Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Really stubborn Malware [Solved]


  • This topic is locked This topic is locked

#16
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Here is the combofix log

ComboFix 12-06-20.02 - Mosley Family 20/06/2012 22:45:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2657 [GMT 1:00]
Running from: c:\documents and settings\Mosley Family\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\Mosley Family\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mosley Family\Application Data\Microsoft\Installer\{B3CB613C-58D3-4692-B2DA-8F3EAC6288D4}
c:\documents and settings\Mosley Family\Application Data\Microsoft\Installer\{B3CB613C-58D3-4692-B2DA-8F3EAC6288D4}\IconCF33A0CE.exe
c:\documents and settings\Mosley Family\Application Data\Microsoft\Installer\{B3CB613C-58D3-4692-B2DA-8F3EAC6288D4}\IconD7F16134.exe
c:\documents and settings\Mosley Family\Application Data\Microsoft\Installer\{B3CB613C-58D3-4692-B2DA-8F3EAC6288D4}\IconF7A21AF7.exe
c:\documents and settings\Mosley Family\Local Settings\Application Data\axbcctbn.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\buqrabeh.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\eqrjlpnl.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\lwupdjfe.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\nplmpljh.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb
c:\documents and settings\Mosley Family\Local Settings\Application Data\reecrujf.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\yhwojtwq.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 21:52 . 2012-06-20 21:52 -------- d-----w- c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb
2012-06-20 18:41 . 2012-06-20 18:41 -------- d-----w- C:\_OTL
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\SUPERAntiSpyware.com
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-06-19 20:48 . 2012-06-19 20:48 -------- d-----w- c:\program files\Hewlett-Packard
2012-05-27 15:56 . 2012-05-27 15:56 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\Malwarebytes
2012-05-25 20:43 . 2012-05-25 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-25 20:43 . 2012-05-27 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 20:43 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 18:16 . 2012-05-25 18:16 -------- d-----w- C:\sh4ldr
2012-05-25 18:16 . 2012-05-25 18:16 -------- d-----w- c:\program files\Enigma Software Group
2012-05-25 18:15 . 2012-05-25 18:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-24 19:25 . 2012-05-24 21:01 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\AVG
2012-05-24 19:11 . 2012-05-25 08:54 -------- d-----w- c:\documents and settings\Mosley Family\Local Settings\Application Data\LogMeIn Rescue Applet
2012-05-24 18:04 . 2012-05-24 19:41 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-05-24 18:04 . 2012-05-24 19:41 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-05-24 18:02 . 2012-06-20 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-05-24 18:02 . 2012-05-24 18:02 -------- d-----w- c:\program files\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 21:32 . 2012-04-05 10:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-19 21:32 . 2011-06-17 08:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-14 15:26 . 2012-04-14 15:26 657822 ----a-w- c:\windows\P5KC-1203.zip
2012-04-14 15:07 . 2012-04-14 15:07 1409 ----a-w- c:\windows\QTFont.for
2012-04-04 12:13 . 2012-04-04 12:13 23376 ----a-r- c:\windows\system32\SZIO5.dll
2012-04-04 12:13 . 2012-04-04 12:13 546640 ----a-r- c:\windows\system32\SZComp5.dll
2012-04-04 12:13 . 2012-04-04 12:13 481104 ----a-r- c:\windows\system32\SZBase5.dll
2012-03-29 15:36 . 2012-03-29 15:36 72080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2012-03-27 16:03 . 2008-04-13 11:04 6100072 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2012-01-09 17:56 . 2011-04-02 19:20 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"Akamai NetSession Interface"="c:\documents and settings\Mosley Family\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-07 3331872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-17 3906944]
"XgtTiuor"="c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb\xgttiuor.exe" [2012-05-22 87776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMonit"="c:\windows\system32\umonit.exe" [2005-05-23 53248]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-13 296056]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-01-28 1413120]
"CPU Power Monitor"="c:\program files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 627200]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-11-30 881152]
"ASUS Energy Saving"="c:\program files\ASUS\AI Suite\EnergySaving\PwSave.exe" [2008-01-28 1352704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
.
c:\documents and settings\Mosley Family\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
Scheduler.lnk - c:\progra~1\WinTV\SCHEDU~1\scheduler.exe [2009-2-15 4700712]
xgttiuor.exe [2012-5-22 87776]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2009-2-15 110647]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-10-5 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb\xgttiuor.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mosley Family^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mosley Family^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mosley Family\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-05-25 11:13 1957888 ----a-r- c:\windows\system32\xRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-03 17:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
2005-08-05 14:15 61440 ----a-w- c:\windows\VM305_STI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
2005-12-12 08:36 143360 ------w- c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 07:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 01:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 13:36 36864 ----a-r- c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Alarm Clock]
2006-02-02 13:36 1254400 ----a-w- c:\program files\PC Alarm Clock\pcalarmclock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-03-14 12:40 20065896 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-07-29 11:31 17361032 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 17:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 11:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN BackUp\\MSNBackup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Documents and Settings\\Mosley Family\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [24/02/2012 15:28 99728]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [29/03/2012 16:36 72080]
