all programs from malware guide wont run
Started by
sloppypa
, Aug 27 2011 06:54 PM
#16
Posted 28 August 2011 - 09:42 PM
#17
Posted 28 August 2011 - 10:56 PM
This should remove them:
Copy the text between the lines of stars by highlighting and Ctrl + c.
******************************************
Killall::
DirLook::
C:\Program Files\Common
%user%\library
Driver::
SASDIFSV
SASKUTIL
gupdate
gupdatem
Folder::
c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract
c:\program files\Google\Update
c:\program files\Microsoft\Search Enhancement Pack
c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
C:\Program Files\Messenger
******************************************
Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.
Pause your anti-virus.
Drag CFScript.txt over to Combofix and let go Combofix should start on its own.
Post the new log.
Ron
Copy the text between the lines of stars by highlighting and Ctrl + c.
******************************************
Killall::
DirLook::
C:\Program Files\Common
%user%\library
Driver::
SASDIFSV
SASKUTIL
gupdate
gupdatem
Folder::
c:\docume~1\Family\LOCALS~1\Temp\SAS_SelfExtract
c:\program files\Google\Update
c:\program files\Microsoft\Search Enhancement Pack
c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
C:\Program Files\Messenger
******************************************
Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.
Pause your anti-virus.
Drag CFScript.txt over to Combofix and let go Combofix should start on its own.
Post the new log.
Ron
#18
Posted 29 August 2011 - 05:45 AM
.
Edited by sloppypa, 29 August 2011 - 05:46 AM.
#19
Posted 29 August 2011 - 05:45 AM
ComboFix 11-08-29.01 - Family 08/29/2011 7:32.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2607 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
c:\program files\Google\Update
c:\program files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdate.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdateBroker.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdateHelper.msi
c:\program files\Google\Update\1.3.21.65\GoogleUpdateOnDemand.exe
c:\program files\Google\Update\1.3.21.65\goopdate.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_am.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ar.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_bg.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_bn.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ca.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_cs.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_da.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_de.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_el.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_en-GB.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_en.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_es-419.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_es.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_et.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fa.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fil.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_gu.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hu.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_id.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_is.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_it.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_iw.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ja.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_kn.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ko.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_lt.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_lv.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ml.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_mr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ms.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_nl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_no.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pt-BR.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pt-PT.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ro.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ru.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sk.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sv.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sw.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ta.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_te.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_th.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_tr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_uk.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ur.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_vi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_zh-CN.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_zh-TW.dll
c:\program files\Google\Update\1.3.21.65\npGoogleUpdate3.dll
c:\program files\Google\Update\1.3.21.65\psmachine.dll
c:\program files\Google\Update\1.3.21.65\psuser.dll
c:\program files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.65\GoogleUpdateSetup.exe
c:\program files\Google\Update\Download\{6C3EF8BB-73DE-405C-BC52-64A995806B15}\GoogleUpdateSetup.exe
c:\program files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\13.0.782.215\chrome_updater.exe
c:\program files\Messenger
c:\program files\Messenger\blogo.gif
c:\program files\Messenger\custsat.dll
c:\program files\Messenger\logowin.gif
c:\program files\Messenger\lvback.gif
c:\program files\Messenger\mailtmpl.txt
c:\program files\Messenger\msgsc.dll
c:\program files\Messenger\msgslang.dll
c:\program files\Messenger\msmsgs.exe
c:\program files\Messenger\msmsgs.exe.manifest
c:\program files\Messenger\newalert.wav
c:\program files\Messenger\newemail.wav
c:\program files\Messenger\online.wav
c:\program files\Messenger\type.wav
c:\program files\Messenger\xpmsgr.chm
c:\program files\Microsoft\Search Enhancement Pack
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\da\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\de\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\dmres.dll
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\en-US\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\es\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\fr\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\it\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\ja\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\nl\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\no\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\pt-br\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\ru\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\sv\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\tr\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\zh-cn\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Installers\DefaultManager2.1.54\DefaultManager.msi
c:\program files\Microsoft\Search Enhancement Pack\Installers\SearchEnhancementPack2.0.269\SearchEnhancementPack.msi
c:\program files\Microsoft\Search Enhancement Pack\SCServer\aab.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\aabloc.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SearchOptionsFlyout.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SearchOptionsFlyoutLoc.xap
c:\program files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Box Extension\SrchBxEx.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\chrome.manifest
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\comp.xpt
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\content\firefoxOverlay.xul
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\content\overlay.js
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\install.rdf
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GUPDATE
-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Service_gupdate
-------\Service_gupdatem
-------\Service_SASDIFSV
-------\Service_SASKUTIL
-------\Legacy_SeaPort
-------\Service_SeaPort
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-07-30 22:00 . 2011-07-30 22:00 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-30 21:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 21:58 . 2011-08-28 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 21:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-05-04 21:05 311296 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-11 05:21 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-11-16 13:27 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 07:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2904)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-29 07:39:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-29 11:39
ComboFix2.txt 2011-08-28 23:33
ComboFix3.txt 2011-08-28 16:49
.
