Malwarebytes and Hijack this log files. Any ideas?
Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 3
9/03/2009 9:06:25 PM
mbam-log-2009-03-09 (21-06-25).txt
Scan type: Quick Scan
Objects scanned: 88426
Time elapsed: 5 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:10 PM, on 9/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Windows\system32\ltmsg.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Windows\System32\svchost.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\726799cc-78e6-4600-9646-2bdca9c9d681.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
--
End of file - 6243 bytes
Full Version: C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent)
STEP 01
STEP 02
RootRepeal - Rootkit Detector
STEP 03
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
STEP 02
RootRepeal - Rootkit Detector
- Please download the following tool: RootRepeal - Rootkit Detector
- Direct download link is here: RootRepeal.rar
- If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
- Extract the program file to a new folder such as C:\RootRepeal
- Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
- Select ALL of the checkboxes and then click OK and it will start scanning your system.
- If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
- When done, click on Save Report
- Save it to the same location where you ran it from, such as C:\RootRepeal
- Save it as your_name_rootrepeal.txt - where your_name is your forum name
- This makes it more easy to track who the log belongs to.
- Then open that log and select all and copy/paste it back on your next reply please.
- Quit the RootRepeal program.
STEP 03
- Please create a BOOTLOG
- Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
- Select "Enable Boot Logging" option and press enter.
- Windows prompts you to select a Windows Installation (even if there is only one windows installation)
- This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
If you're already running inside Windows you can enable it the following way.
- Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
- Click on OK and you will be prompted to RESTART Windows. Please do restart now.
- After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
- From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
- Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
- The tab is called BOOT on Vista. Then choose Boot log
Combofix.txt
ComboFix 09-03-14.01 - Administrator 2009-03-15 23:51:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxftwwilolkikmovbuyabdbeiuidotglls.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
c:\windows\system32\gaopdxtliqoedibphxvxqnvvpdqwmnmpctbron.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.
2009-03-13 20:17 . 2009-03-13 20:17 <DIR> d-------- c:\program files\Common Files\AnswerWorks 4.0
2009-03-13 20:16 . 2009-03-13 20:16 <DIR> d-------- c:\program files\Leica Geosystems
2009-03-13 20:11 . 2009-03-13 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESRI
2009-03-10 20:53 . 2009-03-10 20:53 <DIR> d-------- c:\windows\system32\QuickTime
2009-03-10 20:52 . 2009-03-10 20:53 <DIR> d-------- c:\program files\QuickTime
2009-03-10 20:51 . 2009-03-10 20:51 <DIR> d-------- c:\program files\Red Orb
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\program files\Avira
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-09 20:34 . 2009-03-09 20:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-08 23:34 . 2009-03-08 23:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\dllcache\simptcp.dll
2009-03-08 19:35 . 2009-03-08 19:35 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\system32\en
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\l2schemas
2009-03-08 16:49 . 2009-03-08 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:47 . 2009-03-08 16:49 <DIR> d-------- c:\program files\Anti
2009-03-08 16:41 . 2009-03-15 23:26 <DIR> d-------- c:\program files\Malwarebytes
2009-03-08 16:41 . 2009-03-08 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 14:50 . 2009-03-08 19:15 <DIR> d-------- c:\program files\Panda Security
2009-03-08 14:09 . 2009-03-08 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 11:25 . 2009-03-08 19:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 09:31 . 2009-03-08 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 09:28 . 2009-03-08 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 09:18 . 2009-03-08 19:16 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2009-03-07 21:25 . 2009-03-15 23:50 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-07 20:39 . 2009-03-07 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\SafeNet Sentinel
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\Common Files\SafeNet Sentinel
