-
< %SYSTEMDRIVE%\*.exe >
< MD5 for: AGP440.SYS >
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2007/07/02 14:31:31 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=313FF294978EA6AF715722D708FB249F -- C:\WINDOWS\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20494_none_b858f78adaed51b3\AGP440.sys
[2007/07/02 14:31:31 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\WINDOWS\System32\DriverStore\FileRepository\machine.inf_f2490cb0\AGP440.sys
[2007/07/02 14:31:31 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=CE71AFD6738AA025D742CDBCFBDC8B9C -- C:\WINDOWS\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16399_none_b7d45c31c1cb309c\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\WINDOWS\ERDNT\cache\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\WINDOWS\System32\drivers\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\WINDOWS\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
< MD5 for: ATAPI.SYS >
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/02/14 19:53:56 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/02/14 19:53:56 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\WINDOWS\System32\drivers\atapi.sys
[2008/02/14 19:53:56 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/14 19:53:56 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/02/14 19:53:22 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\ERDNT\cache\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
< MD5 for: IASTOR.SYS >
[2009/06/04 18:54:36 | 000,408,600 | ---- | M] (Intel Corporation) MD5=1D004CB1DA6323B1F55CAEF7F94B61D9 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2007/03/21 19:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\SwSetup\HDD\iastor.sys
[2007/03/21 19:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007/03/21 19:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys
[2009/06/04 18:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2009/06/04 18:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_0813ee45\iaStor.sys
[2007/03/21 19:58:56 | 000,304,920 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\iaStor.sys
< MD5 for: IASTORV.SYS >
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\WINDOWS\System32\drivers\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys
< MD5 for: NETLOGON.DLL >
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\WINDOWS\System32\netlogon.dll
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008/01/19 02:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll
< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\WINDOWS\System32\drivers\nvstor.sys
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\WINDOWS\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys
< MD5 for: SCECLI.DLL >
[2008/01/19 02:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\WINDOWS\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\WINDOWS\System32\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[2006/11/02 04:47:18 | 000,228,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\rsaenh.dll
[2007/12/04 08:42:23 | 000,223,232 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\SLC.dll
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2007/03/21 19:58:56 | 000,304,920 | ---- | M] (Intel Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\iaStor.sys
[1 C:\Windows\system32\drivers\*.tmp files -> C:\Windows\system32\drivers\*.tmp -> ]
< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\WINDOWS\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\WINDOWS\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\WINDOWS\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\WINDOWS\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\WINDOWS\System32\config\SYSTEM.SAV
========== Alternate Data Streams ==========
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86
< End of report >
-
I still need Extras.txt log.
Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad, such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, CompuServe, etc.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
- Double-click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Did it generate an Extras log? I can't find one.
That Viewpoint Manager, I uninstalled it a couple of days ago; is it still showing on my computer?
And about the Combofix, should I uninstall the one I have now, then re-install that one? If so, how do I uninstall it?
-
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
-
ComboFix 10-02-12.01 - User 02/13/2010 13:19:19.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2037.1227 [GMT -5:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100213-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1368 [VPS 100213-1] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.
