[RESOLVED] XP Recovery Virus (Trojan)

Started By yu677gh, Jun 08 2011 11:50 PM

Next

You cannot start a new topic
You cannot reply to this topic
Go to first unread post

51 replies to this topic

#1 yu677gh

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 08 June 2011 - 11:50 PM

Hello,

Thank you for your help.

Current Situation
-----------------
AntiVirus Scans are now showing clean.
Many Desktop icons are still hidden (seem missing, but cannot unhide)
Many folders still seem empty, missing files (for example Documents and Settings folder show completely empty)
Program folder is showing empty except for recently installed AntiVirus

here is the time-line:

1. Initial problem
------------------

Machine was infected by XP Recovery virus.

User clicked through and accepted fake offers to scan.
User did not proceed to pay for 'higher level'

computer would boot to empty desktop, showing empty Document folders, empty Program folders.

2. Steps taken Prior to Reading this Forum
----------------------------------------
entered safe-mode as Administrator
ran 2 antivirus (PCPitstop_Exterminator & SuperAntispywareFree)
both found and cleaned infections

rebooting as User in regular mode, machine got reinfected and Explorer would get Hijacked

3. After Reading this Forum
------------------------

Followed the 5-step plan, logs are as follows:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6813

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 5:36:48 PM
mbam-log-2011-06-08 (17-36-48).txt

Scan type: Quick scan
Objects scanned: 174646
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-08 19:23:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75L9A0 rev.02.03E02
Running: 7ypyu31e.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\fxdoakod.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\WINDOWS\system32\SearchIndexer.exe[3880] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[6124] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2308] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat 9C336D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 8A606E7A
Thread System [4:128] 8A609008

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS00169.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0016A.log 0 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0016B.log 0 bytes

---- EOF - GMER 1.0.15 ----

=================

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xBA108000 PBADRV.sys
0xB9DEE000 Mup.sys
0xBA148000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9D95000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB91D8000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB91C4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB919C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9167000 \SystemRoot\system32\DRIVERS\k57xp32.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9143000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB912F000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA158000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA550000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA168000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA178000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA188000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB90CA000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA7D9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA198000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9803000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB90B3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA400000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB90A2000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB697D000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB6975000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB600C000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA248000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB696D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB6965000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5B8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5FAE000 \SystemRoot\system32\DRIVERS\update.sys
0xB678C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA288000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA278000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA4BF0000 \SystemRoot\system32\drivers\RtDHDAud.sys
0xA4BCC000 \SystemRoot\system32\drivers\portcls.sys
0xB9010000 \SystemRoot\system32\drivers\drmk.sys
0x9FF70000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5E2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9F2AC000 \SystemRoot\System32\Drivers\Null.SYS
0xA087B000 \SystemRoot\System32\Drivers\Beep.SYS
0x9F3C4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9F3BC000 \SystemRoot\System32\drivers\vga.sys
0xA0879000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA0877000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9F3B4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9F3AC000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9FF68000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9E405000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9E3AC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9E384000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9E362000 \SystemRoot\System32\drivers\afd.sys
0x9F70F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9E340000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x9F3A4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x9E315000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9E2A5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9F6FF000 \SystemRoot\System32\Drivers\Fips.SYS
0x9F6CF000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9E28D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA086F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0x9EE55000 \SystemRoot\System32\drivers\Dxapi.sys
0x9F39C000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6C7000 \SystemRoot\System32\drivers\dxgthk.sys
0x9F394000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9EE51000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x9EC44000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x9EC34000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9EE49000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9E476000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF05E000 \SystemRoot\System32\igxpdv32.DLL
0xBF322000 \SystemRoot\System32\igxpdx32.DLL
0xBF67D000 \SystemRoot\System32\ATMFD.DLL
0x9E25B000 \SystemRoot\system32\DRIVERS\WavxDMgr.sys
0xA2724000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9E1CE000 \SystemRoot\system32\drivers\wdmaud.sys
0xA27CD000 \SystemRoot\system32\drivers\sysaudio.sys
0x9DB61000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9D9F1000 \SystemRoot\system32\DRIVERS\srv.sys
0x9CCF9000 \SystemRoot\System32\Drivers\HTTP.sys
0x9C353000 \??\C:\DOCUME~1\Eric\LOCALS~1\Temp\fxdoakod.sys
0x9C32F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9C304000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
476 C:\WINDOWS\system32\smss.exe
536 csrss.exe
732 C:\WINDOWS\system32\winlogon.exe
776 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
1016 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1200 C:\Program Files\Windows Defender\MsMpEng.exe
1240 C:\WINDOWS\system32\svchost.exe
1300 svchost.exe
1412 svchost.exe
1648 C:\WINDOWS\system32\spoolsv.exe
1984 C:\WINDOWS\explorer.exe
368 C:\WINDOWS\RTDCPL.EXE
512 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
508 C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
556 C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
608 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
640 C:\WINDOWS\system32\hkcmd.exe
672 C:\WINDOWS\system32\igfxpers.exe
692 C:\Program Files\Windows Defender\MSASCui.exe
1036 C:\WINDOWS\system32\igfxsrvc.exe
1184 C:\WINDOWS\vVX3000.exe
1876 C:\Program Files\iTunes\iTunesHelper.exe
1912 C:\WINDOWS\system32\ctfmon.exe
1804 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2440 svchost.exe
2476 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2492 C:\Program Files\Bonjour\mDNSResponder.exe
2540 C:\Program Files\Citrix\GoToMyPC\g2svc.exe
2724 C:\Program Files\Citrix\GoToMyPC\g2comm.exe
2792 C:\Program Files\Java\jre6\bin\jqs.exe
2836 C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
2888 C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
2924 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2944 C:\Program Files\Retrospect\Retrospect Client\retroclient.exe
3200 C:\Program Files\Citrix\GoToMyPC\g2pre.exe
3328 C:\Program Files\Citrix\GoToMyPC\g2tray.exe
3440 C:\WINDOWS\system32\svchost.exe
3476 C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
3880 C:\WINDOWS\system32\searchindexer.exe
600 wmiprvse.exe
568 C:\WINDOWS\system32\wscntfy.exe
2668 C:\Program Files\iPod\bin\iPodService.exe
6124 C:\Program Files\Internet Explorer\iexplore.exe
2308 C:\Program Files\Internet Explorer\iexplore.exe
5188 C:\WINDOWS\system32\notepad.exe
1100 C:\WINDOWS\system32\wscript.exe
4556 C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE
2172 C:\Program Files\Internet Explorer\iexplore.exe
6100 C:\Program Files\Internet Explorer\iexplore.exe
2116 C:\WINDOWS\system32\searchprotocolhost.exe
4296 searchfilterhost.exe
1348 C:\Documents and Settings\Eric\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-75L9A0, Rev: 02.03E02

