
trojan agents that won't go away



ComboFix 12-05-18.03 - Administrator 05/18/2012 16:16:44.4.2 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

FILE ::

"c:\windows\system32\02000000c27ec2a91406C.manifest"

"c:\windows\system32\02000000c27ec2a91406O.manifest"

"c:\windows\system32\02000000c27ec2a91406P.manifest"

"c:\windows\system32\02000000c27ec2a91406S.manifest"

"c:\windows\system32\atipdlxx32.dll"

c:\windows\system32\vbscript.dll is missing

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\02000000c27ec2a91406C.manifest

c:\windows\system32\02000000c27ec2a91406O.manifest

c:\windows\system32\02000000c27ec2a91406P.manifest

c:\windows\system32\02000000c27ec2a91406S.manifest

c:\windows\system32\atipdlxx32.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-04-18 to 2012-05-18 )))))))))))))))))))))))))))))))

.

.

2012-05-18 22:47 . 2011-08-16 22:08 1208832 ----a-w- c:\windows\system32\odpdx3232.exe

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\wbem\snmp

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\xircom

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\oobe

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\srchasst

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\msagent

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\program files\microsoft frontpage

2012-05-14 23:57 . 2012-05-14 23:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-14 23:17 . 2012-05-14 23:22 -------- d-----w- c:\windows\SxsCaPendDel

2012-05-14 23:14 . 2012-05-14 23:14 -------- d-----w- c:\windows\system32\syncdb

2012-04-29 23:41 . 2012-04-29 23:41 -------- d-----w- c:\program files\Common Files\Java

2012-04-29 23:40 . 2012-04-29 23:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-29 23:40 . 2012-04-29 23:40 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-29 23:40 . 2010-08-02 04:07 472864 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-04 22:56 . 2010-02-08 23:45 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys

2012-03-26 21:24 . 2012-03-30 21:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-03-03 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2012-05-16_22.38.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-05-18 23:21 . 2012-05-18 23:21 16384 c:\windows\Temp\Perflib_Perfdata_730.dat

+ 2001-08-23 13:00 . 2012-05-18 23:12 58170 c:\windows\system32\perfc009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 58170 c:\windows\system32\perfc009.dat

+ 2001-08-23 13:00 . 2012-05-18 23:12 392690 c:\windows\system32\perfh009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 392690 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2012-03-26 25704]

S0 mv614x;mv614x;c:\windows\system32\DRIVERS\mv614x.sys [2006-01-06 34432]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-30 691696]

S2 iPod Service32;iPod Service ;c:\windows\system32\atipdlxx32.exe [2011-08-16 1208832]

S3 LynxWDM;LynxWDM;c:\windows\system32\DRIVERS\LynxWDM.sys [2008-06-27 196744]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2007-10-24 23288]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-18 16:21

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'explorer.exe'(3968)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\odpdx3232.exe

c:\windows\system32\wdfmgr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-05-18 16:23:24 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-18 23:23

ComboFix2.txt 2012-05-18 22:34

ComboFix3.txt 2012-05-16 22:40

.

Pre-Run: 34,929,643,520 bytes free

Post-Run: 34,985,824,256 bytes free

.

- - End Of File - - F082CB6E869ED7D6170F1D4124FAE054



Scanning registry...

HKEY_USERS\S-1-5-19_Classes\

HKEY_LOCAL_MACHINE\Software\Classes\OWS.PptUI\

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}\

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00000564-0000-0010-8000-00AA006D2EA4}\

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3EBEAA5B-5166-4FEC-8625-56F0786463D4}\

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{B66A7A1B-8FC6-448C-A2EB-3C55957478A1}\

HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\policies\shell\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\efs\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null\Enum\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Scan completed.

Scan time: 02:34:52

Rootkits: 4740 scanned, 0 found

Processes: 37 scanned, 1 found

Modules: 1810 scanned, 0 found

Folders: 16226 scanned, 0 found

Files: 209126 scanned, 37 found

Registry: 23719 scanned, 0 found

Total: 255658 scanned, 38 found

38 threat traces were detected.

Starting clean.

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\alexincorporate.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\atomsk4.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\chewyandgummy.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\clutch1616.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\gweed11.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\ihypergg.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\jin149.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\kikkoboyie.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\lemonsong1.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\llinhh.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\meaculpa893.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\ngayth0.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\qtcooki.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\remedybix.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\stopscurvynow.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\AIMLogger\alexincorporate\IM Logs\wizardjon1.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\blackdaveonsummer.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\chewandgummy.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\chewy2.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\chewy3.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\chewy4.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\diamondyang.com\index.html, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\katesoo.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\qtcookisummer2.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\remedy.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

[CLEANING] Item: D:\My Documents\My Assignments\remedy2.htm, ID: 4111072, Name: Trojan-Clicker.HTML.IFrame (v)

Quarantine {9E4B3814-AFD7-4615-BD04-4DB3A442A09D} completed.

[CLEANING] Item: C:\Documents and Settings\Administrator\Application Data\E67E.0B8, ID: 4742528, Name: Backdoor.Win32.Cycbot.cfg (v)

Quarantine {C3F9AAAC-AF73-4210-AB17-8CB996222DB6} completed.