Pre-Run: 16,110,358,528 bytes free
Post-Run: 16,099,409,920 bytes free
.
- - End Of File - - C244EECCF126F45BFA89821362E35AB8
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2607 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
c:\program files\Google\Update
c:\program files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdate.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdateBroker.exe
c:\program files\Google\Update\1.3.21.65\GoogleUpdateHelper.msi
c:\program files\Google\Update\1.3.21.65\GoogleUpdateOnDemand.exe
c:\program files\Google\Update\1.3.21.65\goopdate.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_am.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ar.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_bg.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_bn.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ca.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_cs.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_da.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_de.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_el.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_en-GB.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_en.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_es-419.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_es.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_et.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fa.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fil.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_fr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_gu.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_hu.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_id.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_is.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_it.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_iw.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ja.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_kn.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ko.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_lt.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_lv.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ml.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_mr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ms.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_nl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_no.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pt-BR.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_pt-PT.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ro.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ru.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sk.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sl.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sv.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_sw.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ta.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_te.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_th.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_tr.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_uk.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_ur.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_vi.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_zh-CN.dll
c:\program files\Google\Update\1.3.21.65\goopdateres_zh-TW.dll
c:\program files\Google\Update\1.3.21.65\npGoogleUpdate3.dll
c:\program files\Google\Update\1.3.21.65\psmachine.dll
c:\program files\Google\Update\1.3.21.65\psuser.dll
c:\program files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.65\GoogleUpdateSetup.exe
c:\program files\Google\Update\Download\{6C3EF8BB-73DE-405C-BC52-64A995806B15}\GoogleUpdateSetup.exe
c:\program files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\13.0.782.215\chrome_updater.exe
c:\program files\Messenger
c:\program files\Messenger\blogo.gif
c:\program files\Messenger\custsat.dll
c:\program files\Messenger\logowin.gif
c:\program files\Messenger\lvback.gif
c:\program files\Messenger\mailtmpl.txt
c:\program files\Messenger\msgsc.dll
c:\program files\Messenger\msgslang.dll
c:\program files\Messenger\msmsgs.exe
c:\program files\Messenger\msmsgs.exe.manifest
c:\program files\Messenger\newalert.wav
c:\program files\Messenger\newemail.wav
c:\program files\Messenger\online.wav
c:\program files\Messenger\type.wav
c:\program files\Messenger\xpmsgr.chm
c:\program files\Microsoft\Search Enhancement Pack
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\da\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\de\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\dmres.dll
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\en-US\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\es\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\fr\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\it\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\ja\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\nl\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\no\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\pt-br\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\ru\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\sv\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\tr\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\zh-cn\dmres.dll.mui
c:\program files\Microsoft\Search Enhancement Pack\Installers\DefaultManager2.1.54\DefaultManager.msi
c:\program files\Microsoft\Search Enhancement Pack\Installers\SearchEnhancementPack2.0.269\SearchEnhancementPack.msi
c:\program files\Microsoft\Search Enhancement Pack\SCServer\aab.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\aabloc.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SearchOptionsFlyout.xap
c:\program files\Microsoft\Search Enhancement Pack\SCServer\SearchOptionsFlyoutLoc.xap
c:\program files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Box Extension\SrchBxEx.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\chrome.manifest
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\comp.xpt
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\content\firefoxOverlay.xul
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\content\overlay.js
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\install.rdf
c:\program files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GUPDATE
-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Service_gupdate
-------\Service_gupdatem
-------\Service_SASDIFSV
-------\Service_SASKUTIL
-------\Legacy_SeaPort
-------\Service_SeaPort
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-07-30 22:00 . 2011-07-30 22:00 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-30 21:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 21:58 . 2011-08-28 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 21:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2011-07-30 21:44 . 2011-07-30 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-05-04 21:05 311296 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-11 05:21 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-11-16 13:27 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 07:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2904)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-29 07:39:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-29 11:39
ComboFix2.txt 2011-08-28 23:33
ComboFix3.txt 2011-08-28 16:49
.
Pre-Run: 16,110,358,528 bytes free
Post-Run: 16,099,409,920 bytes free
.