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B

Done!

=====================

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Eric at 19:27:54 on 2011-06-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2402 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTDCPL.EXE
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Retrospect\Retrospect Client\retroclient.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscript.exe
C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx
mSearchAssistant = hxxp://www.bing.com/sphome.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [VyuAmrmEfIELC] c:\documents and settings\all users\application data\VyuAmrmEfIELC.exe
mRun: [RTHDCPL] RTDCPL.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\eric\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\eric\my documents\Mohican DB 2.0.fp5
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://kynex.webex.com/client/T27LB/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
TCP: Interfaces\{B1E28740-6CD8-4EF4-832E-E6632159D41C} : DhcpNameServer = 24.92.226.11 24.92.226.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-6-6 77312]
R2 Retrospect Client;Retrospect Client;c:\program files\retrospect\retrospect client\RemotSvc.exe [2008-12-1 61440]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-7-1 209960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-13 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-13 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2011-06-08 21:07:24 -------- d-----w- c:\documents and settings\eric\application data\Malwarebytes
2011-06-08 20:37:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 20:37:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-08 20:36:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-06 20:02:08 -------- d-----w- c:\documents and settings\eric\application data\SUPERAntiSpyware.com
2011-06-06 18:14:16 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-06 18:14:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-25 20:11:15 -------- d--h--w- c:\program files\iPod
2011-05-25 20:11:13 -------- d--h--w- c:\program files\iTunes
2011-05-25 20:09:15 -------- d--h--w- c:\program files\Bonjour
2011-05-25 19:51:38 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-25 19:51:37 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-25 19:51:37 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-25 19:51:37 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 19:28:00.78 ===============