Quarantine {D7518AC2-8914-49A8-86AB-3471CAC9F367} completed.

[CLEANING] Item: C:\Qoobox\Quarantine\C\WINDOWS\system32\atipdlxx32.dll.vir, ID: 4150696, Name: Trojan.Win32.Generic!BT

Quarantine {12043099-F6BB-4F83-8024-99F1B3E8F944} completed.

Quarantine {2CBA0543-4AF5-4483-9045-8A69A6E9AAF2} completed.

[CLEANING] Item: C:\temp\atudiodevil\keygen.exe, ID: 4150696, Name: Trojan.Win32.Generic!BT

Quarantine {DFCA85B2-185D-453C-83FF-8D45D44C98EB} completed.

Quarantine {0BD4A3EA-157D-4343-9D61-08C6F48979FC} completed.

[CLEANING] Item: D:\My Documents\Downloads\Antares Autotune\Auto-Tune_evo_VST_PC_v6.09.exe, ID: 4150696, Name: Trojan.Win32.Generic!BT

Quarantine {F92BB632-CF2E-408D-AD61-80A977CC4AA8} completed.

Clean completed.

Clean time: 00:01:06

8 threats were cleaned.


Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.21.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: ALEXXX-12E93458 [administrator]

5/21/2012 12:41:21

mbam-log-2012-05-21 (12-41-21).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202985

Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Scan for rootkits with GMER Rootkit Scanner

Download GMER Rootkit Scanner from HERE to your desktop.

Double click the .exe file (it will be named some random characters). If asked to allow gmer.sys driver to load, please consent.

If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.


In the right panel, you will see several boxes that have been checked. Uncheck the following ...

Sections

IAT/EAT

Drives/Partition other than Systemdrive (typically C:\)

Show All (don't miss this one)

Then click the Scan button & wait for it to finish.

Once done click on the [save..] button, and in the File name area, type in Gmer.txt or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

NOTE:

If you cannot run GMER as indicated above, please save a scan from the initial startup scan.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click the gmer.exe file.

The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

After the "initial scan" is complete, click on the Save button, and save the log file to your desktop, and post it in your reply.

MrC




GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-05-21 14:26:09

Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-17 WDC_WD740GD-00FLC0 rev.33.08F33

Running: ie9w8jqn.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awlyiaoc.sys

---- System - GMER 1.0.15 ----

SSDT spjk.sys ZwCreateKey [0xF74E40E0]

SSDT spjk.sys ZwEnumerateKey [0xF74FCDA4]

SSDT spjk.sys ZwEnumerateValueKey [0xF74FD132]

SSDT spjk.sys ZwOpenKey [0xF74E40C0]

SSDT spjk.sys ZwQueryKey [0xF74FD20A]

SSDT spjk.sys ZwQueryValueKey [0xF74FD08A]

SSDT spjk.sys ZwSetValueKey [0xF74FD29C]

INT 0x62 ? 89BA0BF8

INT 0x63 ? 89BA3BF8

INT 0x73 ? 89A39BF8

INT 0x82 ? 89BA0BF8

INT 0x84 ? 89A39BF8

INT 0x94 ? 89A39BF8

INT 0xA4 ? 89BA0BF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89C101F8

Device \FileSystem\Fastfat \FatCdrom 891A01F8

Device \Driver\PCI_PNP4710 \Device\00000040 spjk.sys

Device \Driver\PCI_PNP4710 \Device\00000040 spjk.sys

Device \Driver\usbuhci \Device\USBPDO-0 89A401F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 89C121F8

Device \Driver\dmio \Device\DmControl\DmConfig 89C121F8

Device \Driver\dmio \Device\DmControl\DmPnP 89C121F8

Device \Driver\dmio \Device\DmControl\DmInfo 89C121F8

Device \Driver\usbuhci \Device\USBPDO-1 89A401F8

Device \Driver\usbuhci \Device\USBPDO-2 89A401F8

Device \Driver\usbuhci \Device\USBPDO-3 89A401F8

Device \Driver\usbehci \Device\USBPDO-4 89A3C1F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 89BA11F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 89BA11F8

Device \Driver\Cdrom \Device\CdRom0 899B91F8

Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-22 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\NetBT \Device\NetBT_Tcpip_{FE9C3D2F-3043-4C23-A592-1D6D3FE86BA3} 894201F8

Device \Driver\Cdrom \Device\CdRom1 899B91F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 894201F8

Device \Driver\NetBT \Device\NetbiosSmb 894201F8

Device \Driver\sptd \Device\3878850960 spjk.sys

Device \Driver\usbuhci \Device\USBFDO-0 89A401F8

Device \Driver\usbuhci \Device\USBFDO-1 89A401F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 894241F8

Device \Driver\usbuhci \Device\USBFDO-2 89A401F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 894241F8

Device \Driver\usbuhci \Device\USBFDO-3 89A401F8

Device \Driver\usbehci \Device\USBFDO-4 89A3C1F8

Device \Driver\Ftdisk \Device\FtControl 89BA11F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{6DF6B719-B140-40B1-BA68-29991289C2F8} 894201F8

Device \Driver\avi2gbxl \Device\Scsi\avi2gbxl1 899B51F8

Device \Driver\mv614x \Device\Scsi\mv614x1 89C111F8

Device \Driver\avi2gbxl \Device\Scsi\avi2gbxl1Port5Path0Target0Lun0 899B51F8

Device \FileSystem\Fastfat \Fat 891A01F8

Device \FileSystem\Cdfs \Cdfs 893B91F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3E 0x80 0x69 0x9A ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x30 0xA6 0x39 0x34 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC5 0x79 0x27 0x7A ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA1 0xA3 0x77 0x6C ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3E 0x80 0x69 0x9A ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x30 0xA6 0x39 0x34 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC5 0x79 0x27 0x7A ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA1 0xA3 0x77 0x6C ...

---- EOF - GMER 1.0.15 ----

Gmer.txt


Looking back I forgot to delete this file:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\system32\odpdx3232.exe

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Combofix.txt:

---------------

ComboFix 12-05-22.02 - Administrator 05/22/2012 17:02:09.5.2 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

FILE ::

"c:\windows\system32\02000000c27ec2a91406C.manifest"

"c:\windows\system32\02000000c27ec2a91406O.manifest"

"c:\windows\system32\02000000c27ec2a91406P.manifest"

"c:\windows\system32\02000000c27ec2a91406S.manifest"

"c:\windows\system32\odpdx3232.exe"

c:\windows\system32\vbscript.dll is missing

.

.

((((((((((((((((((((((((( Files Created from 2012-04-23 to 2012-05-23 )))))))))))))))))))))))))))))))

.

.

2012-05-18 23:54 . 2010-11-09 21:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-05-18 23:54 . 2010-11-09 21:56 27984 ----a-w- c:\windows\system32\sbbd.exe

2012-05-18 23:53 . 2012-05-19 02:29 -------- d-----w- C:\VIPRERESCUE

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\wbem\snmp

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\xircom

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\oobe

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\srchasst

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\msagent

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\program files\microsoft frontpage

2012-05-14 23:57 . 2012-05-14 23:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-14 23:17 . 2012-05-14 23:22 -------- d-----w- c:\windows\SxsCaPendDel

2012-05-14 23:14 . 2012-05-14 23:14 -------- d-----w- c:\windows\system32\syncdb

2012-04-29 23:41 . 2012-04-29 23:41 -------- d-----w- c:\program files\Common Files\Java

2012-04-29 23:40 . 2012-04-29 23:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-29 23:40 . 2012-04-29 23:40 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-29 23:40 . 2010-08-02 04:07 472864 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-04 22:56 . 2010-02-08 23:45 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys

2012-03-26 21:24 . 2012-03-30 21:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-03-03 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2012-05-16_22.38.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-05-18 23:21 . 2012-05-18 23:21 16384 c:\windows\Temp\Perflib_Perfdata_730.dat

+ 2001-08-23 13:00 . 2012-05-18 23:25 58170 c:\windows\system32\perfc009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 58170 c:\windows\system32\perfc009.dat

+ 2001-08-23 13:00 . 2012-05-18 23:25 392690 c:\windows\system32\perfh009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 392690 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - AWLYIAOC

*NewlyCreated* - SBRE

*Deregistered* - awlyiaoc

*Deregistered* - SBRE

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-22 17:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'explorer.exe'(3296)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

Completion time: 2012-05-22 17:07:00

ComboFix-quarantined-files.txt 2012-05-23 00:06

ComboFix2.txt 2012-05-18 23:23

ComboFix3.txt 2012-05-18 22:34

ComboFix4.txt 2012-05-16 22:40

.

Pre-Run: 34,490,691,584 bytes free

Post-Run: 34,481,127,424 bytes free

.

- - End Of File - - 26131B4A2DF119DD3C02389A91D5D9D9

MBAM.txt:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.22.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: ALEXXX-12E93458 [administrator]

5/22/2012 17:08:31

mbam-log-2012-05-22 (17-08-31).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 203105

Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Please upload this file to VirusTotal for a free scan, let me know the results (just copy back the url)

c:\windows\system32\drivers\tcpip.sys

http://www.virustotal.com/

--------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    tcpip.sys
    vbscript.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


SystemLook 30.07.11 by jpshortstuff

Log created at 09:29 on 23/05/2012 by Administrator

Administrator - Elevation successful

========== Filefind ==========

Searching for "tcpip.sys"

C:\WINDOWS\system32\drivers\tcpip.sys --a--c- 361600 bytes [00:36 03/03/2009] [00:36 03/03/2009] A29E1209F925A0E9B330E11DA5FC7BAB

Searching for "vbscript.dll"

No files found.

-= EOF =-


You're looking in the system32 folder...it's not there

It's in the C:\WINDOWS\system32\drivers <---folder

Another way to find it would be to go to Start > Search > Files/Folders > All Files and Folders > enter this > tcpip.sys > now search.

MrC


This topic is now closed to further replies.