- - End Of File - - C244EECCF126F45BFA89821362E35AB8
#20
Posted 29 August 2011 - 08:32 AM
Now go back into msconfig and either click on Normal Boot and Apply or recheck everything and Apply then reboot. Run Combofix one more time.
How is it running now?
Ron
How is it running now?
Ron
#21
Posted 29 August 2011 - 05:33 PM
Seems like it is ok
running fine
ComboFix 11-08-29.03 - Family 08/29/2011 19:11:05.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2592 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-30 21:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-30 21:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-9 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 19:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(164)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-29 19:15:57
ComboFix-quarantined-files.txt 2011-08-29 23:15
ComboFix2.txt 2011-08-29 11:39
ComboFix3.txt 2011-08-28 23:33
ComboFix4.txt 2011-08-28 16:49
.
Pre-Run: 16,285,122,560 bytes free
Post-Run: 16,268,394,496 bytes free
.
- - End Of File - - 07ED75ECD053E7C860423B7CAD5B8E80
running fine
ComboFix 11-08-29.03 - Family 08/29/2011 19:11:05.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2592 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-30 21:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-30 21:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-9 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 19:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(164)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-29 19:15:57
ComboFix-quarantined-files.txt 2011-08-29 23:15
ComboFix2.txt 2011-08-29 11:39
ComboFix3.txt 2011-08-28 23:33
ComboFix4.txt 2011-08-28 16:49
.
Pre-Run: 16,285,122,560 bytes free
Post-Run: 16,268,394,496 bytes free
.
- - End Of File - - 07ED75ECD053E7C860423B7CAD5B8E80
#22
Posted 29 August 2011 - 08:56 PM
You didn't turn all of the services on:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
You should turn on avast at least. The others can stay off if you want. run Combofix again and post the log.
Ron
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
You should turn on avast at least. The others can stay off if you want. run Combofix again and post the log.
Ron
#23
Posted 30 August 2011 - 06:06 AM
ComboFix 11-08-30.01 - Family 08/30/2011 7:48.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2444 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))
.
.
2011-08-30 11:38 . 2011-08-30 11:38 -------- d-----w- c:\program files\Apple Software Update
2011-08-30 00:02 . 2011-08-30 00:02 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2011-08-29 23:55 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-29 23:55 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-29 23:55 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-29 23:55 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-29 23:55 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-29 23:55 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-29 23:55 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-29 23:55 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-29 23:55 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-29 23:55 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-29 23:54 . 2011-08-29 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-30 21:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-30 21:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-30 11:38 . 2011-05-10 12:06 42496 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-08-30 11:38 . 2011-05-10 12:06 18432 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-08-30 11:38 . 2011-08-30 11:38 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2011-08-30 11:36 . 2011-08-30 11:36 811520 c:\windows\Installer\e3aa9.msi
+ 2011-08-30 11:38 . 2011-05-10 12:06 4517664 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
+ 2011-08-30 11:38 . 2011-04-08 18:59 1461992 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
+ 2011-08-30 11:39 . 2011-08-30 11:39 9474048 c:\windows\Installer\e3d6d.msi
+ 2011-08-30 11:38 . 2011-08-30 11:38 1769984 c:\windows\Installer\e3abc.msi
+ 2011-08-30 11:38 . 2011-08-30 11:38 3085312 c:\windows\Installer\e3ab5.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-9 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/29/2011 7:55 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/29/2011 7:55 PM 309848]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/29/2011 7:55 PM 19544]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-73586283-839522115-1003Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 23:50]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-73586283-839522115-1003UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: avast! WebRep: [email protected] - c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-30 07:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-30 08:00:03
ComboFix-quarantined-files.txt 2011-08-30 11:59
ComboFix2.txt 2011-08-29 23:15
ComboFix3.txt 2011-08-29 11:39
ComboFix4.txt 2011-08-28 23:33
ComboFix5.txt 2011-08-30 11:47
.
Pre-Run: 15,326,330,880 bytes free
Post-Run: 15,312,846,848 bytes free
.
- - End Of File - - 5C1DFD1DAFFB78305D7E6E748AE94EF2
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2444 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))
.
.