=====================

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/8/2010 4:32:09 PM
System Uptime: 6/8/2011 5:52:38 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0HN7XN
Processor: Intel® Core™2 Duo CPU E7500 @ 2.93GHz | CPU | 2925/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 249.378 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP279: 3/11/2011 1:59:22 AM - Software Distribution Service 3.0
RP280: 3/12/2011 3:40:55 AM - System Checkpoint
RP281: 3/13/2011 6:16:51 AM - System Checkpoint
RP282: 3/14/2011 8:16:51 AM - System Checkpoint
RP283: 3/15/2011 1:59:24 AM - Software Distribution Service 3.0
RP284: 3/16/2011 2:16:51 AM - System Checkpoint
RP285: 3/16/2011 3:00:13 AM - Software Distribution Service 3.0
RP286: 3/17/2011 3:20:18 AM - System Checkpoint
RP287: 3/17/2011 12:02:32 PM - Configured 2007 Microsoft Office system
RP288: 3/18/2011 1:49:24 AM - Software Distribution Service 3.0
RP289: 3/19/2011 3:56:20 AM - System Checkpoint
RP290: 3/20/2011 5:20:18 AM - System Checkpoint
RP291: 3/21/2011 7:20:18 AM - System Checkpoint
RP292: 3/22/2011 1:49:08 AM - Software Distribution Service 3.0
RP293: 3/23/2011 3:20:18 AM - System Checkpoint
RP294: 3/24/2011 3:00:13 AM - Software Distribution Service 3.0
RP295: 3/25/2011 1:49:27 AM - Software Distribution Service 3.0
RP296: 3/26/2011 3:56:20 AM - System Checkpoint
RP297: 3/27/2011 5:20:18 AM - System Checkpoint
RP298: 3/28/2011 7:20:13 AM - System Checkpoint
RP299: 3/29/2011 1:49:23 AM - Software Distribution Service 3.0
RP300: 3/30/2011 3:20:13 AM - System Checkpoint
RP301: 3/31/2011 5:20:13 AM - System Checkpoint
RP302: 4/1/2011 1:49:22 AM - Software Distribution Service 3.0
RP303: 4/2/2011 2:08:16 AM - System Checkpoint
RP304: 4/3/2011 3:44:15 AM - System Checkpoint
RP305: 4/4/2011 5:20:14 AM - System Checkpoint
RP306: 4/5/2011 1:49:22 AM - Software Distribution Service 3.0
RP307: 4/6/2011 3:20:14 AM - System Checkpoint
RP308: 4/7/2011 5:56:19 AM - System Checkpoint
RP309: 4/8/2011 1:49:27 AM - Software Distribution Service 3.0
RP310: 4/9/2011 3:44:17 AM - System Checkpoint
RP311: 4/10/2011 4:08:19 AM - System Checkpoint
RP312: 4/11/2011 5:20:16 AM - System Checkpoint
RP313: 4/12/2011 1:49:26 AM - Software Distribution Service 3.0
RP314: 4/13/2011 3:20:17 AM - System Checkpoint
RP315: 4/14/2011 5:20:17 AM - System Checkpoint
RP316: 4/15/2011 1:49:21 AM - Software Distribution Service 3.0
RP317: 4/16/2011 3:00:13 AM - Software Distribution Service 3.0
RP318: 4/17/2011 3:23:45 AM - System Checkpoint
RP319: 4/18/2011 5:23:46 AM - System Checkpoint
RP320: 4/19/2011 1:46:26 AM - Software Distribution Service 3.0
RP321: 4/20/2011 3:23:45 AM - System Checkpoint
RP322: 4/21/2011 5:23:45 AM - System Checkpoint
RP323: 4/22/2011 1:46:22 AM - Software Distribution Service 3.0
RP324: 4/23/2011 3:23:45 AM - System Checkpoint
RP325: 4/24/2011 3:23:49 AM - System Checkpoint
RP326: 4/25/2011 3:42:47 AM - System Checkpoint
RP327: 4/26/2011 2:14:22 AM - Software Distribution Service 3.0
RP328: 4/27/2011 3:04:48 AM - System Checkpoint
RP329: 4/28/2011 3:00:13 AM - Software Distribution Service 3.0
RP330: 4/29/2011 1:46:56 AM - Software Distribution Service 3.0
RP331: 4/30/2011 3:23:34 AM - System Checkpoint
RP332: 5/1/2011 5:04:50 AM - System Checkpoint
RP333: 5/2/2011 5:16:52 AM - System Checkpoint
RP334: 5/3/2011 5:40:08 AM - System Checkpoint
RP335: 5/4/2011 7:41:13 AM - System Checkpoint
RP336: 5/5/2011 8:03:04 AM - System Checkpoint
RP337: 5/6/2011 12:36:22 PM - System Checkpoint
RP338: 5/7/2011 1:40:08 PM - System Checkpoint
RP339: 5/8/2011 3:40:08 PM - System Checkpoint
RP340: 5/9/2011 3:41:13 PM - System Checkpoint
RP341: 5/10/2011 5:38:06 PM - System Checkpoint
RP342: 5/11/2011 5:40:08 PM - System Checkpoint
RP343: 5/12/2011 7:40:08 PM - System Checkpoint
RP344: 5/13/2011 9:40:09 PM - System Checkpoint
RP345: 5/14/2011 11:40:08 PM - System Checkpoint
RP346: 5/16/2011 1:40:08 AM - System Checkpoint
RP347: 5/17/2011 3:40:09 AM - System Checkpoint
RP348: 5/18/2011 5:40:08 AM - System Checkpoint
RP349: 5/19/2011 7:40:09 AM - System Checkpoint
RP350: 5/20/2011 10:02:35 AM - System Checkpoint
RP351: 5/21/2011 11:41:09 AM - System Checkpoint
RP352: 5/22/2011 11:44:06 AM - System Checkpoint
RP353: 5/23/2011 1:17:27 PM - System Checkpoint
RP354: 5/24/2011 2:32:09 PM - System Checkpoint
RP355: 5/25/2011 4:09:49 PM - Installed iTunes
RP356: 5/26/2011 4:26:21 PM - System Checkpoint
RP357: 5/27/2011 6:17:47 PM - System Checkpoint
RP358: 5/28/2011 8:17:47 PM - System Checkpoint
RP359: 5/29/2011 10:18:52 PM - System Checkpoint
RP360: 5/31/2011 12:17:47 AM - System Checkpoint
RP361: 6/1/2011 1:05:53 AM - System Checkpoint
RP362: 6/2/2011 2:17:49 AM - System Checkpoint
RP363: 6/3/2011 4:17:49 AM - System Checkpoint
RP364: 6/4/2011 7:05:55 AM - System Checkpoint
RP365: 6/5/2011 8:17:49 AM - System Checkpoint
RP366: 6/6/2011 5:20:47 PM - System Checkpoint
RP367: 6/7/2011 7:00:51 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
2007 Microsoft Office system
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BioAPI Framework
BNP Paribas Online Trading ver 7.0
Bonjour
Broadcom NetXtreme-I Netlink Driver and Management Installer
Citrix XenApp Web Plugin
DCP32MMWrapper
Dell Backup and Recovery Manager
Dell Control Point
Dell ControlPoint Security Manager
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
FileMaker Pro 6
Gemalto
Google Toolbar for Internet Explorer
Google Update Helper
GoToMyPC
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IMC Messenger (remove only)
Intel® Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java™ 6 Update 20
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser
NTRU TCG Software Stack
NVIDIA Drivers
NVIDIA nView Desktop Manager
PC Pitstop Exterminate2 2.0
PowerDVD DX
Preboot Manager
Private Information Manager
QuickTime
Realtek High Definition Audio Driver
Retrospect Client 7.6
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2483614)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Security Wizards
Segoe UI
SO32MMWrapper
ST Microelectronics TPM Driver Installer
SUPERAntiSpyware
Trusted Drive Manager
tsp patch
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Word 2007 (KB974631)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Update for Outlook 2007 (KB933493)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
UPEK TouchChip Fingerprint Reader
Wave Infrastructure Installer
Wave Support Software
WebEx
WebFldrs XP
Windows Defender
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
Windows Driver Package - STMicroelectronics (stmtpm) System (05/24/2007 1.00.04.15)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
6/6/2011 3:12:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
6/6/2011 12:24:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:31 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/6/2011 12:24:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/6/2011 11:17:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/6/2011 11:16:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
6/6/2011 11:15:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/6/2011 1:03:22 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 1:03:22 PM, error: Service Control Manager [7022] - The SQL Server VSS Writer service hung on starting.
.
==== End Of File ===========================