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [15/02/2009 17:41 12928]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [04/03/2011 13:23 11352]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29/07/2004 04:13 46779]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [18/04/2012 10:20 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [15/02/2009 18:11 437248]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/05/2012 21:43 654408]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [04/05/2012 18:21 737184]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [09/03/2011 13:30 92592]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [27/07/2005 17:25 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [27/07/2005 17:25 36352]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [13/04/2008 12:05 38656]
R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [05/02/2009 18:14 6016]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [15/02/2009 17:41 182400]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [15/02/2009 17:41 12288]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [15/02/2009 17:41 320256]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [15/02/2009 17:41 74624]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [15/02/2009 17:41 394880]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [15/02/2009 17:41 17280]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [10/03/2011 18:34 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 20:27 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/05/2012 21:43 22344]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [27/07/2005 17:25 77056]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [24/02/2012 15:28 99728]
S0 MxEFUF;Matrox Extio Upper Function Filter;c:\windows\system32\drivers\MxEFUF32.sys [18/04/2012 22:09 102728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2009 16:22 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [05/04/2012 11:50 257224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20/04/2012 16:10 1691480]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [16/04/2012 12:23 99856]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [02/06/2011 11:08 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2009 16:22 133104]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [27/10/2009 16:43 30920]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [02/02/2009 17:30 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [02/02/2009 17:30 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [02/02/2009 17:30 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [02/02/2009 17:30 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [02/02/2009 17:30 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [02/02/2009 17:30 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [02/02/2009 17:30 115752]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [02/02/2009 17:30 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [02/02/2009 17:30 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [02/02/2009 17:30 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [02/02/2009 17:30 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [02/02/2009 17:30 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [02/02/2009 17:30 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [02/02/2009 17:30 117672]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [20/05/2008 17:16 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [20/05/2008 17:16 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [20/05/2008 17:16 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [20/05/2008 18:24 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [20/05/2008 18:24 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [20/05/2008 18:23 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [20/05/2008 18:24 97704]
S3 usbaucmd;usbaucmd;c:\windows\system32\drivers\usbaucmd.sys --> c:\windows\system32\drivers\usbaucmd.sys [?]
S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys [19/04/2009 19:54 474368]
S3 ZSMC0305;USB PC Camera VC305;c:\windows\system32\drivers\usbVM305.sys [16/09/2010 18:55 391688]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 21:32]
.
2012-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-20 c:\windows\Tasks\AVG PC Tuneup Integrator Start On Mosley Family Logon.job
- c:\program files\AVG\AVG PC Tuneup\BoostSpeed.exe [2012-05-24 16:20]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 15:22]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 15:22]
.
2012-06-20 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 12:25]
.
2012-01-16 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
.
2012-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-448539723-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 16:14]
.
2012-05-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-448539723-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 16:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:1926905636&cof=FORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E725B942-BB4D-4B55-9CFE-78F2C62F7423}: NameServer = 212.74.112.66,212.74.112.67
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Mosley Family\Application Data\Mozilla\Firefox\Profiles\5ojqtqh8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Linkury Smartbar Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:7317400059&cof=FORID:11&sa=Search&siteurl=search.linkury.com&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 22:53
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\umonit.exe?1??$?\???8?????????$?8?????$?C?US????8???UB????????????????????????????A~????????????tq??l??????|p??|????m??|??D~??????????$?B$?|??B~??B~*?,???$???????????????????????????????B~????????????tq??????T???????????tq??????L??????
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)[email protected]?Y????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-507921405-448539723-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:22,62,e5,92,41,cb,fb,3d,21,4a,d6,7b,48,99,35,fe,14,1e,e4,e1,29,bc,69,
cd,1e,39,51,4b,9a,7c,ea,d7,3d,58,5d,4c,6f,f9,d0,24,76,17,b4,51,e8,9a,22,a1,\
"??"=hex:16,10,91,32,90,a8,f8,b3,2f,a3,c0,66,2e,9e,28,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1216)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(4484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\ASUS\AASP\1.00.59\aaCenter.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-06-20 23:00:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-20 22:00
ComboFix2.txt 2012-06-20 21:14
.
Pre-Run: 250,667,257,856 bytes free
Post-Run: 250,484,998,144 bytes free
.
- - End Of File - - E9BBCE3211013C4C6E4F7882295CC77D
  • 0