2010-02-13 18:31 . 2010-02-13 18:31 -------- d-----w- c:\users\User\AppData\Local\temp
2010-02-13 18:31 . 2010-02-13 18:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-13 18:31 . 2010-02-13 18:31 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-02-13 18:31 . 2010-02-13 18:31 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-02-13 18:31 . 2010-02-13 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-13 18:11 . 2010-02-13 18:17 -------- d-----w- C:\32788R22FWJFW
2010-02-13 03:53 . 2010-02-13 03:53 -------- d-----w- c:\program files\Sophos
2010-02-11 18:28 . 2010-02-12 18:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-11 18:28 . 2010-02-12 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-11 14:01 . 2010-02-12 18:46 -------- d-----w- c:\program files\Enigma Software Group
2010-02-09 21:28 . 2010-02-09 21:34 -------- d-----w- c:\program files\Intel
2010-02-09 01:09 . 2010-02-09 01:09 -------- d-----w- C:\_OTM
2010-02-08 17:15 . 2010-02-08 17:15 -------- d-----w- c:\program files\Safari
2010-02-07 04:55 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-02-07 04:55 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-02-07 04:55 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-02-07 04:55 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-07 04:55 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-02-07 04:55 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-02-07 04:55 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-07 04:54 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-02-07 04:54 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-05 03:22 . 2010-02-05 03:24 -------- d-----w- c:\program files\iTunes
2010-02-04 17:49 . 2010-02-04 17:49 -------- d-----w- c:\program files\Trend Micro
2010-01-20 18:14 . 2010-01-20 18:14 -------- d-----w- c:\program files\RFA
2010-01-20 17:23 . 2010-02-11 19:26 -------- d-----w- c:\programdata\RFA_Backups
2010-01-19 18:30 . 2010-01-19 18:30 8704 ----a-w- c:\windows\system32\SpOrder.dll
2010-01-19 18:30 . 2010-01-19 18:30 73728 ----a-w- c:\windows\system32\VistaInfo32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 23:26 . 2009-02-28 18:40 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-02-09 21:28 . 2007-07-02 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-08 15:57 . 2009-04-17 13:50 117760 ----a-w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-07 17:12 . 2007-07-02 18:53 -------- d-----w- c:\programdata\Microsoft Help
2010-02-05 20:18 . 2008-10-29 00:15 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2010-02-05 03:22 . 2007-12-05 23:45 -------- d-----w- c:\program files\iPod
2010-02-05 03:22 . 2007-12-06 00:04 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 19:41 . 2007-12-05 21:41 -------- d-----w- c:\program files\Viewpoint
2010-02-04 13:40 . 2009-04-19 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 17:02 . 2008-11-26 15:20 -------- d-----w- c:\program files\QuickTime
2010-02-01 20:30 . 2010-01-04 14:25 52224 ----a-w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-26 00:07 . 2009-07-23 12:34 335872 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-01-26 00:06 . 2009-02-28 18:41 -------- d-----w- c:\program files\Common Files\Nikon
2010-01-26 00:05 . 2003-03-19 02:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-01-22 00:12 . 2009-06-26 13:07 -------- d-----w- c:\program files\DivX
2010-01-21 16:21 . 2008-01-13 00:58 210928 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-20 17:21 . 2010-01-06 15:13 -------- d-----w- c:\program files\MyDefrag v4.2.7
2010-01-14 16:12 . 2009-10-24 06:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 16:27 . 2009-04-07 23:57 0 ---h--w- c:\programdata\PKP_DLbx.DAT
2010-01-13 16:19 . 2007-12-03 01:03 128952 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-13 14:25 . 2007-12-10 22:29 -------- d-----w- c:\program files\Intuit
2010-01-13 14:22 . 2007-12-10 22:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-01-13 14:12 . 2010-01-13 14:12 38878288 ----a-w- c:\users\User\AppData\Roaming\Nikon\Message Center\DOWNLOAD_LOG\14716\S-CNX2__-222WU-___EN.exe
2010-01-13 14:08 . 2010-01-13 14:08 38986384 ----a-w- c:\users\User\AppData\Roaming\Nikon\Message Center\DOWNLOAD_LOG\14919\S-CNX2__-223WU-___EN.exe
2010-01-13 00:58 . 2008-12-20 16:42 -------- d-----w- c:\program files\Google
2010-01-12 02:20 . 2009-06-26 12:35 -------- d-----w- c:\users\User\AppData\Roaming\Red Kawa
2010-01-07 21:07 . 2009-04-19 14:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-04-19 14:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 19:29 . 2008-11-02 14:20 -------- d-----w- c:\program files\CCleaner
2010-01-06 16:56 . 2009-04-19 02:46 -------- d-----w- c:\program files\SpeedFan
2010-01-06 02:24 . 2007-07-02 18:32 -------- d-----w- c:\programdata\Roxio
2010-01-04 14:26 . 2009-05-31 14:38 5061520 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-26 16:08 . 2009-12-26 16:08 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-25 16:57 . 2007-12-10 01:15 -------- d-----w- c:\users\User\AppData\Roaming\Roxio
2009-11-24 23:54 . 2009-10-12 15:09 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:49 . 2009-10-12 15:09 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-12 15:09 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-12 15:09 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-04-18 16:52 . 2009-04-18 16:52 22 --sha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-02-08_00.11.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 14:41 . 2008-01-19 07:33 72704 c:\windows\winsxs\x86_microsoft-windows-ie-adminkitmostfiles_31bf3856ad364e35_6.0.6001.18385_none_ade0a99107023f3c\admparse.dll
+ 2009-08-06 01:55 . 2009-04-11 06:28 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6002.18167_none_03958f7b9f23b4ad\WininetPlugin.dll
+ 2009-08-06 01:55 . 2009-04-11 06:28 27648 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6002.18167_none_03958f7b9f23b4ad\jsproxy.dll
+ 2008-04-09 13:58 . 2008-02-22 05:01 64512 c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18385_none_01977b41a20f6796\WininetPlugin.dll
+ 2009-08-06 01:55 . 2009-06-15 14:52 23552 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6002.18124_none_aba7f34857b9444a\lpk.dll
+ 2009-08-06 01:55 . 2009-06-15 14:51 10240 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6002.18124_none_aba7f34857b9444a\dciman32.dll
+ 2009-08-06 01:55 . 2009-04-11 06:28 34304 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6002.18124_none_aba7f34857b9444a\atmlib.dll
+ 2009-08-06 01:55 . 2008-01-19 07:34 23552 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6001.18344_none_a9abdfa25aa329e1\lpk.dll
+ 2009-08-06 01:55 . 2009-06-15 15:20 10240 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6001.18344_none_a9abdfa25aa329e1\dciman32.dll
+ 2007-07-02 18:07 . 2010-02-13 18:05 68762 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-02-13 18:05 70218 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-03 00:58 . 2010-02-13 18:05 12724 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3095095602-4275134223-639891559-1000_UserData.bin
+ 2007-12-03 00:54 . 2010-02-13 18:03 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-03 00:54 . 2010-02-07 23:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-09 04:16 . 2010-02-13 18:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-03 00:54 . 2010-02-07 23:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-03 00:54 . 2010-02-07 23:50 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-03 00:54 . 2010-02-13 18:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-13 18:03 . 2010-02-13 18:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-07 23:26 . 2010-02-07 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-02-13 18:03 . 2010-02-13 18:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-02-07 23:26 . 2010-02-07 23:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-14 13:48 . 2008-01-19 07:34 180736 c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18385_none_6450f463ae5b5ef9\ieui.dll
+ 2008-10-15 12:40 . 2008-01-19 07:36 129536 c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18385_none_4752321d8cc085f3\sqmapi.dll
+ 2009-08-06 01:55 . 2009-06-15 12:42 289792 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6002.18124_none_aba7f34857b9444a\atmfd.dll
+ 2009-08-06 01:55 . 2009-06-15 12:52 289792 c:\windows\winsxs\x86_microsoft-windows-gdi_31bf3856ad364e35_6.0.6001.18344_none_a9abdfa25aa329e1\atmfd.dll
+ 2010-02-09 21:28 . 2009-06-04 23:43 330264 c:\windows\System32\DriverStore\FileRepository\iaahci.inf_0813ee45\iaStor.sys
- 2007-07-02 17:48 . 2006-11-10 21:25 319456 c:\windows\System32\difxapi.dll
+ 2007-07-02 17:48 . 2006-11-10 14:25 319456 c:\windows\System32\difxapi.dll
+ 2007-12-04 13:53 . 2010-02-08 16:03 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2007-12-04 13:53 . 2010-02-07 05:15 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2007-12-04 13:52 . 2010-02-08 16:02 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2007-12-04 13:52 . 2010-02-07 05:15 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2010-02-08 17:15 . 2010-02-08 17:15 307200 c:\windows\Installer\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}\SafariIco.exe
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6002.22290_none_fda0dd56824b713c\ieapfltr.dat
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6002.18167_none_fd3eb255690f2f00\ieapfltr.dat
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6001.22585_none_fbca3ccc85187eda\ieapfltr.dat
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6001.18385_none_fb409e1b6bfae1e9\ieapfltr.dat