Back to top

#2 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 08 June 2011 - 11:53 PM

Welcome aboard Posted Image

Download TDSSKiller and save it to your desktop.

Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

Back to top

#3 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:00 AM

double-clicking on the (extracted) .exe is not doing anything..

Back to top

#4 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:01 AM

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)

Link 2 (zipped file)

Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

Double-click on RKUnhookerLE.exe to start the program.
Vista/Windows 7 users right-click and select Run As Administrator.
Click the Report tab, then click Scan.
Check Drivers, Stealth, and uncheck the rest.
Click OK.
Wait until it's finished and then go to File > Save Report.
Save the report to your Desktop.
Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Back to top

#5 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:08 AM

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB91D8000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6320128 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA4BF0000 C:\WINDOWS\system32\drivers\RtDHDAud.sys 6070272 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF322000 C:\WINDOWS\System32\igxpdx32.DLL 3518464 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF05E000 C:\WINDOWS\System32\igxpdv32.DLL 2899968 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1867776 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1867776 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9E2A5000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB5FAE000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x9E3AC000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9D9F1000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF67D000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9CCF9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 237568 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB9167000 C:\WINDOWS\system32\DRIVERS\k57xp32.sys 217088 bytes (Broadcom Corporation, Broadcom NetLink ™ Gigabit Ethernet NDIS5.1 Driver.)
0x9E25B000 C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys 204800 bytes (Wave Systems Corp., WavX Document Manager Filter Driver)
0xB600C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9DB61000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9C304000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0x9E315000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB919C000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0x9E384000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0x9C32F000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA4BCC000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9143000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB90CA000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9E362000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9E340000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E5000 ACPI_HAL 134528 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x9C353000 C:\DOCUME~1\Eric\LOCALS~1\Temp\fxdoakod.sys 102400 bytes
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9E28D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB90B3000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E1CE000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB912F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB91C4000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x9E405000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB90A2000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9F6CF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB9010000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA188000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA27CD000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA288000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA198000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9F6FF000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA108000 PBADRV.sys 45056 bytes (Dell Inc, PBA Support Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA278000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA248000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x9EC74000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0x9EC44000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA148000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0x9F70F000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x9EC34000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x9F3AC000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0x9F394000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x9F3C4000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xA099F000 C:\DOCUME~1\Eric\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB696D000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB6965000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0x9F3A4000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x9F3BC000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9F3B4000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB697D000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB6975000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA400000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x9F39C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0x9EE49000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB678C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA2724000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA550000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0x9EE55000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x9EE51000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x9FF70000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0x9E476000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9803000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x9FF68000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9D95000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xA087B000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AE000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xA086F000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5E2000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA0879000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA0877000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7D9000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6C7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0x9F2AC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x8A603A91 Unknown page with executable code, 1391 bytes
0x8A602288 Unknown page with executable code, 3448 bytes
0x8A604191 Unknown page with executable code, 3695 bytes
0xBA0C8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8A606E7A Unknown thread object [ ETHREAD 0x8A573B88 ] TID: 124, 600 bytes
0x8A609008 Unknown thread object [ ETHREAD 0x8A573910 ] TID: 128, 600 bytes
0x8A608CDC Unknown page with executable code, 804 bytes