Advertisements


#17
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK we have a real bad boy in there somewhere .. Lets find it

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
[I]**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[i]-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning

  • 0

#18
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Have completed instructions
Tried running Kaspersky and it loads succesfully with icon in bottom right task bar. It did an update.
Can go anywhere on internet.
Rebooted
Kaspersky is now turned on as antivirus program in Security Centre although it's icon does not appear in bottom right hand taskbar.
Cannot access Kasperskys Control Panel
Web browsers preventing me from going to antivirus websites and microsoft again.
Ahhhhhhhhhhhh!
  • 0

#19
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Sorry see you replied 20 mins ago.
Did note that you had responded, but there wasn't any correspondence
Will carry out last instructions
  • 0

#20
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Still here
Had great difficulty getting GMER as neither of your links worked.
Browser wouldn't let me go to one site and the download wouldn't start on the other so I've gone elsewhere.
Now scanning
  • 0

#21
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Here is the logAttached File  gmerplastic welshman.txt   125.74KB   29 downloads
  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Both work for me and GMER showed a naughty CLSID that will need to go

On completion of this please give the system a check to determine if there are any other problems

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKLM\SOFTWARE\Classes\CLSID\{909FCFE5-19B5-D007-74EB-19EE542DABFF}]

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

  • 0

#23
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi Essexboy
Here is the log from the last combofix action