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.21184_none_f9e2d41887f30aad\ieapfltr.dat
+ 2009-08-06 01:55 . 2009-06-18 06:56 2452872 c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16982_none_f9575e976ed704f3\ieapfltr.dat
+ 2010-02-08 17:15 . 2010-02-08 17:15 2449408 c:\windows\Installer\bdd0eb.msi
+ 2008-02-16 13:45 . 2010-02-09 22:37 250922870 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-11-07 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
backup=c:\windows\pss\LaunchU3.exe.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-19 15:38 135664 ----atw- c:\program files\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 18:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-05 00:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
2009-05-29 21:58 479232 ----a-w- c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-06-11 15:57 184320 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-03-29 00:45 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\r***ent]
2009-10-21 17:58 916304 ----a-w- c:\program files\RFA\r***ent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunSpySweeperScheduleAtStartup]
2007-03-23 21:23 86016 ----a-w- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-09 13:12 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-02 19:45 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2007-07-02 18:15 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [10/12/2009 10:09 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [10/12/2009 10:09 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [10/12/2009 10:09 AM 53328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/5/2007 4:43 PM 24652]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [11/30/2008 1:30 PM 717296]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\System32\drivers\lmvac.sys [12/18/2008 7:13 PM 18912]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 4:29 AM 29178224]
S3 PAC207;PC Camer@;c:\windows\System32\drivers\PFC027.SYS [2/13/2008 4:17 PM 618112]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 WMSvc;Web Management Service;c:\windows\System32\inetsrv\WMSvc.exe [11/2/2006 7:36 AM 10752]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/19/2009 10:38 AM 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 15:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 15:38]
2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 15:38]
2010-02-13 c:\windows\Tasks\HPCeeScheduleForUser.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-07-02 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\bv5h7rsw.SPEED\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/local/28273?lswe=28273&lwsa=WeatherLocalUndeclared&from=searchbox_localwx
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 13:31
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x8635B8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87faed1f
\Driver\ACPI -> acpi.sys @ 0x804439d6
\Driver\atapi -> ataport.SYS @ 0x806619c6
\Driver\iaStor -> iaStor.sys @ 0x87b7d6c8
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9240.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3508)
c:\program files\HP\QuickPlay\Kernel\Movie\CLDemuxer.ax
c:\program files\PixiePack Codec Pack\MP4Splitter.ax
c:\windows\system32\RealMediaSplitter.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2dsh264.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2h264dec.dll
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2h264dec.004
c:\program files\PixiePack Codec Pack\FLVSplitter.ax
c:\program files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
c:\program files\HP\QuickPlay\Kernel\DMP\CLWMFDemux.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcdsmpeg.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcmpgdec.dll
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcspmpeg.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mpegin.dll
c:\program files\Common Files\Nikon\MPEG\nikondsmpeg.ax
c:\program files\Common Files\Nikon\MPEG\nikonmpgdec.dll
.
Completion time: 2010-02-13 13:37:20
ComboFix-quarantined-files.txt 2010-02-13 18:37
ComboFix2.txt 2010-02-09 19:19
ComboFix3.txt 2010-02-09 17:41
ComboFix4.txt 2010-02-08 04:27
ComboFix5.txt 2010-02-13 18:17
Pre-Run: 25,433,657,344 bytes free
Post-Run: 25,311,981,568 bytes free
- - End Of File - - CA0E1CDAE3ECF849715F8383F4A4E6CF
-
1. Please open Notepad: click Start, then Run.
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the code box below into the Notepad window:
Code:
KillAll::
File::
Folder::
c:\program files\Viewpoint
Driver::
"Viewpoint Manager Service"
Registry::
RegLockDel::
MBR::
3. Save the above as CFScript.txt.
4. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
https://discussions.virtualdr.com/im.../2016/03/2.gif
5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
- ComboFix.txt
- A new HijackThis log.
-
ComboFix 10-02-12.01 - User 02/13/2010 14:40:25.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2037.1210 [GMT -5:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100213-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1368 [VPS 100213-1] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Viewpoint Manager Service
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.
2010-02-13 19:53 . 2010-02-13 19:55 -------- d-----w- c:\users\User\AppData\Local\temp
2010-02-13 19:53 . 2010-02-13 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-13 19:53 . 2010-02-13 19:53 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-02-13 19:53 . 2010-02-13 19:53 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-02-13 19:53 . 2010-02-13 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-13 19:30 . 2010-02-13 19:35 -------- d-----w- C:\32788R22FWJFW
2010-02-13 03:53 . 2010-02-13 03:53 -------- d-----w- c:\program files\Sophos
2010-02-11 18:28 . 2010-02-12 18:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-11 18:28 . 2010-02-12 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-11 14:01 . 2010-02-12 18:46 -------- d-----w- c:\program files\Enigma Software Group
2010-02-09 21:28 . 2010-02-09 21:34 -------- d-----w- c:\program files\Intel
2010-02-09 01:09 . 2010-02-09 01:09 -------- d-----w- C:\_OTM
2010-02-08 17:15 . 2010-02-08 17:15 -------- d-----w- c:\program files\Safari
2010-02-07 04:55 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-02-07 04:55 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-02-07 04:55 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-02-07 04:55 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-07 04:55 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-02-07 04:55 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-02-07 04:55 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-07 04:54 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-02-07 04:54 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-05 03:22 . 2010-02-05 03:24 -------- d-----w- c:\program files\iTunes
2010-02-04 17:49 . 2010-02-04 17:49 -------- d-----w- c:\program files\Trend Micro
2010-01-20 18:14 . 2010-01-20 18:14 -------- d-----w- c:\program files\RFA
2010-01-20 17:23 . 2010-02-11 19:26 -------- d-----w- c:\programdata\RFA_Backups
2010-01-19 18:30 . 2010-01-19 18:30 8704 ----a-w- c:\windows\system32\SpOrder.dll
2010-01-19 18:30 . 2010-01-19 18:30 73728 ----a-w- c:\windows\system32\VistaInfo32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 18:56 . 2009-04-17 13:50 117760 ----a-w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 23:26 . 2009-02-28 18:40 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-02-09 21:28 . 2007-07-02 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 17:12 . 2007-07-02 18:53 -------- d-----w- c:\programdata\Microsoft Help
2010-02-05 20:18 . 2008-10-29 00:15 -------- d-----w- c:\users\User\AppData\Roaming\uTorrent
2010-02-05 03:22 . 2007-12-05 23:45 -------- d-----w- c:\program files\iPod
2010-02-05 03:22 . 2007-12-06 00:04 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 13:40 . 2009-04-19 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 17:02 . 2008-11-26 15:20 -------- d-----w- c:\program files\QuickTime
2010-02-01 20:30 . 2010-01-04 14:25 52224 ----a-w- c:\users\User\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-26 00:07 . 2009-07-23 12:34 335872 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-01-26 00:06 . 2009-02-28 18:41 -------- d-----w- c:\program files\Common Files\Nikon
2010-01-26 00:05 . 2003-03-19 02:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-01-22 00:12 . 2009-06-26 13:07 -------- d-----w- c:\program files\DivX
2010-01-21 16:21 . 2008-01-13 00:58 210928 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-20 17:21 . 2010-01-06 15:13 -------- d-----w- c:\program files\MyDefrag v4.2.7
2010-01-14 16:12 . 2009-10-24 06:25 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 16:27 . 2009-04-07 23:57 0 ---h--w- c:\programdata\PKP_DLbx.DAT
2010-01-13 16:19 . 2007-12-03 01:03 128952 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-13 14:25 . 2007-12-10 22:29 -------- d-----w- c:\program files\Intuit
2010-01-13 14:22 . 2007-12-10 22:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-01-13 14:12 . 2010-01-13 14:12 38878288 ----a-w- c:\users\User\AppData\Roaming\Nikon\Message Center\DOWNLOAD_LOG\14716\S-CNX2__-222WU-___EN.exe
2010-01-13 14:08 . 2010-01-13 14:08 38986384 ----a-w- c:\users\User\AppData\Roaming\Nikon\Message Center\DOWNLOAD_LOG\14919\S-CNX2__-223WU-___EN.exe
2010-01-13 00:58 . 2008-12-20 16:42 -------- d-----w- c:\program files\Google
2010-01-12 02:20 . 2009-06-26 12:35 -------- d-----w- c:\users\User\AppData\Roaming\Red Kawa
2010-01-07 21:07 . 2009-04-19 14:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-04-19 14:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 19:29 . 2008-11-02 14:20 -------- d-----w- c:\program files\CCleaner
2010-01-06 16:56 . 2009-04-19 02:46 -------- d-----w- c:\program files\SpeedFan
2010-01-06 02:24 . 2007-07-02 18:32 -------- d-----w- c:\programdata\Roxio
2010-01-04 14:26 . 2009-05-31 14:38 5061520 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-26 16:08 . 2009-12-26 16:08 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-25 16:57 . 2007-12-10 01:15 -------- d-----w- c:\users\User\AppData\Roaming\Roxio
2009-11-24 23:54 . 2009-10-12 15:09 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:49 . 2009-10-12 15:09 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-10-12 15:09 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-10-12 15:09 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-04-18 16:52 . 2009-04-18 16:52 22 --sha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-11-07 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
backup=c:\windows\pss\LaunchU3.exe.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-19 15:38 135664 ----atw- c:\program files\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 18:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-05 00:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
2009-05-29 21:58 479232 ----a-w- c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-06-11 15:57 184320 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-03-29 00:45 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\r***ent]
2009-10-21 17:58 916304 ----a-w- c:\program files\RFA\r***ent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunSpySweeperScheduleAtStartup]
2007-03-23 21:23 86016 ----a-w- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-09 13:12 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-02 19:45 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2007-07-02 18:15 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [10/12/2009 10:09 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [10/12/2009 10:09 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [10/12/2009 10:09 AM 53328]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [11/30/2008 1:30 PM 717296]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\System32\drivers\lmvac.sys [12/18/2008 7:13 PM 18912]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 4:29 AM 29178224]
S3 PAC207;PC Camer@;c:\windows\System32\drivers\PFC027.SYS [2/13/2008 4:17 PM 618112]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 WMSvc;Web Management Service;c:\windows\System32\inetsrv\WMSvc.exe [11/2/2006 7:36 AM 10752]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/19/2009 10:38 AM 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 15:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 15:38]
2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-19 15:38]
2010-02-13 c:\windows\Tasks\HPCeeScheduleForUser.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-07-02 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\bv5h7rsw.SPEED\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/local/28273?lswe=28273&lwsa=WeatherLocalUndeclared&from=searchbox_localwx
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 14:56
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x8635B8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87faed1f
\Driver\ACPI -> acpi.sys @ 0x804439d6
\Driver\atapi -> ataport.SYS @ 0x806619c6
\Driver\iaStor -> iaStor.sys @ 0x87b7d6c8
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9240.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1236)
c:\program files\HP\QuickPlay\Kernel\Movie\CLDemuxer.ax
c:\program files\PixiePack Codec Pack\MP4Splitter.ax
c:\windows\system32\RealMediaSplitter.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2dsh264.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2h264dec.dll
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2h264dec.004
c:\program files\PixiePack Codec Pack\FLVSplitter.ax
c:\program files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
c:\program files\HP\QuickPlay\Kernel\DMP\CLWMFDemux.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcdsmpeg.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcmpgdec.dll
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mcspmpeg.ax
c:\program files\Adobe\Adobe Premiere Pro CS3\ad2mpegin.dll
c:\program files\Common Files\Nikon\MPEG\nikondsmpeg.ax
c:\program files\Common Files\Nikon\MPEG\nikonmpgdec.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2010-02-13 15:05:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 20:05
ComboFix2.txt 2010-02-13 18:37
ComboFix3.txt 2010-02-09 19:19
ComboFix4.txt 2010-02-09 17:41
ComboFix5.txt 2010-02-13 19:35
Pre-Run: 25,256,517,632 bytes free
Post-Run: 24,995,745,792 bytes free
- - End Of File - - 46EEDBB1A7DE86DEB36D4A196BB83308
-
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:58 PM, on 2/13/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\PixArt\Pac207\Monitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
O4 - HKLM\..\Run: [WAWifiMessage] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PAC207_Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6060 bytes
-
I assume redirection is still on?
-
Yes, I'm still getting redirected! :(
-
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
-
15:37:30:959 1884 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
15:37:30:959 1884 ================================================================================
15:37:30:959 1884 SystemInfo:
15:37:30:959 1884 OS Version: 6.0.6000 ServicePack: 0.0
15:37:30:959 1884 Product type: Workstation
15:37:30:959 1884 ComputerName: ASK
15:37:30:960 1884 UserName: User
15:37:30:960 1884 Windows directory: C:\Windows
15:37:30:960 1884 Processor architecture: Intel x86
15:37:30:960 1884 Number of processors: 2
15:37:30:960 1884 Page size: 0x1000
15:37:30:960 1884 Boot type: Normal boot
15:37:30:960 1884 ================================================================================
15:37:30:965 1884 UnloadDriverW: NtUnloadDriver error 2
15:37:30:965 1884 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:37:30:966 1884 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
15:37:31:068 1884 UtilityInit: KLMD drop and load success
15:37:31:068 1884 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
15:37:31:068 1884 UtilityInit: KLMD open success
15:37:31:068 1884 UtilityInit: Initialize success
15:37:31:068 1884
15:37:31:068 1884 Scanning Services ...
15:37:31:068 1884 CreateRegParser: Registry parser init started
15:37:31:069 1884 CreateRegParser: DisableWow64Redirection error
15:37:31:069 1884 wfopen_ex: Trying to open file C:\Windows\system32\config\system
15:37:31:069 1884 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
15:37:31:069 1884 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:37:31:069 1884 wfopen_ex: Trying to KLMD file open
15:37:31:069 1884 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
15:37:31:069 1884 wfopen_ex: File opened ok (Flags 2)
15:37:31:090 1884 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1316F70
15:37:31:090 1884 wfopen_ex: Trying to open file C:\Windows\system32\config\software
15:37:31:090 1884 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
15:37:31:091 1884 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:37:31:091 1884 wfopen_ex: Trying to KLMD file open
15:37:31:091 1884 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
15:37:31:091 1884 wfopen_ex: File opened ok (Flags 2)
15:37:31:091 1884 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1316F98
15:37:31:091 1884 CreateRegParser: EnableWow64Redirection error
15:37:31:091 1884 CreateRegParser: RegParser init completed
15:37:31:506 1884 GetAdvancedServicesInfo: Raw services enum returned 462 services
15:37:31:513 1884 fclose_ex: Trying to close file C:\Windows\system32\config\system
15:37:31:514 1884 fclose_ex: Trying to close file C:\Windows\system32\config\software
15:37:31:514 1884
15:37:31:515 1884 Scanning Kernel memory ...
15:37:31:516 1884 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
15:37:31:516 1884 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8522A568
15:37:31:516 1884 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
15:37:31:516 1884
15:37:31:516 1884 DetectCureTDL3: DEVICE_OBJECT: 85722958
15:37:31:516 1884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85722958
15:37:31:516 1884 DetectCureTDL3: DEVICE_OBJECT: 847FDF18
15:37:31:516 1884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 847FDF18
15:37:31:516 1884 DetectCureTDL3: DEVICE_OBJECT: 847FE030
15:37:31:516 1884 KLMD_GetLowerDeviceObject: Trying to get lower device object for 847FE030
15:37:31:516 1884 KLMD_ReadMem: Trying to ReadMemory 0x847FE030[0x38]
15:37:31:516 1884 DetectCureTDL3: DRIVER_OBJECT: 847DBCE0
15:37:31:516 1884 KLMD_ReadMem: Trying to ReadMemory 0x847DBCE0[0xA8]
15:37:31:516 1884 KLMD_ReadMem: Trying to ReadMemory 0x83AA1410[0x1C]
15:37:31:516 1884 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
15:37:31:516 1884 DetectCureTDL3: IrpHandler (0) addr: 87B7D6C8
15:37:31:516 1884 DetectCureTDL3: IrpHandler (1) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (2) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (3) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (4) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (5) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (6) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (7) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (8) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (9) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (10) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (11) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (12) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (13) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (14) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (15) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (16) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (17) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (18) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (19) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (20) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (21) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (22) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (23) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (24) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (25) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: IrpHandler (26) addr: 87B7D6C8
15:37:31:517 1884 DetectCureTDL3: All IRP handlers pointed to one addr: 87B7D6C8
15:37:31:517 1884 KLMD_ReadMem: Trying to ReadMemory 0x87B7D6C8[0x400]
15:37:31:517 1884 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:37:31:517 1884 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
15:37:31:517 1884 KLMD_ReadMem: Trying to ReadMemory 0x847DB66C[0x4]
15:37:31:518 1884 TDL3_IrpHookDetect: New IrpHandler addr: 863168C8
15:37:31:518 1884 KLMD_ReadMem: Trying to ReadMemory 0x863168C8[0x400]
15:37:31:518 1884 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
15:37:31:518 1884 Driver "iaStor" Irp handler infected by TDSS rootkit ... 15:37:31:518 1884 KLMD_WriteMem: Trying to WriteMemory 0x8631694E[0xD]
15:37:31:518 1884 cured
15:37:31:519 1884 TDL3_FileDetect: Processing driver: iaStor
15:37:31:519 1884 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
15:37:31:519 1884 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\iaStor.sys
15:37:31:550 1884 TDL3_FileDetect: C:\Windows\system32\DRIVERS\iaStor.sys - Verdict: Infected
15:37:31:550 1884 File C:\Windows\system32\DRIVERS\iaStor.sys infected by TDSS rootkit ... 15:37:31:551 1884 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
15:37:32:585 1884 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys:304920, checking..
15:37:32:605 1884 ValidateDriverFile: Stage 1 passed
15:37:32:607 1884 ValidateDriverFile: Stage 2 passed
15:37:33:158 1884 DigitalSignVerifyByHandle: Embedded DS result: 00000000
15:37:33:158 1884 ValidateDriverFile: Stage 3 passed
15:37:33:158 1884 FileCallback: File validated successfully, restore information prepared
15:37:35:666 1884 FindDriverFileBackup: Backup copy found in DriverStore
15:37:35:666 1884 TDL3_FileCure: Backup copy found, using it..
15:37:35:667 1884 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tsk42DF.tmp
15:37:35:672 1884 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk42DF.tmp, system32\drivers\iaStor.sys)
15:37:35:672 1884 TDL3_FileCure: KLMD jobs schedule success
15:37:35:672 1884 will be cured on next reboot
15:37:35:673 1884 UtilityBootReinit: Reboot required for cure complete..
15:37:35:673 1884 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
15:37:35:677 1884 UtilityBootReinit: KLMD drop success
15:37:35:678 1884 KLMD_ApplyPendList: Pending buffer(1095_7E5B, 616) dropped successfully
15:37:35:678 1884 UtilityBootReinit: Cure on reboot scheduled successfully
15:37:35:678 1884
15:37:35:678 1884 Completed
15:37:35:679 1884
15:37:35:679 1884 Results:
15:37:35:679 1884 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
15:37:35:680 1884 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:37:35:680 1884 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:37:35:680 1884
15:37:35:681 1884 UnloadDriverW: NtUnloadDriver error 1
15:37:35:681 1884 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:37:35:682 1884 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
15:37:35:682 1884 UtilityDeinit: KLMD(ARK) unloaded successfully
-