Back to top

#6 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:10 AM

OK, we have a rootkit there.

Before we'll try to remove it, I'd like to see, if we can uncover any of your hidden/moved files.
Download and run UnHide
Let me know, if you got any of your missing items back.

Back to top

#7 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:17 AM

yes, missing items have been uncovered succesfully (Desktop items, Docs&Settings, Program Folder, etc.)

Back to top

#8 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:19 AM

Perfect!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Back to top

#9 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:30 AM

"Driver VOLSNAP.SYS is patched with a rootkit"
"Attempting Disinfection"

"Rootkit!! - ComboFix has detected the presence of rootkit activity and needs to reboot the machine - OK"

Back to top

#10 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:31 AM

shall I go ahead, OK?

Back to top

#11 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:32 AM

Yes. That's the rootkit.

Back to top

#12 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:41 AM

long delay on shutdown..

computer rebooted

received error "SQL Writer - SQLDumper library failed initialization. Your installation is either corrupt or has been tampered with. Please Uninstall then re-run setup to correct this problem" -- OK ?

(meanwhile ComboFix is saying that machine does not have 'Microsoft Windows recovery console'...snip.. Click yes to have ComboFix download/install it)

Back to top

#13 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:42 AM

Yes, allow recovery console installation.

Back to top

#14 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:50 AM

AutoScan scanned, Completed Stages_

deleted folder Windows XP Recovery

Combofix is rebooting machine..

Back to top

#15 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:50 AM

Very well...

Back to top

#16 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 12:56 AM

ComboFix 11-06-08.03 - Eric 06/08/2011 20:45:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2829 [GMT -4:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric\Desktop\Windows XP Recovery.lnk
c:\documents and settings\Eric\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\Eric\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
c:\documents and settings\Eric\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
.
.
2011-06-08 21:07 . 2011-06-08 21:07 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2011-06-08 20:37 . 2011-06-08 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-08 20:37 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 20:37 . 2011-06-08 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-08 20:36 . 2011-06-08 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-08 06:12 . 2011-06-08 06:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-06-06 20:02 . 2011-06-06 20:02 -------- d-----w- c:\documents and settings\Eric\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 20:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-06 16:28 . 2011-06-06 16:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-06-06 16:27 . 2011-06-06 16:27 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-05-25 20:11 . 2011-05-25 20:11 -------- d-----w- c:\program files\iPod
2011-05-25 20:11 . 2011-05-25 20:11 -------- d-----w- c:\program files\iTunes
2011-05-25 20:09 . 2011-05-25 20:09 -------- d-----w- c:\program files\Bonjour
2011-05-25 19:51 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-25 19:51 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-25 19:51 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-25 19:51 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-09 00:51 . 2010-07-08 20:32 0 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\WavXMapDrive.bat
2011-04-11 07:04 . 2011-04-29 05:46 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6B1FC12C-603A-4C3A-AD25-071360B52D32}\mpengine.dll
2011-04-11 07:04 . 2010-07-08 20:55 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-03-04 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-10 13918208]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-05-18 145920]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-07-05 15872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\
Shortcut to Mohican DB 2.0.lnk - c:\documents and settings\Eric\My Documents\Mohican DB 2.0.fp5 [2010-7-8 28672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 18:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Client\\retroclient.exe"=
"c:\\Program Files\\IQuoteBNPP\\iquote32.exe"=
"c:\\Program Files\\LiveOffice\\IMC Messenger\\mtc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [6/6/2011 12:43 PM 77312]
R2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [12/1/2008 5:36 PM 61440]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [7/1/2010 1:55 AM 209960]
S?2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/13/2011 3:19 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/13/2011 3:19 PM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-13 19:19]
.
2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-13 19:19]
.
2011-06-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-VyuAmrmEfIELC - c:\documents and settings\All Users\Application Data\VyuAmrmEfIELC.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-08 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\WCR10.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\windows\RTDCPL.EXE
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Retrospect\Retrospect Client\retroclient.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\imapi.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-06-08 20:53:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-09 00:53
.
Pre-Run: 268,411,277,312 bytes free
Post-Run: 268,979,036,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F1D665D4165FDC940F1E9133B311AE8D