ComboFix 12-06-20.02 - Mosley Family 21/06/2012 15:35:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2049 [GMT 1:00]
Running from: c:\documents and settings\Mosley Family\Desktop\Gotcha.exe
Command switches used :: c:\documents and settings\Mosley Family\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mosley Family\Local Settings\Application Data\axbcctbn.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\buqrabeh.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\eqrjlpnl.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\lwupdjfe.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\nplmpljh.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb\xgttiuor.exe
c:\documents and settings\Mosley Family\Local Settings\Application Data\reecrujf.log
c:\documents and settings\Mosley Family\Local Settings\Application Data\yhwojtwq.log
c:\windows\system32\tmpA9.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 10:46 . 2012-06-21 10:48 -------- d-----w- c:\windows\LastGood.Tmp
2012-06-21 10:46 . 2012-06-21 10:48 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-06-20 21:52 . 2012-06-21 14:44 -------- d-----w- c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb
2012-06-20 18:41 . 2012-06-20 18:41 -------- d-----w- C:\_OTL
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\SUPERAntiSpyware.com
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-19 21:09 . 2012-06-19 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-06-19 20:48 . 2012-06-19 20:48 -------- d-----w- c:\program files\Hewlett-Packard
2012-05-27 15:56 . 2012-05-27 15:56 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\Malwarebytes
2012-05-25 20:43 . 2012-05-25 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-25 20:43 . 2012-05-27 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 20:43 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 18:16 . 2012-05-25 18:16 -------- d-----w- C:\sh4ldr
2012-05-25 18:16 . 2012-05-25 18:16 -------- d-----w- c:\program files\Enigma Software Group
2012-05-25 18:15 . 2012-05-25 18:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-24 19:25 . 2012-05-24 21:01 -------- d-----w- c:\documents and settings\Mosley Family\Application Data\AVG
2012-05-24 19:11 . 2012-05-25 08:54 -------- d-----w- c:\documents and settings\Mosley Family\Local Settings\Application Data\LogMeIn Rescue Applet
2012-05-24 18:04 . 2012-05-24 19:41 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-05-24 18:04 . 2012-05-24 19:41 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-05-24 18:02 . 2012-06-21 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-05-24 18:02 . 2012-05-24 18:02 -------- d-----w- c:\program files\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-21 10:15 . 2008-04-15 09:24 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-21 10:15 . 2008-04-15 09:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-19 21:32 . 2012-04-05 10:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-19 21:32 . 2011-06-17 08:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-14 15:26 . 2012-04-14 15:26 657822 ----a-w- c:\windows\P5KC-1203.zip
2012-04-04 12:13 . 2012-04-04 12:13 23376 ----a-r- c:\windows\system32\SZIO5.dll
2012-04-04 12:13 . 2012-04-04 12:13 546640 ----a-r- c:\windows\system32\SZComp5.dll
2012-04-04 12:13 . 2012-04-04 12:13 481104 ----a-r- c:\windows\system32\SZBase5.dll
2012-03-29 15:36 . 2012-03-29 15:36 72080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2012-03-27 16:03 . 2008-04-13 11:04 6100072 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2012-01-09 17:56 . 2011-04-02 19:20 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"Akamai NetSession Interface"="c:\documents and settings\Mosley Family\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-07 3331872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-17 3906944]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 73728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMonit"="c:\windows\system32\umonit.exe" [2005-05-23 53248]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-13 296056]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-01-28 1413120]
"CPU Power Monitor"="c:\program files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 627200]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-11-30 881152]
"ASUS Energy Saving"="c:\program files\ASUS\AI Suite\EnergySaving\PwSave.exe" [2008-01-28 1352704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
.
c:\documents and settings\Mosley Family\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
Scheduler.lnk - c:\progra~1\WinTV\SCHEDU~1\scheduler.exe [2009-2-15 4700712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2009-2-15 110647]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-10-5 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb\xgttiuor.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mosley Family^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mosley Family^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mosley Family\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-05-25 11:13 1957888 ----a-r- c:\windows\system32\xRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-03 17:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
2005-08-05 14:15 61440 ----a-w- c:\windows\VM305_STI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
2005-12-12 08:36 143360 ------w- c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 07:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 01:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 13:36 36864 ----a-r- c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Alarm Clock]
2006-02-02 13:36 1254400 ----a-w- c:\program files\PC Alarm Clock\pcalarmclock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-03-14 12:40 20065896 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-07-29 11:31 17361032 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 17:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 11:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN BackUp\\MSNBackup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Documents and Settings\\Mosley Family\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1045:TCP"= 1045:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [24/02/2012 15:28 99728]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [29/03/2012 16:36 72080]
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [15/02/2009 17:41 12928]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [04/03/2011 13:23 11352]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [29/07/2004 04:13 46779]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [18/04/2012 10:20 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [15/02/2009 18:11 437248]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [04/05/2012 18:21 737184]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [09/03/2011 13:30 92592]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [27/07/2005 17:25 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [27/07/2005 17:25 36352]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [13/04/2008 12:05 38656]
R3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [05/02/2009 18:14 6016]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [15/02/2009 17:41 182400]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\hcw88rc5.sys [15/02/2009 17:41 12288]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [15/02/2009 17:41 320256]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [15/02/2009 17:41 74624]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [15/02/2009 17:41 394880]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [15/02/2009 17:41 17280]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [10/03/2011 18:34 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 20:27 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/05/2012 21:43 22344]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [27/07/2005 17:25 77056]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [24/02/2012 15:28 99728]
S0 MxEFUF;Matrox Extio Upper Function Filter;c:\windows\system32\drivers\MxEFUF32.sys [18/04/2012 22:09 102728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2009 16:22 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/05/2012 21:43 654408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [05/04/2012 11:50 257224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20/04/2012 16:10 1691480]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [16/04/2012 12:23 99856]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [02/06/2011 11:08 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18/09/2009 16:22 133104]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [27/10/2009 16:43 30920]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [02/02/2009 17:30 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [02/02/2009 17:30 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [02/02/2009 17:30 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [02/02/2009 17:30 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [02/02/2009 17:30 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [02/02/2009 17:30 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [02/02/2009 17:30 115752]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [02/02/2009 17:30 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [02/02/2009 17:30 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [02/02/2009 17:30 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [02/02/2009 17:30 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [02/02/2009 17:30 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [02/02/2009 17:30 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [02/02/2009 17:30 117672]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [20/05/2008 17:16 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [20/05/2008 17:16 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [20/05/2008 17:16 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [20/05/2008 18:24 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [20/05/2008 18:24 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [20/05/2008 18:23 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [20/05/2008 18:24 97704]
S3 usbaucmd;usbaucmd;c:\windows\system32\drivers\usbaucmd.sys --> c:\windows\system32\drivers\usbaucmd.sys [?]
S3 vvftav;vvftav;c:\windows\system32\drivers\vvftav.sys [19/04/2009 19:54 474368]
S3 ZSMC0305;USB PC Camera VC305;c:\windows\system32\drivers\usbVM305.sys [16/09/2010 18:55 391688]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 21:32]
.
2012-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-06-21 c:\windows\Tasks\AVG PC Tuneup Integrator Start On Mosley Family Logon.job
- c:\program files\AVG\AVG PC Tuneup\BoostSpeed.exe [2012-05-24 16:20]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 15:22]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 15:22]
.
2012-06-20 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 12:25]
.
2012-01-16 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]
.
2012-06-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-507921405-448539723-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 16:14]
.
2012-05-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-507921405-448539723-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 16:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:1926905636&cof=FORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{E725B942-BB4D-4B55-9CFE-78F2C62F7423}: NameServer = 212.74.112.66,212.74.112.67
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Mosley Family\Application Data\Mozilla\Firefox\Profiles\5ojqtqh8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Linkury Smartbar Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:7317400059&cof=FORID:11&sa=Search&siteurl=search.linkury.com&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-XgtTiuor - c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb\xgttiuor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-21 15:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\umonit.exe?1??$?\???8?????????$?8?????$?C?US????8???UB????????????????????????????A~????????????tq??l??????|p??|????m??|??D~??????????$?B$?|??B~??B~*?,???$???????????????????????????????B~????????????tq??????T???????????tq??????L??????
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)[email protected]?Y????????????
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-507921405-448539723-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:22,62,e5,92,41,cb,fb,3d,21,4a,d6,7b,48,99,35,fe,14,1e,e4,e1,29,bc,69,
cd,1e,39,51,4b,9a,7c,ea,d7,3d,58,5d,4c,6f,f9,d0,24,76,17,b4,51,e8,9a,22,a1,\
"??"=hex:16,10,91,32,90,a8,f8,b3,2f,a3,c0,66,2e,9e,28,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1216)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(4552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\ASUS\AASP\1.00.59\aaCenter.exe
c:\windows\system32\Rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2012-06-21 15:52:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-21 14:52
ComboFix2.txt 2012-06-20 22:00
ComboFix3.txt 2012-06-20 21:14
.
Pre-Run: 251,369,000,960 bytes free
Post-Run: 251,254,005,760 bytes free
.
- - End Of File - - FB892526EB373F04F23F8FCBC175168C
  • 0