2011-08-30 11:38 . 2011-08-30 11:38 -------- d-----w- c:\program files\Apple Software Update
2011-08-30 00:02 . 2011-08-30 00:02 -------- d-----w- c:\documents and settings\Family\Application Data\SUPERAntiSpyware.com
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-30 00:01 . 2011-08-30 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2011-08-29 23:55 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-29 23:55 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-29 23:55 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-29 23:55 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-29 23:55 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-29 23:55 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-29 23:55 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-29 23:55 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-29 23:55 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-29 23:55 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-29 23:54 . 2011-08-29 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-29 03:28 . 2011-08-29 03:31 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-28 16:30 . 2011-02-16 13:22 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-28 16:30 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-27 23:09 . 2011-08-27 23:09 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\PCHealth
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\program files\AVAST Software
2011-08-27 22:15 . 2011-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-08-27 21:34 . 2011-08-27 21:35 -------- d-----w- c:\documents and settings\Administrator
2011-08-27 21:27 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-27 21:27 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-08-27 21:27 . 2011-08-27 21:27 -------- d-----w- C:\VIPRERESCUE
2011-08-19 23:42 . 2011-08-19 23:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-12 17:06 . 2011-08-27 22:03 -------- d-----w- c:\documents and settings\Family\Application Data\Sammsoft
2011-08-12 16:45 . 2011-08-12 16:45 -------- d-----w- c:\program files\Common Files\iS3
2011-08-12 16:45 . 2011-08-12 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-08-12 16:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-12 16:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 22:00 . 2011-07-30 22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-24 18:35 . 2011-07-24 18:29 246272 ----a-w- c:\windows\unrar.exe
2011-07-15 13:29 . 2001-08-23 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-23 05:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-30 21:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-30 21:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2011-01-08 20:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2001-08-23 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2001-08-23 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2001-08-23 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2001-08-23 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2001-08-23 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-03-11 05:01 . 2010-03-11 05:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 05:40 . 2010-03-11 05:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 05:02 . 2010-03-11 05:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 05:01 . 2010-03-11 05:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 05:01 . 2010-03-11 05:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 05:00 . 2010-03-11 05:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 05:01 . 2010-03-11 05:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 05:01 . 2010-03-11 05:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 18:49 . 2009-10-05 18:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 05:02 . 2010-03-11 05:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-28_16.45.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-30 11:38 . 2011-05-10 12:06 42496 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-08-30 11:38 . 2011-05-10 12:06 18432 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-08-30 11:38 . 2011-08-30 11:38 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe
+ 2011-08-29 03:22 . 2011-08-29 03:22 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2011-08-30 11:36 . 2011-08-30 11:36 811520 c:\windows\Installer\e3aa9.msi
+ 2011-08-30 11:38 . 2011-05-10 12:06 4517664 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
+ 2011-08-30 11:38 . 2011-04-08 18:59 1461992 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
+ 2011-08-30 11:39 . 2011-08-30 11:39 9474048 c:\windows\Installer\e3d6d.msi
+ 2011-08-30 11:38 . 2011-08-30 11:38 1769984 c:\windows\Installer\e3abc.msi
+ 2011-08-30 11:38 . 2011-08-30 11:38 3085312 c:\windows\Installer\e3ab5.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-9 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MSN Toolbar\\Platform\\4.0.0357.1\\mswinext.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Citrix\\ICA Client\\wfica32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/29/2011 7:55 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/29/2011 7:55 PM 309848]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 11:08 AM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/27/2011 5:27 PM 98392]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/29/2011 7:55 PM 19544]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-73586283-839522115-1003Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 23:50]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-73586283-839522115-1003UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\g2pjybo3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: avast! WebRep: [email protected] - c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-30 07:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-08-30 08:00:03
ComboFix-quarantined-files.txt 2011-08-30 11:59
ComboFix2.txt 2011-08-29 23:15
ComboFix3.txt 2011-08-29 11:39
ComboFix4.txt 2011-08-28 23:33
ComboFix5.txt 2011-08-30 11:47
.
Pre-Run: 15,326,330,880 bytes free
Post-Run: 15,312,846,848 bytes free
.
- - End Of File - - 5C1DFD1DAFFB78305D7E6E748AE94EF2
#24
Posted 30 August 2011 - 10:23 AM
Log looks good. Any problems left?
If not we can cleanup:
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
"%userprofile%\Desktop\combofix.exe" /Uninstall
Start, Run, cmd, OK then right click, Paste, then hit Enter.
OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.
To hide hidden files again:
XP
# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.
You probably do not have the latest Java (Java™ 6 Update 26 or perhaps 7 update 0 by now). Get the latest at:
http://www.java.com/en/
Save it to your PC then close all browsers and install it.
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Ron
If not we can cleanup:
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
"%userprofile%\Desktop\combofix.exe" /Uninstall
Start, Run, cmd, OK then right click, Paste, then hit Enter.
OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.
To hide hidden files again:
XP
# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.
You probably do not have the latest Java (Java™ 6 Update 26 or perhaps 7 update 0 by now). Get the latest at:
http://www.java.com/en/
Save it to your PC then close all browsers and install it.
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Ron
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users