2009-03-07 20:24 . 2008-12-21 10:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-03-07 20:24 . 2007-04-17 20:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-07 20:24 . 2007-03-08 16:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-07 20:24 . 2008-12-21 10:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-07 20:24 . 2008-12-21 10:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 20:24 . 2008-12-21 10:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-03-07 20:24 . 2008-12-21 10:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-03-07 20:24 . 2008-12-21 10:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-07 20:24 . 2008-12-19 20:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-07 17:12 . 2009-03-07 17:12 <DIR> d-------- c:\program files\ESRI
2009-03-07 17:12 . 2007-04-18 08:51 2,113,536 --a------ c:\windows\system32\python25.dll
2009-03-07 17:11 . 2009-03-13 21:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ESRI
2009-03-07 16:57 . 2009-03-13 20:15 <DIR> d-------- c:\program files\Common Files\ESRI
2009-03-07 16:54 . 2009-03-07 17:12 <DIR> d-------- C:\Python25
2009-03-07 16:54 . 2009-03-13 20:54 <DIR> d-------- c:\program files\ArcGIS
2009-03-07 15:06 . 2009-03-07 21:00 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-03-07 03:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 03:46 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-07 03:46 --------- d-----w c:\program files\EPSON
2009-03-07 03:42 --------- d-----w c:\program files\KODAK
2009-03-07 03:38 --------- d-----w c:\program files\Creative Designer
2009-03-01 09:06 --------- d-----w c:\program files\Google
2009-02-08 08:06 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-08 07:13 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-01-16 10:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\726799cc-78e6-4600-9646-2bdca9c9d681.exe" [2009-02-17 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EabServr.exe" [2002-03-07 171665]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LTWinModem1"="ltmsg.exe" [2002-02-28 c:\windows\system32\ltmsg.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 c:\windows\system32\atiptaxx.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Premier8\\Myobp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anti\\anti.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [7/23/2008 1:27:11 PM 24192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43:28 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43:28 AM 55024]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [3/7/2009 9:55:57 PM 1431440]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [4/19/2007 3:07:41 PM 20352]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys [?]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [4/20/2007 9:45:28 AM 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [4/20/2007 9:45:37 AM 90368]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\Common Files\HHD Software\Device Monitor\NDMSHLP.sys [5/25/2005 12:23:52 AM 7632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43:30 AM 7408]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\HHD Software\Free Serial Port Monitor\sermon.sys [5/25/2005 12:26:16 AM 18432]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BigPondWirelessBroadbandCM - c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\icgjck5a.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 23:55:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-15 23:57:53
ComboFix-quarantined-files.txt 2009-03-15 12:57:49
Pre-Run: 47,928,369,152 bytes free
Post-Run: 48,017,612,800 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
180 --- E O F --- 2009-03-08 08:45:47
HijackTHis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:48 AM, on 16/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\svchost.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\726799cc-78e6-4600-9646-2bdca9c9d681.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
--
End of file - 5579 bytes
RootRepeal
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/15 23:59
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF88B6000 Size: 30592 File Visible: No
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF8606000 Size: 60416 File Visible: No
Status: -
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0xEFD37000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\Windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AF8000 Size: 8192 File Visible: No
Status: -
Name: PROCEXP90.SYS
Image Path: C:\Windows\system32\Drivers\PROCEXP90.SYS
Address: 0xF8B62000 Size: 6464 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xBAB8B000 Size: 45056 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\Prefetch\SETUP50.EXE-362FF7C9.pf
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8ce429c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8ce4288
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8ce428d
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8ce4297
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf8ce4292
ComboFix 09-03-14.01 - Administrator 2009-03-15 23:51:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxftwwilolkikmovbuyabdbeiuidotglls.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
c:\windows\system32\gaopdxtliqoedibphxvxqnvvpdqwmnmpctbron.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.
2009-03-13 20:17 . 2009-03-13 20:17 <DIR> d-------- c:\program files\Common Files\AnswerWorks 4.0
2009-03-13 20:16 . 2009-03-13 20:16 <DIR> d-------- c:\program files\Leica Geosystems
2009-03-13 20:11 . 2009-03-13 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESRI
2009-03-10 20:53 . 2009-03-10 20:53 <DIR> d-------- c:\windows\system32\QuickTime
2009-03-10 20:52 . 2009-03-10 20:53 <DIR> d-------- c:\program files\QuickTime
2009-03-10 20:51 . 2009-03-10 20:51 <DIR> d-------- c:\program files\Red Orb
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\program files\Avira
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-09 20:34 . 2009-03-09 20:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-08 23:34 . 2009-03-08 23:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\dllcache\simptcp.dll
2009-03-08 19:35 . 2009-03-08 19:35 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\system32\en
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\l2schemas
2009-03-08 16:49 . 2009-03-08 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:47 . 2009-03-08 16:49 <DIR> d-------- c:\program files\Anti
2009-03-08 16:41 . 2009-03-15 23:26 <DIR> d-------- c:\program files\Malwarebytes
2009-03-08 16:41 . 2009-03-08 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 14:50 . 2009-03-08 19:15 <DIR> d-------- c:\program files\Panda Security
2009-03-08 14:09 . 2009-03-08 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 11:25 . 2009-03-08 19:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 09:31 . 2009-03-08 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 09:28 . 2009-03-08 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 09:18 . 2009-03-08 19:16 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2009-03-07 21:25 . 2009-03-15 23:50 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-07 20:39 . 2009-03-07 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\SafeNet Sentinel
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\Common Files\SafeNet Sentinel
2009-03-07 20:24 . 2008-12-21 10:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-03-07 20:24 . 2007-04-17 20:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-07 20:24 . 2007-03-08 16:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-07 20:24 . 2008-12-21 10:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-07 20:24 . 2008-12-21 10:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 20:24 . 2008-12-21 10:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-03-07 20:24 . 2008-12-21 10:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-03-07 20:24 . 2008-12-21 10:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-07 20:24 . 2008-12-19 20:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-07 17:12 . 2009-03-07 17:12 <DIR> d-------- c:\program files\ESRI
2009-03-07 17:12 . 2007-04-18 08:51 2,113,536 --a------ c:\windows\system32\python25.dll
2009-03-07 17:11 . 2009-03-13 21:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ESRI
2009-03-07 16:57 . 2009-03-13 20:15 <DIR> d-------- c:\program files\Common Files\ESRI
2009-03-07 16:54 . 2009-03-07 17:12 <DIR> d-------- C:\Python25
2009-03-07 16:54 . 2009-03-13 20:54 <DIR> d-------- c:\program files\ArcGIS
2009-03-07 15:06 . 2009-03-07 21:00 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-03-07 03:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 03:46 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-07 03:46 --------- d-----w c:\program files\EPSON
2009-03-07 03:42 --------- d-----w c:\program files\KODAK
2009-03-07 03:38 --------- d-----w c:\program files\Creative Designer
2009-03-01 09:06 --------- d-----w c:\program files\Google
2009-02-08 08:06 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-08 07:13 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-01-16 10:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\726799cc-78e6-4600-9646-2bdca9c9d681.exe" [2009-02-17 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EabServr.exe" [2002-03-07 171665]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LTWinModem1"="ltmsg.exe" [2002-02-28 c:\windows\system32\ltmsg.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 c:\windows\system32\atiptaxx.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Premier8\\Myobp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anti\\anti.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [7/23/2008 1:27:11 PM 24192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43:28 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43:28 AM 55024]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [3/7/2009 9:55:57 PM 1431440]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [4/19/2007 3:07:41 PM 20352]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys [?]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [4/20/2007 9:45:28 AM 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [4/20/2007 9:45:37 AM 90368]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\Common Files\HHD Software\Device Monitor\NDMSHLP.sys [5/25/2005 12:23:52 AM 7632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43:30 AM 7408]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\HHD Software\Free Serial Port Monitor\sermon.sys [5/25/2005 12:26:16 AM 18432]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BigPondWirelessBroadbandCM - c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\icgjck5a.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 23:55:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-15 23:57:53
ComboFix-quarantined-files.txt 2009-03-15 12:57:49
Pre-Run: 47,928,369,152 bytes free
Post-Run: 48,017,612,800 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
180 --- E O F --- 2009-03-08 08:45:47
HijackTHis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:48 AM, on 16/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\svchost.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\726799cc-78e6-4600-9646-2bdca9c9d681.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
--
End of file - 5579 bytes
RootRepeal
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/15 23:59
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF88B6000 Size: 30592 File Visible: No
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF8606000 Size: 60416 File Visible: No
Status: -
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0xEFD37000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\Windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AF8000 Size: 8192 File Visible: No
Status: -
Name: PROCEXP90.SYS
Image Path: C:\Windows\system32\Drivers\PROCEXP90.SYS
Address: 0xF8B62000 Size: 6464 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xBAB8B000 Size: 45056 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\Prefetch\SETUP50.EXE-362FF7C9.pf
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8ce429c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8ce4288
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8ce428d
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8ce4297
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf8ce4292
Bootlog
Too big to paste in thread. Attached. Sorry hope this is ok.
Too big to paste in thread. Attached. Sorry hope this is ok.
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 02
Update and Scan with Malwarebytes' Anti-Malware
Then post back the MBAM log and a new Hijackthis log.
STEP 03
Please delete this file: C:\Windows\ntbtlog.txt
Then restart your computer and re-post that log. The file is rebuilt every time the computer starts.
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
Driver::
ATICDSDr
File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
Driver::
ATICDSDr
File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 02
Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
STEP 03
Please delete this file: C:\Windows\ntbtlog.txt
Then restart your computer and re-post that log. The file is rebuilt every time the computer starts.
Combofix Log
ComboFix 09-03-15.01 - Administrator 2009-03-18 7:59:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point
FILE ::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.
2009-03-17 23:22 . 2009-03-17 23:22 <DIR> d-------- c:\program files\Western Digital Technologies
2009-03-17 22:17 . 2009-03-18 07:57 <DIR> d-------- C:\New Folder
2009-03-17 17:49 . 2009-01-10 06:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-03-16 15:34 . 2009-03-18 00:12 <DIR> d-------- c:\documents and settings\All Users\ShortcutBar
2009-03-16 12:52 . 2009-03-16 12:52 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-16 12:17 . 2009-03-16 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-16 12:16 . 2009-03-16 12:16 <DIR> d-------- c:\program files\NOS
2009-03-16 11:04 . 2009-03-16 11:04 <DIR> d-------- c:\program files\ATI Technologies
2009-03-16 11:03 . 2009-03-16 11:03 <DIR> d-------- C:\swsetup
2009-03-16 10:37 . 2009-03-16 10:37 <DIR> d-------- C:\ATI
2009-03-16 10:35 . 2009-03-16 10:35 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-16 10:35 . 2009-03-16 10:35 <DIR> d-------- c:\program files\MSBuild
2009-03-16 10:34 . 2009-03-16 10:34 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-16 10:34 . 2009-03-16 10:34 <DIR> d-------- C:\5928a8ecd7ae082322c4
2009-03-16 10:34 . 2008-07-06 23:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-16 10:34 . 2008-07-06 23:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-16 10:34 . 2008-07-06 21:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-16 10:34 . 2008-07-06 23:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-16 10:34 . 2008-07-06 23:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-16 10:34 . 2008-07-06 23:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-16 10:34 . 2008-07-06 23:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-16 10:17 . 2009-03-16 10:18 <DIR> d-------- C:\ce0c6b92b18ab0d136022f0fe8e939
2009-03-16 10:17 . 2009-03-16 10:21 <DIR> d-------- C:\89c2510aac5b00fc8c88
2009-03-16 10:09 . 2009-03-16 10:09 29,696 --a------ c:\windows\system32\ATMenuxx.FTG
2009-03-16 10:09 . 2009-03-16 10:16 23,151 --ah----- c:\windows\system32\ATMenuxx.GID
2009-03-16 09:16 . 2008-04-14 11:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-16 09:16 . 2008-04-14 11:11 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-03-15 23:58 . 2009-03-16 00:03 <DIR> d-------- C:\RootRepeal
2009-03-13 20:17 . 2009-03-13 20:17 <DIR> d-------- c:\program files\Common Files\AnswerWorks 4.0
2009-03-13 20:16 . 2009-03-13 20:16 <DIR> d-------- c:\program files\Leica Geosystems
2009-03-13 20:11 . 2009-03-13 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESRI
2009-03-10 20:53 . 2009-03-10 20:53 <DIR> d-------- c:\windows\system32\QuickTime
2009-03-10 20:52 . 2009-03-10 20:53 <DIR> d-------- c:\program files\QuickTime
2009-03-10 20:51 . 2009-03-10 20:51 <DIR> d-------- c:\program files\Red Orb
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\program files\Avira
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-09 20:34 . 2009-03-09 20:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 23:35 . 2009-03-16 07:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\dllcache\simptcp.dll
2009-03-08 19:35 . 2009-03-08 19:35 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\system32\en
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\l2schemas
2009-03-08 16:49 . 2009-03-08 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:47 . 2009-03-08 16:49 <DIR> d-------- c:\program files\Anti
2009-03-08 16:41 . 2009-03-16 00:25 <DIR> d-------- c:\program files\Malwarebytes
2009-03-08 16:41 . 2009-03-08 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 14:09 . 2009-03-08 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 11:25 . 2009-03-08 19:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 09:31 . 2009-03-08 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 09:28 . 2009-03-08 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 09:18 . 2009-03-08 19:16 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2009-03-07 21:25 . 2009-03-15 23:50 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-07 20:39 . 2009-03-07 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\SafeNet Sentinel
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\Common Files\SafeNet Sentinel
2009-03-07 20:24 . 2008-12-21 10:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-03-07 20:24 . 2007-04-17 20:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-07 20:24 . 2007-03-08 16:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-07 20:24 . 2008-12-21 10:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-07 20:24 . 2008-12-21 10:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 20:24 . 2008-12-21 10:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-03-07 20:24 . 2008-12-21 10:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-03-07 20:24 . 2008-12-21 10:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-07 20:24 . 2008-12-19 20:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-07 17:12 . 2009-03-07 17:12 <DIR> d-------- c:\program files\ESRI
2009-03-07 17:12 . 2007-04-18 08:51 2,113,536 --a------ c:\windows\system32\python25.dll
2009-03-07 17:11 . 2009-03-16 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ESRI
2009-03-07 16:57 . 2009-03-13 20:15 <DIR> d-------- c:\program files\Common Files\ESRI
2009-03-07 16:54 . 2009-03-07 17:12 <DIR> d-------- C:\Python25
2009-03-07 16:54 . 2009-03-13 20:54 <DIR> d-------- c:\program files\ArcGIS
2009-03-07 15:06 . 2009-03-07 21:00 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 01:51 --------- d-----w c:\program files\Common Files\Adobe
2009-03-16 00:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-03-07 03:46 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-07 03:46 --------- d-----w c:\program files\EPSON
2009-03-07 03:42 --------- d-----w c:\program files\KODAK
2009-03-07 03:38 --------- d-----w c:\program files\Creative Designer
2009-03-01 09:06 --------- d-----w c:\program files\Google
2009-02-08 08:06 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-08 07:13 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
.
((((((((((((((((((((((((((((( SnapShot_2009-03-16_13.10.53.73 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 05:45:06 306,688 ----a-w c:\windows\IsUninst.exe
+ 1998-10-29 04:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-03-15 23:48:58 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-17 01:28:14 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EabServr.exe" [2002-03-07 171665]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"LTWinModem1"="ltmsg.exe" [2002-02-28 c:\windows\system32\ltmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Premier8\\Myobp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anti\\anti.exe"=
"c:\\Program Files\\Malwarebytes\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2008-07-23 24192]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [2009-03-07 1431440]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-04-19 20352]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2007-04-20 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2007-04-20 90368]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-16 33176]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\Common Files\HHD Software\Device Monitor\NDMSHLP.sys [2005-05-25 7632]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\HHD Software\Free Serial Port Monitor\sermon.sys [2005-05-25 18432]
.
Contents of the 'Scheduled Tasks' folder
2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\icgjck5a.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 08:06:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\tcpsvcs.exe
c:\progra~1\ESRI\License\arcgis9x\ARCGIS.EXE
c:\windows\system32\ati2evxx.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-18 8:10:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 21:09:59
ComboFix2.txt 2009-03-16 02:12:24
ComboFix3.txt 2009-03-15 12:57:55
Pre-Run: 19,565,330,432 bytes free
Post-Run: 19,642,413,056 bytes free
203 --- E O F --- 2009-03-17 10:35:05
MBam Log
Malwarebytes' Anti-Malware 1.34
Database version: 1860
Windows 5.1.2600 Service Pack 3
18/03/2009 8:22:32 AM
mbam-log-2009-03-18 (08-22-32).txt
Scan type: Quick Scan
Objects scanned: 86590
Time elapsed: 4 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
NTBootlog
Service Pack 3 3 18 2009 08:30:27.500
Loaded driver \Windows\system32\ntoskrnl.exe
Loaded driver \Windows\system32\hal.dll
Loaded driver \Windows\system32\KDCOM.DLL
Loaded driver \Windows\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \Windows\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \Windows\System32\DRIVERS\BATTC.SYS
Loaded driver intelide.sys
Loaded driver \Windows\System32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver ACPIEC.sys
Loaded driver \Windows\System32\DRIVERS\OPRGHDLR.SYS
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \Windows\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\System32\DRIVERS\ltmdmxp.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\e100b325.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\nscirda.sys
Loaded driver \SystemRoot\System32\DRIVERS\irenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\Drivers\Imapi.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\smwdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasirda.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\swivspnt.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\p3.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Windows\system32\drivers\VSPE.sys
Loaded driver \??\C:\Windows\System32\drivers\EABFiltr.sys
Loaded driver \SystemRoot\System32\Drivers\ClntMgmt.sys
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\irda.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \??\C:\Windows\System32\drivers\Haspnt.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\SENTINEL.SYS
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\Windows\System32\drivers\hardlock.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
ComboFix 09-03-15.01 - Administrator 2009-03-18 7:59:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
* Created a new restore point
FILE ::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys
c:\windows\system32\drivers\gaopdxwviwesscosxacbrxnsvxextkbeetasmr.sys
.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.
2009-03-17 23:22 . 2009-03-17 23:22 <DIR> d-------- c:\program files\Western Digital Technologies
2009-03-17 22:17 . 2009-03-18 07:57 <DIR> d-------- C:\New Folder
2009-03-17 17:49 . 2009-01-10 06:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-03-16 15:34 . 2009-03-18 00:12 <DIR> d-------- c:\documents and settings\All Users\ShortcutBar
2009-03-16 12:52 . 2009-03-16 12:52 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-16 12:17 . 2009-03-16 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-16 12:16 . 2009-03-16 12:16 <DIR> d-------- c:\program files\NOS
2009-03-16 11:04 . 2009-03-16 11:04 <DIR> d-------- c:\program files\ATI Technologies
2009-03-16 11:03 . 2009-03-16 11:03 <DIR> d-------- C:\swsetup
2009-03-16 10:37 . 2009-03-16 10:37 <DIR> d-------- C:\ATI
2009-03-16 10:35 . 2009-03-16 10:35 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-16 10:35 . 2009-03-16 10:35 <DIR> d-------- c:\program files\MSBuild
2009-03-16 10:34 . 2009-03-16 10:34 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-16 10:34 . 2009-03-16 10:34 <DIR> d-------- C:\5928a8ecd7ae082322c4
2009-03-16 10:34 . 2008-07-06 23:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-16 10:34 . 2008-07-06 23:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-16 10:34 . 2008-07-06 21:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-16 10:34 . 2008-07-06 23:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-16 10:34 . 2008-07-06 23:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-16 10:34 . 2008-07-06 23:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-16 10:34 . 2008-07-06 23:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-16 10:17 . 2009-03-16 10:18 <DIR> d-------- C:\ce0c6b92b18ab0d136022f0fe8e939
2009-03-16 10:17 . 2009-03-16 10:21 <DIR> d-------- C:\89c2510aac5b00fc8c88
2009-03-16 10:09 . 2009-03-16 10:09 29,696 --a------ c:\windows\system32\ATMenuxx.FTG
2009-03-16 10:09 . 2009-03-16 10:16 23,151 --ah----- c:\windows\system32\ATMenuxx.GID
2009-03-16 09:16 . 2008-04-14 11:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-16 09:16 . 2008-04-14 11:11 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-03-15 23:58 . 2009-03-16 00:03 <DIR> d-------- C:\RootRepeal
2009-03-13 20:17 . 2009-03-13 20:17 <DIR> d-------- c:\program files\Common Files\AnswerWorks 4.0
2009-03-13 20:16 . 2009-03-13 20:16 <DIR> d-------- c:\program files\Leica Geosystems
2009-03-13 20:11 . 2009-03-13 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESRI
2009-03-10 20:53 . 2009-03-10 20:53 <DIR> d-------- c:\windows\system32\QuickTime
2009-03-10 20:52 . 2009-03-10 20:53 <DIR> d-------- c:\program files\QuickTime
2009-03-10 20:51 . 2009-03-10 20:51 <DIR> d-------- c:\program files\Red Orb
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\program files\Avira
2009-03-09 21:07 . 2009-03-09 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-09 20:34 . 2009-03-09 20:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 23:35 . 2009-03-08 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-08 23:35 . 2009-03-16 07:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-03-08 21:52 . 2001-08-18 07:00 18,944 --a------ c:\windows\system32\dllcache\simptcp.dll
2009-03-08 19:35 . 2009-03-08 19:35 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\system32\en
2009-03-08 19:34 . 2009-03-08 19:34 <DIR> d-------- c:\windows\l2schemas
2009-03-08 16:49 . 2009-03-08 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-08 16:47 . 2009-03-08 16:49 <DIR> d-------- c:\program files\Anti
2009-03-08 16:41 . 2009-03-16 00:25 <DIR> d-------- c:\program files\Malwarebytes
2009-03-08 16:41 . 2009-03-08 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 16:41 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:41 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 14:09 . 2009-03-08 16:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 11:25 . 2009-03-08 19:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 09:31 . 2009-03-08 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-08 09:28 . 2009-03-08 09:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 09:28 . 2009-03-08 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 09:18 . 2009-03-08 19:16 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2009-03-07 21:25 . 2009-03-15 23:50 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-07 20:39 . 2009-03-07 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\SafeNet Sentinel
2009-03-07 20:30 . 2009-03-07 20:30 <DIR> d-------- c:\program files\Common Files\SafeNet Sentinel
2009-03-07 20:24 . 2008-12-21 10:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-03-07 20:24 . 2007-04-17 20:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-07 20:24 . 2007-03-08 16:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-07 20:24 . 2008-12-21 10:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-07 20:24 . 2008-12-21 10:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 20:24 . 2008-12-21 10:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-03-07 20:24 . 2008-12-21 10:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-03-07 20:24 . 2008-12-21 10:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-07 20:24 . 2008-12-19 20:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-07 17:12 . 2009-03-07 17:12 <DIR> d-------- c:\program files\ESRI
2009-03-07 17:12 . 2007-04-18 08:51 2,113,536 --a------ c:\windows\system32\python25.dll
2009-03-07 17:11 . 2009-03-16 16:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ESRI
2009-03-07 16:57 . 2009-03-13 20:15 <DIR> d-------- c:\program files\Common Files\ESRI
2009-03-07 16:54 . 2009-03-07 17:12 <DIR> d-------- C:\Python25
2009-03-07 16:54 . 2009-03-13 20:54 <DIR> d-------- c:\program files\ArcGIS
2009-03-07 15:06 . 2009-03-07 21:00 <DIR> d-------- C:\temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 01:51 --------- d-----w c:\program files\Common Files\Adobe
2009-03-16 00:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-03-07 03:46 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-07 03:46 --------- d-----w c:\program files\EPSON
2009-03-07 03:42 --------- d-----w c:\program files\KODAK
2009-03-07 03:38 --------- d-----w c:\program files\Creative Designer
2009-03-01 09:06 --------- d-----w c:\program files\Google
2009-02-08 08:06 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-08 07:13 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
.
((((((((((((((((((((((((((((( SnapShot_2009-03-16_13.10.53.73 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 05:45:06 306,688 ----a-w c:\windows\IsUninst.exe
+ 1998-10-29 04:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-03-15 23:48:58 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-17 01:28:14 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EabServr.exe" [2002-03-07 171665]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"LTWinModem1"="ltmsg.exe" [2002-02-28 c:\windows\system32\ltmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Premier8\\Myobp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anti\\anti.exe"=
"c:\\Program Files\\Malwarebytes\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2008-07-23 24192]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [2009-03-07 1431440]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-04-19 20352]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2007-04-20 81152]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2007-04-20 90368]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-16 33176]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\Common Files\HHD Software\Device Monitor\NDMSHLP.sys [2005-05-25 7632]
S3 SerMon;Serial Monitor Filter Driver;c:\program files\HHD Software\Free Serial Port Monitor\sermon.sys [2005-05-25 18432]
.
Contents of the 'Scheduled Tasks' folder
2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\icgjck5a.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 08:06:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\tcpsvcs.exe
c:\progra~1\ESRI\License\arcgis9x\ARCGIS.EXE
c:\windows\system32\ati2evxx.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-18 8:10:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 21:09:59
ComboFix2.txt 2009-03-16 02:12:24
ComboFix3.txt 2009-03-15 12:57:55
Pre-Run: 19,565,330,432 bytes free
Post-Run: 19,642,413,056 bytes free
203 --- E O F --- 2009-03-17 10:35:05
MBam Log
Malwarebytes' Anti-Malware 1.34
Database version: 1860
Windows 5.1.2600 Service Pack 3
18/03/2009 8:22:32 AM
mbam-log-2009-03-18 (08-22-32).txt
Scan type: Quick Scan
Objects scanned: 86590
Time elapsed: 4 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
NTBootlog
Service Pack 3 3 18 2009 08:30:27.500
Loaded driver \Windows\system32\ntoskrnl.exe
Loaded driver \Windows\system32\hal.dll
Loaded driver \Windows\system32\KDCOM.DLL
Loaded driver \Windows\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \Windows\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \Windows\System32\DRIVERS\BATTC.SYS
Loaded driver intelide.sys
Loaded driver \Windows\System32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver ACPIEC.sys
Loaded driver \Windows\System32\DRIVERS\OPRGHDLR.SYS
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \Windows\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\System32\DRIVERS\ltmdmxp.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\e100b325.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\nscirda.sys
Loaded driver \SystemRoot\System32\DRIVERS\irenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\Drivers\Imapi.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\smwdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasirda.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\swivspnt.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\p3.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Windows\system32\drivers\VSPE.sys
Loaded driver \??\C:\Windows\System32\drivers\EABFiltr.sys
Loaded driver \SystemRoot\System32\Drivers\ClntMgmt.sys
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\irda.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \??\C:\Windows\System32\drivers\Haspnt.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\SENTINEL.SYS
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\Windows\System32\drivers\hardlock.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
The logs look good.
How is the computer running now?
Are there still any signs of an infection?
How is the computer running now?
Are there still any signs of an infection?
Yeo all seems good once gain! Scans come up clean and autupdate now functioning.
Fantastic! I really appreciate your help.
A great service. I have recommended your software to half a dozen people already.
Thanks again
Phil
Fantastic! I really appreciate your help.
A great service. I have recommended your software to half a dozen people already.
Thanks again
Phil
Great, all looks good now.
I'll close your post soon so that other don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?
I'll close your post soon so that other don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?
At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:
Remove all but the most recent Restore Point on Windows XPYou should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
- Give the new Restore Point a name, then click "Create".
- The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use the Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run and type: Cleanmgr.exe
- Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
- Click the "More Options" tab, then click the "Clean up" button under System Restore.
- Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
- Click Yes, then click Ok.
- Click Yes again when prompted with "Are you sure you want to perform these actions?"
- Disk Cleanup will remove the files and close automatically.
- On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
- These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.
Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore
Here are some free programs I recommend that could help you improve your computer's security.
Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here
Install FireTrust SiteHound
You can find information and download it from here
Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free
A little outdated but good reading on how to prevent Malware
Keep safe online and happy surfing.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions
Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.