Back to top

#17 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 12:59 AM

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box
Click OK

Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= dword:00000001
"DisableNotifications"= dword:00000000

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

Back to top

#18 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 01:08 AM

ComboFix 11-06-08.03 - Eric 06/08/2011 21:03:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2632 [GMT -4:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
.
.
2011-06-09 00:54 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B94D72B5-9E94-4905-9CF2-513A6C73105A}\mpengine.dll
2011-06-08 21:07 . 2011-06-08 21:07 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2011-06-08 20:37 . 2011-06-08 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-08 20:37 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 20:37 . 2011-06-08 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-08 20:36 . 2011-06-08 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-08 06:12 . 2011-06-08 06:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-06-06 20:02 . 2011-06-06 20:02 -------- d-----w- c:\documents and settings\Eric\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-06 18:14 . 2011-06-06 20:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-06 16:28 . 2011-06-06 16:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-06-06 16:27 . 2011-06-06 16:27 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-05-25 20:11 . 2011-05-25 20:11 -------- d-----w- c:\program files\iPod
2011-05-25 20:11 . 2011-05-25 20:11 -------- d-----w- c:\program files\iTunes
2011-05-25 20:09 . 2011-05-25 20:09 -------- d-----w- c:\program files\Bonjour
2011-05-25 19:51 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-25 19:51 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-25 19:51 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-25 19:51 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-09 00:51 . 2010-07-08 20:32 0 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\WavXMapDrive.bat
2011-05-24 23:14 . 2010-07-08 20:55 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-11 07:04 . 2010-07-08 20:55 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-09_00.51.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-25 16:16 . 2011-06-09 00:55 80270 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2011-06-09 00:39 80270 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2011-06-09 00:55 467180 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2011-06-09 00:39 467180 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-03-04 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-10 13918208]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-05-18 145920]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-07-05 15872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\
Shortcut to Mohican DB 2.0.lnk - c:\documents and settings\Eric\My Documents\Mohican DB 2.0.fp5 [2010-7-8 28672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 18:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Client\\retroclient.exe"=
"c:\\Program Files\\IQuoteBNPP\\iquote32.exe"=
"c:\\Program Files\\LiveOffice\\IMC Messenger\\mtc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [12/1/2008 5:36 PM 61440]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [7/1/2010 1:55 AM 209960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/13/2011 3:19 PM 136176]
S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [6/6/2011 12:43 PM 77312]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/13/2011 3:19 PM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-13 19:19]
.
2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-13 19:19]
.
2011-06-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-08 21:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\WCR10.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-06-08 21:07:19
ComboFix-quarantined-files.txt 2011-06-09 01:07
ComboFix2.txt 2011-06-09 00:53
.
Pre-Run: 268,916,473,856 bytes free
Post-Run: 268,910,088,192 bytes free
.
- - End Of File - - 8149A07903196B5D6D13F223623C12AF

Back to top

#19 Broni Re: [RESOLVED] XP Recovery Virus (Trojan)

Malware Annihilator

24,880 posts
Joined: October 04, 2004
1,860 topics
Age: 57
Skin: IPBoard wide
Local time: 02:25 PM

Zodiac:Virgo
Gender:Male
Location:Daly City, CA
OS:Windows Vista
Country:

Offline

Time Online: 57d 9h 13m 9s

Posted 09 June 2011 - 01:11 AM

Looks good :)

See, if TDSSKiller will run now.
Also, post fresh RKUnhooker log.

Back to top

#20 yu677gh Re: [RESOLVED] XP Recovery Virus (Trojan)

Member

58 posts
Joined: June 08, 2011
2 topics
Skin: IP.Board
Local time: 05:25 PM

Zodiac:Aquarius
OS:Windows XP
Country:

Offline

Time Online: 4h 40m 19s

Posted 09 June 2011 - 01:12 AM

2011/06/08 21:11:48.0953 1396 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/08 21:11:49.0250 1396 ================================================================================
2011/06/08 21:11:49.0250 1396 SystemInfo:
2011/06/08 21:11:49.0250 1396
2011/06/08 21:11:49.0250 1396 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/08 21:11:49.0250 1396 Product type: Workstation
2011/06/08 21:11:49.0250 1396 ComputerName: ERIC_OPTIPLEX
2011/06/08 21:11:49.0250 1396 UserName: Eric
2011/06/08 21:11:49.0250 1396 Windows directory: C:\WINDOWS
2011/06/08 21:11:49.0250 1396 System windows directory: C:\WINDOWS
2011/06/08 21:11:49.0250 1396 Processor architecture: Intel x86
2011/06/08 21:11:49.0250 1396 Number of processors: 2
2011/06/08 21:11:49.0250 1396 Page size: 0x1000
2011/06/08 21:11:49.0250 1396 Boot type: Normal boot
2011/06/08 21:11:49.0250 1396 ================================================================================
2011/06/08 21:11:50.0093 1396 Initialize success
2011/06/08 21:11:55.0734 3052 ================================================================================
2011/06/08 21:11:55.0734 3052 Scan started
2011/06/08 21:11:55.0734 3052 Mode: Manual;
2011/06/08 21:11:55.0734 3052 ================================================================================
2011/06/08 21:11:56.0265 3052 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/06/08 21:11:56.0296 3052 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/08 21:11:56.0296 3052 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/06/08 21:11:56.0312 3052 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/06/08 21:11:56.0343 3052 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/08 21:11:56.0390 3052 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/06/08 21:11:56.0406 3052 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/06/08 21:11:56.0406 3052 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/06/08 21:11:56.0421 3052 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/06/08 21:11:56.0437 3052 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/06/08 21:11:56.0437 3052 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/06/08 21:11:56.0453 3052 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/06/08 21:11:56.0468 3052 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/06/08 21:11:56.0484 3052 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/06/08 21:11:56.0484 3052 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/06/08 21:11:56.0500 3052 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/06/08 21:11:56.0500 3052 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/06/08 21:11:56.0515 3052 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/06/08 21:11:56.0546 3052 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/08 21:11:56.0562 3052 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/08 21:11:56.0578 3052 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/08 21:11:56.0609 3052 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/08 21:11:56.0625 3052 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/08 21:11:56.0640 3052 Blfp (3edae8e7b40257da798c6952edb26eb0) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2011/06/08 21:11:56.0671 3052 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/06/08 21:11:56.0671 3052 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/08 21:11:56.0703 3052 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/06/08 21:11:56.0703 3052 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/06/08 21:11:56.0718 3052 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/08 21:11:56.0718 3052 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/08 21:11:56.0750 3052 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/08 21:11:56.0781 3052 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/06/08 21:11:56.0781 3052 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/06/08 21:11:56.0796 3052 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/06/08 21:11:56.0812 3052 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/06/08 21:11:56.0828 3052 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/08 21:11:56.0843 3052 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/08 21:11:56.0859 3052 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/08 21:11:56.0859 3052 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/08 21:11:56.0875 3052 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/08 21:11:56.0890 3052 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/06/08 21:11:56.0906 3052 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/08 21:11:56.0937 3052 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/08 21:11:56.0953 3052 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/06/08 21:11:56.0968 3052 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/08 21:11:56.0984 3052 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/06/08 21:11:56.0984 3052 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/06/08 21:11:57.0000 3052 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/08 21:11:57.0015 3052 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/08 21:11:57.0031 3052 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/06/08 21:11:57.0046 3052 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/08 21:11:57.0078 3052 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/06/08 21:11:57.0093 3052 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/08 21:11:57.0125 3052 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/06/08 21:11:57.0140 3052 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/08 21:11:57.0156 3052 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/06/08 21:11:57.0171 3052 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/06/08 21:11:57.0281 3052 ialm (a01bb8da8d73bca83702a4cf1cd56dce) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/06/08 21:11:57.0312 3052 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/08 21:11:57.0328 3052 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/06/08 21:11:57.0437 3052 IntcAzAudAddService (9126d796a5101765650cc39d99c5ace7) C:\WINDOWS\system32\drivers\RtDHDAud.sys
2011/06/08 21:11:57.0484 3052 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/08 21:11:57.0500 3052 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/08 21:11:57.0515 3052 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/06/08 21:11:57.0515 3052 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/08 21:11:57.0531 3052 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/08 21:11:57.0546 3052 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/08 21:11:57.0562 3052 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/08 21:11:57.0578 3052 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/08 21:11:57.0593 3052 k57w2k (997190701bd80dd0f4412ed202cc7816) C:\WINDOWS\system32\DRIVERS\k57xp32.sys
2011/06/08 21:11:57.0625 3052 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/08 21:11:57.0625 3052 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/08 21:11:57.0656 3052 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/08 21:11:57.0671 3052 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/08 21:11:57.0687 3052 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/08 21:11:57.0703 3052 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/08 21:11:57.0703 3052 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/08 21:11:57.0718 3052 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/08 21:11:57.0718 3052 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/08 21:11:57.0750 3052 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/06/08 21:11:57.0750 3052 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/08 21:11:57.0796 3052 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/08 21:11:57.0812 3052 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/08 21:11:57.0828 3052 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/08 21:11:57.0843 3052 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/08 21:11:57.0843 3052 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/08 21:11:57.0859 3052 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/08 21:11:57.0875 3052 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/06/08 21:11:57.0890 3052 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/08 21:11:57.0906 3052 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/06/08 21:11:57.0906 3052 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/08 21:11:57.0937 3052 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/06/08 21:11:57.0968 3052 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/08 21:11:57.0984 3052 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/08 21:11:57.0984 3052 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/08 21:11:58.0031 3052 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/08 21:11:58.0031 3052 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/08 21:11:58.0062 3052 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/08 21:11:58.0078 3052 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/08 21:11:58.0125 3052 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/08 21:11:58.0140 3052 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/08 21:11:58.0312 3052 nv (551f664b90d83e6822ddca0509b29bc5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/06/08 21:11:58.0453 3052 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/08 21:11:58.0468 3052 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/08 21:11:58.0484 3052 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/08 21:11:58.0500 3052 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/08 21:11:58.0515 3052 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/08 21:11:58.0531 3052 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
2011/06/08 21:11:58.0546 3052 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/08 21:11:58.0562 3052 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/08 21:11:58.0578 3052 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/08 21:11:58.0609 3052 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/06/08 21:11:58.0625 3052 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/06/08 21:11:58.0656 3052 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/08 21:11:58.0656 3052 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/08 21:11:58.0671 3052 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/08 21:11:58.0687 3052 PxHelp20 (03e0fe281823ba64b3782f5b38950e73) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/08 21:11:58.0703 3052 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/06/08 21:11:58.0703 3052 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/06/08 21:11:58.0718 3052 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/06/08 21:11:58.0734 3052 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/06/08 21:11:58.0734 3052 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/06/08 21:11:58.0765 3052 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/08 21:11:58.0765 3052 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/08 21:11:58.0781 3052 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/08 21:11:58.0796 3052 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/08 21:11:58.0812 3052 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/08 21:11:58.0812 3052 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/08 21:11:58.0828 3052 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/08 21:11:58.0859 3052 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/08 21:11:58.0859 3052 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/08 21:11:58.0968 3052 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/06/08 21:11:58.0968 3052 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/06/08 21:11:58.0984 3052 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/08 21:11:59.0000 3052 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/08 21:11:59.0000 3052 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/08 21:11:59.0031 3052 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/08 21:11:59.0046 3052 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/06/08 21:11:59.0078 3052 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/06/08 21:11:59.0093 3052 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/06/08 21:11:59.0125 3052 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/08 21:11:59.0140 3052 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/08 21:11:59.0171 3052 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/08 21:11:59.0187 3052 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/06/08 21:11:59.0203 3052 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/08 21:11:59.0203 3052 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/08 21:11:59.0218 3052 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/06/08 21:11:59.0234 3052 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/06/08 21:11:59.0234 3052 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/06/08 21:11:59.0250 3052 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/06/08 21:11:59.0281 3052 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/08 21:11:59.0296 3052 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/08 21:11:59.0312 3052 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/08 21:11:59.0328 3052 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/08 21:11:59.0328 3052 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/08 21:11:59.0343 3052 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/06/08 21:11:59.0359 3052 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/08 21:11:59.0375 3052 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/06/08 21:11:59.0390 3052 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/08 21:11:59.0437 3052 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/08 21:11:59.0468 3052 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/06/08 21:11:59.0484 3052 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/08 21:11:59.0515 3052 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/08 21:11:59.0546 3052 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/08 21:11:59.0562 3052 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/08 21:11:59.0578 3052 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/08 21:11:59.0593 3052 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/08 21:11:59.0609 3052 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/06/08 21:11:59.0625 3052 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/06/08 21:11:59.0656 3052 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/08 21:11:59.0703 3052 VX3000 (42870675b4d84acd81a9da69b83f14c5) C:\WINDOWS\system32\DRIVERS\VX3000.sys
2011/06/08 21:11:59.0718 3052 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/08 21:11:59.0765 3052 WavxDMgr (e1369c7a53c76eb681afd0eba348b45a) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
2011/06/08 21:11:59.0796 3052 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/08 21:11:59.0828 3052 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/06/08 21:11:59.0859 3052 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/06/08 21:11:59.0875 3052 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
2011/06/08 21:11:59.0890 3052 ================================================================================
2011/06/08 21:11:59.0890 3052 Scan finished
2011/06/08 21:11:59.0890 3052 ================================================================================
2011/06/08 21:11:59.0890 1880 Detected object count: 0
2011/06/08 21:11:59.0890 1880 Actual detected object count: 0