#24
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
I've checked my PC and the same problems exist.
  • 0

#25
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
One thing I haven't mentioned is that I can't close Kaspersky and Combofix identifies it as active.
Would it be necessary to go to the Task Manager and terminate the process, whatever that is called!
  • 0

Advertisements


#26
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK now I have removed the reg key lets see if I can now kill the rest dead. Once done see if Kaspersky works, if it does could you do the analysis scan for me. Also could I see the aswMBR scan

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Analysis

To create an AVZ logfile, please launch Kaspersky and click on "Support" in the bottom left hand corner of the main screen.
Then click on "Support Tools".
A new window will open, and underneath the "Actions" heading you will find a button labelled "Create system state report".
Click this button to create the AVZ sysinfo log.

Once your system has been analysed, click on "View" in order to open the logfile location.
The logfile should be located in C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP11\AVZ folder for Windows XP and will be called sysinfo.zip (for Windows Vista/7 this will be C:\ProgramData\Kaspersky Lab\AVP11\AVZ).
Please collect this file, and attach it to your post/topic.
  • 0

#27
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Ran Combofix with your CFScript.
Still the same problems on reboot.
Can't visit anti-virus websites.
Kaspersky is active in Security centre, but cannot access it's main gui panel. Doesn't appear in bottom right hand taskbar.Attached File  ComboFix.txt   27.96KB   25 downloads
Here is the Combofix log attached.
I will send you the aswMBR log asap
  • 0

#28
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
aswMBR log file attached
Attached File  aswMBRPlasticWelshman2.txt   1.91KB   28 downloads
  • 0

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I believe that the removal of the reg key has now revealed the miscreant start point

This is then recreating the folder and other registry entries

If this fails we will then work outside of windows.. Do you have a USB drive handy ?

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Mosley Family\Start Menu\Programs\Startup\xgttiuor.exe

Folder::
c:\documents and settings\Mosley Family\Local Settings\Application Data\pachxufb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XgtTiuor"=-

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

  • 0

#30
Plastic Welshman

Plastic Welshman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Combofix log attached
Attached File  ComboFix.txt   26.63KB   68 downloads
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP