raiden1701

Members
  • Content Count: 8

About raiden1701
  • Rank: Newbie
  1. aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
     Run date: 2011-06-15 13:05:12
     -----------------------------
     13:05:12.062 OS Version: Windows 5.1.2600 Service Pack 3
     13:05:12.062 Number of processors: 2 586 0xF0B
     13:05:12.062 ComputerName: LORNE-5C72D303D UserName: LH
     13:05:18.875 Initialize success
     13:05:20.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
     13:05:20.406 Disk 0 Vendor: WDC_WD3200AAKS-75VYA0 12.01B02 Size: 305245MB BusType: 3
     13:05:20.406 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e
     13:05:20.406 Disk 1 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3
     13:05:22.453 Disk 0 MBR read successfully
     13:05:22.453 Disk 0 MBR scan
     13:05:22.453 Disk 0 Windows XP default MBR code
     13:05:24.453 Disk 0 scanning sectors +625121280
     13:05:24.531 Disk 0 scanning C:\WINDOWS\system32\drivers
     13:05:33.718 Service scanning
     13:05:41.453 Disk 0 trace - called modules:
     13:05:41.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
     13:05:41.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac55ab8]
     13:05:41.484 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8ac701c0]
     13:05:41.484 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac6b940]
     13:05:41.484 Scan finished successfully
     13:05:47.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LH\Desktop\MBR.dat"
     13:05:47.765 The log file has been saved successfully to "C:\Documents and Settings\LH\Desktop\aswMBR.txt"
     MBR.zip
  2. Here is the combofix log:
     ComboFix 11-06-15.01 - LH 15/06/2011 11:19:27.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2938 [GMT -7:00]
     Running from: c:\documents and settings\LH\Desktop\ComboFix.exe
     AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\LH\Application Data\inst.exe
     c:\documents and settings\LH\Local Settings\Application Data\wxpfree\CuSTomsearch.dll
     C:\readme.txt
     c:\windows\Downloaded Program Files\popcaploader.dll
     c:\windows\Downloaded Program Files\popcaploader.inf
     c:\windows\system32\Temp
     c:\windows\system32\Temp\DE99B447R3
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     -------\Legacy_SSHNAS
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))
     .
     .
     2011-06-14 06:21 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
     2011-06-14 06:21 . 2011-06-14 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
     2011-06-14 06:21 . 2011-06-14 06:21 -------- d-----w- c:\program files\BurnInTest
     2011-06-14 05:29 . 2011-06-14 05:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-06-14 03:56 . 2011-06-14 03:56 -------- d-----w- c:\program files\WOT
     2011-06-14 03:39 . 2011-06-14 03:39 -------- d-----w- C:\~ErdUserProfile.$$$
     2011-06-13 19:13 . 2011-06-13 19:13 -------- d-----w- c:\documents and settings\LH\Application Data\SUPERAntiSpyware.com
     2011-06-13 19:13 . 2011-06-13 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2011-06-13 19:13 . 2011-06-14 05:32 -------- d-----w- c:\program files\SUPERAntiSpyware
     2011-06-13 19:11 . 2011-06-13 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2011-06-13 19:11 . 2011-06-13 19:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\documents and settings\LH\Application Data\Malwarebytes
     2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2011-06-13 19:10 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-06-13 19:10 . 2011-06-13 19:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2011-06-13 19:10 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
     2011-06-13 19:08 . 2011-06-13 19:08 -------- d-----w- c:\program files\Common Files\Java
     2011-06-13 19:06 . 2011-06-13 19:06 -------- d-----w- c:\program files\CCleaner
     2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\Raxco
     2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\Common Files\Raxco
     2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
     2011-06-13 19:05 . 2011-06-13 19:05 -------- d-----w- c:\program files\VS Revo Group
     2011-06-02 22:35 . 2011-06-02 22:35 -------- d-----w- c:\documents and settings\Dagen\Application Data\Search Settings
     2011-06-02 15:26 . 2011-02-23 23:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
     2011-06-02 15:26 . 2011-02-24 00:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
     2011-06-02 15:25 . 2011-06-02 16:43 -------- d-----w- c:\documents and settings\LH\Application Data\Search Settings
     2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\Application Updater
     2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\IObit Toolbar
     2011-06-02 15:25 . 2011-06-02 15:25 -------- d-----w- c:\program files\Common Files\Spigot
     2011-06-02 02:30 . 2005-01-20 03:48 8192 ----a-w- c:\program files\Mozilla Firefox\plugins\npiPLATO_22.dll
     2011-06-02 02:30 . 2005-01-20 03:48 8192 ----a-w- c:\program files\Internet Explorer\Plugins\npiPLATO_22.dll
     2011-06-02 02:30 . 2002-04-18 15:39 8192 ----a-w- c:\program files\Mozilla Firefox\plugins\npipcd3.dll
     2011-06-02 02:30 . 2002-04-18 15:39 8192 ----a-w- c:\program files\Internet Explorer\Plugins\npipcd3.dll
     2011-06-02 02:30 . 2011-06-02 02:30 -------- d-----w- c:\windows\PWLN
     2011-06-02 02:30 . 1999-09-22 22:56 32768 ----a-w- c:\windows\system32\PHONETIC.FON
     2011-05-17 23:18 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
     2011-05-17 23:18 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
     2011-05-17 23:18 . 2009-09-05 00:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
     2011-05-17 01:27 . 2011-05-17 22:25 -------- d-----w- C:\LOTRO Standard Res Install Files
     2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\program files\Pando Networks
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-05-25 02:14 . 2009-12-24 00:36 222080 ------w- c:\windows\system32\MpSigStub.exe
     2011-05-04 11:52 . 2010-04-27 21:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2011-05-04 09:25 . 2010-04-27 21:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2011-04-18 14:37 . 2011-04-18 14:37 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
     2011-04-10 19:41 . 2011-04-06 17:11 47360 ----a-w- c:\documents and settings\LH\Application Data\pcouffin.sys
     2011-04-09 20:29 . 2011-04-09 20:29 12672524 ----a-w- C:\SD_Setup_20110315.exe
     2011-04-06 23:04 . 2011-04-06 17:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
     2011-03-18 01:21 . 2011-03-18 01:21 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
     2010-12-12 05:12 . 2010-12-11 21:56 2279803967 ----a-w- c:\program files\MSSetupv93.exe
     2011-04-14 16:41 . 2011-05-01 00:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
     .
     .
     ------- Sigcheck -------
     Note: Unsigned files aren't necessarily malware.
     .
     [-] 2010-03-09 01:45 . CC08A15B7EFDA14F43D807DFEC18EACB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
     [7] 2010-03-05 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
     [7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
     [7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
     "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-30 210216]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
     2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
     2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
     2009-06-04 04:59 103720 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
     2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
     2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
     2007-09-17 16:07 8491008 ----a-w- c:\windows\system32\nvcpl.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
     2011-05-17 01:26 3071384 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
     2007-05-29 00:32 16132608 ----a-w- c:\windows\RTHDCPL.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchEngineProtection]
     2011-03-03 14:33 591248 ----a-w- c:\program files\GamesBar\SearchEngineProtection.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
     2011-05-07 01:15 532320 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
     2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
     2009-12-28 20:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
     2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "JavaQuickStarterService"=2 (0x2)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
     "c:\\Warcraft III\\Warcraft III.exe"=
     "c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
     "c:\\Program Files\\Vuze\\Azureus.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "c:\\Documents and Settings\\Dagen\\Local Settings\\Apps\\2.0\\AT0X8X4D.YO1\\RC3TWXLM.6RW\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
     "c:\\Program Files\\StarCraft II Demo\\StarCraft II.exe"=
     "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
     "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
     "c:\\Program Files\\StarCraft II Demo\\Versions\\Base15405\\SC2.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "58714:TCP"= 58714:TCP:Pando Media Booster
     "58714:UDP"= 58714:UDP:Pando Media Booster
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
     "56283:TCP"= 56283:TCP:Pando Media Booster
     "56283:UDP"= 56283:UDP:Pando Media Booster
     "57500:TCP"= 57500:TCP:Pando Media Booster
     "57500:UDP"= 57500:UDP:Pando Media Booster
     "58865:TCP"= 58865:TCP:Pando Media Booster
     "58865:UDP"= 58865:UDP:Pando Media Booster
     "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
     "56825:TCP"= 56825:TCP:Pando Media Booster
     "56825:UDP"= 56825:UDP:Pando Media Booster
     "59079:TCP"= 59079:TCP:Pando Media Booster
     "59079:UDP"= 59079:UDP:Pando Media Booster
     "57350:TCP"= 57350:TCP:Pando Media Booster
     "57350:UDP"= 57350:UDP:Pando Media Booster
     .
     R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [02/06/2011 8:26 AM 13496]
     R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [17/03/2011 6:21 PM 218688]
     R1 NDISAH;NDISAH;c:\windows\system32\drivers\ndisah.sys [20/02/2011 2:40 PM 24448]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 11:41 AM 67656]
     R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [20/04/2011 8:11 AM 353168]
     R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [06/05/2011 5:33 PM 393112]
     R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [02/06/2011 8:25 AM 821080]
     S1 MpKsl82860010;MpKsl82860010;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{058D3542-7C4C-4DB7-89BC-B419AD00A5FE}\MpKsl82860010.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{058D3542-7C4C-4DB7-89BC-B419AD00A5FE}\MpKsl82860010.sys [?]
     S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 5:34 PM 135664]
     S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe --> c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [?]
     S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 5:34 PM 135664]
     S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [?]
     S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [?]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [13/06/2011 12:10 PM 39984]
     S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
     S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 5:00 AM 14336]
     S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
     S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/05/2010 3:48 PM 691696]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     WINRM REG_MULTI_SZ WINRM
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-06-15 c:\windows\Tasks\ASC4_PerformanceMonitor.job
     - c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-04-20 21:46]
     .
     2011-06-15 c:\windows\Tasks\Game_Booster_Startup.job
     - c:\program files\IObit\Game Booster\gbtray.exe [2011-06-02 23:20]
     .
     2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 00:34]
     .
     2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 00:34]
     .
     2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1078145449-682003330-1005Core.job
     - c:\documents and settings\Dagen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 02:02]
     .
     2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1078145449-682003330-1005UA.job
     - c:\documents and settings\Dagen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 02:02]
     .
     2011-06-15 c:\windows\Tasks\SmartDefrag_Startup.job
     - c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-02 00:31]
     .
     2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{045420DF-F4CA-49F0-BEA4-419B986CAA19}.job
     - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.ca/
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
     TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
     FF - ProfilePath - c:\documents and settings\LH\Application Data\Mozilla\Firefox\Profiles\g5fjla11.default\
     FF - prefs.js: browser.search.selectedEngine - bing
     FF - prefs.js: browser.startup.homepage - hxxp://start.msn.iplay.com/?o=shp
     FF - prefs.js: browser.search.selectedEngine - Yahoo
     FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
     FF - user.js: browser.cache.memory.capacity - 65536
     FF - user.js: browser.chrome.favicons - false
     FF - user.js: browser.display.show_image_placeholders - true
     FF - user.js: browser.turbo.enabled - true
     FF - user.js: browser.urlbar.autocomplete.enabled - true
     FF - user.js: browser.urlbar.autofill - true
     FF - user.js: browser.xul.error_pages.enabled - true
     FF - user.js: content.interrupt.parsing - true
     FF - user.js: content.max.tokenizing.time - 3000000
     FF - user.js: content.maxtextrun - 8191
     FF - user.js: content.notify.backoffcount - 5
     FF - user.js: content.notify.interval - 750000
     FF - user.js: content.notify.ontimer - true
     FF - user.js: content.switch.threshold - 750000
     FF - user.js: network.http.max-connections - 32
     FF - user.js: network.http.max-connections-per-server - 8
     FF - user.js: network.http.max-persistent-connections-per-proxy - 8
     FF - user.js: network.http.max-persistent-connections-per-server - 4
     FF - user.js: network.http.pipelining - true
     FF - user.js: network.http.pipelining.firstrequest - true
     FF - user.js: network.http.pipelining.maxrequests - 8
     FF - user.js: network.http.proxy.pipelining - true
     FF - user.js: network.http.request.max-start-delay - 0
     FF - user.js: nglayout.initialpaint.delay - 0
     FF - user.js: plugin.expose_full_path - true
     FF - user.js: ui.submenuDelay - 0
     .
     - - - - ORPHANS REMOVED - - - -
     .
     URLSearchHooks-{7757CBCC-0975-4b79-A519-90B142CA3A23} - (no file)
     BHO-{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE} - (no file)
     Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
     WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
     WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
     MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
     .
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-06-15 11:38
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
     "ImagePath"="c:\windows\system32\GameMon.des -service"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_USERS\S-1-5-21-1085031214-1078145449-682003330-1003\Software\SecuROM\License information*]
     "datasecu"=hex:4e,4f,68,26,14,c2,32,d2,fa,03,6e,ac,33,2c,ef,55,d0,60,d0,23,5b,
        8c,ec,b8,05,02,d7,48,d5,b6,a3,b0,1a,fa,5c,34,30,75,42,ef,7f,27,fe,e3,d2,18,\
     "rkeysecu"=hex:c0,1c,20,f6,42,a6,8d,d3,81,a0,ba,39,c1,ce,ab,36
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(828)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     c:\windows\system32\WININET.dll
     .
     - - - - - - - > 'explorer.exe'(2200)
     c:\windows\system32\WININET.dll
     c:\windows\system32\msi.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\nvsvc32.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Windows Media Player\WMPNetwk.exe
     .
     **************************************************************************
     .
     Completion time: 2011-06-15 11:41:56 - machine was rebooted
     ComboFix-quarantined-files.txt 2011-06-15 18:41
     .
     Pre-Run: 148,591,001,600 bytes free
     Post-Run: 148,898,729,984 bytes free
     .
     - - End Of File - - D7CC5262003B996B9DB3C086A4EB88ED
  3. Here are the 4 logs.
     dds.txt
     attach.txt
     Report.txt
     defogger_disable.log.txt
  4. OK, here is the scan. It didn't seem to find anything though.
     2011/06/14 13:35:14.0390 3360 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
     2011/06/14 13:35:15.0031 3360 ================================================================================
     2011/06/14 13:35:15.0031 3360 SystemInfo:
     2011/06/14 13:35:15.0031 3360
     2011/06/14 13:35:15.0031 3360 OS Version: 5.1.2600 ServicePack: 3.0
     2011/06/14 13:35:15.0031 3360 Product type: Workstation
     2011/06/14 13:35:15.0031 3360 ComputerName: LORNE-5C72D303D
     2011/06/14 13:35:15.0031 3360 UserName: LH
     2011/06/14 13:35:15.0031 3360 Windows directory: C:\WINDOWS
     2011/06/14 13:35:15.0031 3360 System windows directory: C:\WINDOWS
     2011/06/14 13:35:15.0031 3360 Processor architecture: Intel x86
     2011/06/14 13:35:15.0031 3360 Number of processors: 2
     2011/06/14 13:35:15.0031 3360 Page size: 0x1000
     2011/06/14 13:35:15.0031 3360 Boot type: Normal boot
     2011/06/14 13:35:15.0031 3360 ================================================================================
     2011/06/14 13:35:16.0593 3360 Initialize success
     2011/06/14 13:35:49.0093 1624 ================================================================================
     2011/06/14 13:35:49.0093 1624 Scan started
     2011/06/14 13:35:49.0093 1624 Mode: Manual;
     2011/06/14 13:35:49.0093 1624 ================================================================================
     2011/06/14 13:35:49.0593 1624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/06/14 13:35:49.0640 1624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
     2011/06/14 13:35:49.0703 1624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
     2011/06/14 13:35:49.0750 1624 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
     2011/06/14 13:35:49.0828 1624 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
     2011/06/14 13:35:49.0859 1624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/06/14 13:35:49.0875 1624 atapi (cc08a15b7efda14f43d807dfec18eacb) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/06/14 13:35:49.0921 1624 atksgt (5b80e84af6b02ecab72dae9afee06309) C:\WINDOWS\system32\DRIVERS\atksgt.sys
     2011/06/14 13:35:49.0921 1624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
     2011/06/14 13:35:49.0968 1624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
     2011/06/14 13:35:50.0015 1624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
     2011/06/14 13:35:50.0078 1624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
     2011/06/14 13:35:50.0125 1624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
     2011/06/14 13:35:50.0140 1624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
     2011/06/14 13:35:50.0187 1624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2011/06/14 13:35:50.0265 1624 DefragFS (d7ac073bafcf98786d3b85100d4288ab) C:\WINDOWS\system32\drivers\DefragFS.sys
     2011/06/14 13:35:50.0281 1624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
     2011/06/14 13:35:50.0312 1624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
     2011/06/14 13:35:50.0328 1624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
     2011/06/14 13:35:50.0359 1624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
     2011/06/14 13:35:50.0359 1624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
     2011/06/14 13:35:50.0390 1624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
     2011/06/14 13:35:50.0421 1624 dtsoftbus01 (555e54ac2f601a8821cef58961653991) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
     2011/06/14 13:35:50.0468 1624 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
     2011/06/14 13:35:50.0500 1624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
     2011/06/14 13:35:50.0546 1624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
     2011/06/14 13:35:50.0546 1624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
     2011/06/14 13:35:50.0562 1624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
     2011/06/14 13:35:50.0578 1624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
     2011/06/14 13:35:50.0625 1624 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
     2011/06/14 13:35:50.0625 1624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
     2011/06/14 13:35:50.0640 1624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
     2011/06/14 13:35:50.0656 1624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     2011/06/14 13:35:50.0671 1624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
     2011/06/14 13:35:50.0687 1624 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
     2011/06/14 13:35:50.0734 1624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
     2011/06/14 13:35:50.0765 1624 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
     2011/06/14 13:35:50.0796 1624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
     2011/06/14 13:35:50.0937 1624 IntcAzAudAddService (39a817320087ef1c851d7a8f1701b3e0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
     2011/06/14 13:35:50.0984 1624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
     2011/06/14 13:35:51.0000 1624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
     2011/06/14 13:35:51.0031 1624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
     2011/06/14 13:35:51.0031 1624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
     2011/06/14 13:35:51.0046 1624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
     2011/06/14 13:35:51.0046 1624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
     2011/06/14 13:35:51.0062 1624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
     2011/06/14 13:35:51.0062 1624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
     2011/06/14 13:35:51.0093 1624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
     2011/06/14 13:35:51.0109 1624 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
     2011/06/14 13:35:51.0140 1624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
     2011/06/14 13:35:51.0171 1624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
     2011/06/14 13:35:51.0218 1624 lirsgt (975b6cf65f44e95883f3855bae8cecaf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
     2011/06/14 13:35:51.0250 1624 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
     2011/06/14 13:35:51.0265 1624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
     2011/06/14 13:35:51.0281 1624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
     2011/06/14 13:35:51.0281 1624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
     2011/06/14 13:35:51.0296 1624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
     2011/06/14 13:35:51.0312 1624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
     2011/06/14 13:35:51.0312 1624 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
     2011/06/14 13:35:51.0390 1624 MpKsl5a5880a8 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D715B13-39BF-4890-A2E7-2B94965E271C}\MpKsl5a5880a8.sys
     2011/06/14 13:35:51.0437 1624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
     2011/06/14 13:35:51.0484 1624 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
     2011/06/14 13:35:51.0500 1624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
     2011/06/14 13:35:51.0531 1624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
     2011/06/14 13:35:51.0546 1624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
     2011/06/14 13:35:51.0546 1624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
     2011/06/14 13:35:51.0562 1624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
     2011/06/14 13:35:51.0578 1624 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
     2011/06/14 13:35:51.0578 1624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
     2011/06/14 13:35:51.0593 1624 NDISAH (7f41e6c6261224e509c6d6ecc23ab8d8) C:\WINDOWS\system32\drivers\NDISAH.sys
     2011/06/14 13:35:51.0625 1624 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
     2011/06/14 13:35:51.0671 1624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
     2011/06/14 13:35:51.0671 1624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
     2011/06/14 13:35:51.0718 1624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
     2011/06/14 13:35:51.0734 1624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
     2011/06/14 13:35:51.0750 1624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
     2011/06/14 13:35:51.0765 1624 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
     2011/06/14 13:35:51.0781 1624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
     2011/06/14 13:35:51.0796 1624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
     2011/06/14 13:35:51.0859 1624 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
     2011/06/14 13:35:51.0921 1624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
     2011/06/14 13:35:52.0078 1624 nv (5950e6cc9fb3fabb61604d395dbc8550) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
     2011/06/14 13:35:52.0140 1624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
     2011/06/14 13:35:52.0171 1624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
     2011/06/14 13:35:52.0203 1624 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
     2011/06/14 13:35:52.0234 1624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
     2011/06/14 13:35:52.0265 1624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
     2011/06/14 13:35:52.0265 1624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
     2011/06/14 13:35:52.0281 1624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
     2011/06/14 13:35:52.0296 1624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
     2011/06/14 13:35:52.0328 1624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
     2011/06/14 13:35:52.0375 1624 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
     2011/06/14 13:35:52.0437 1624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
     2011/06/14 13:35:52.0453 1624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
     2011/06/14 13:35:52.0453 1624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
     2011/06/14 13:35:52.0468 1624 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
     2011/06/14 13:35:52.0531 1624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
     2011/06/14 13:35:52.0546 1624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
     2011/06/14 13:35:52.0562 1624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
     2011/06/14 13:35:52.0578 1624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
     2011/06/14 13:35:52.0593 1624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
     2011/06/14 13:35:52.0625 1624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
     2011/06/14 13:35:52.0656 1624 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
     2011/06/14 13:35:52.0703 1624 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
     2011/06/14 13:35:52.0718 1624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
     2011/06/14 13:35:52.0812 1624 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
     2011/06/14 13:35:52.0828 1624 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
     2011/06/14 13:35:52.0843 1624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
     2011/06/14 13:35:52.0859 1624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
     2011/06/14 13:35:52.0890 1624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
     2011/06/14 13:35:52.0921 1624 SmartDefragDriver (972dea0d8149d73c5b7a2c97b2e749e3)
C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys 2011/06/14 13:35:52.0968 1624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/06/14 13:35:53.0015 1624 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys 2011/06/14 13:35:53.0015 1624 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505 2011/06/14 13:35:53.0031 1624 sptd - detected LockedFile.Multi.Generic (1) 2011/06/14 13:35:53.0046 1624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/06/14 13:35:53.0078 1624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/06/14 13:35:53.0078 1624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/06/14 13:35:53.0093 1624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/06/14 13:35:53.0156 1624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/06/14 13:35:53.0203 1624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/06/14 13:35:53.0234 1624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/06/14 13:35:53.0250 1624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/06/14 13:35:53.0250 1624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/06/14 13:35:53.0296 1624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/06/14 13:35:53.0343 1624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/06/14 13:35:53.0421 1624 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/06/14 13:35:53.0484 1624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/06/14 13:35:53.0531 1624 usbhub (1ab3cdde553b6e064d2e754efe20285c) 
C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/06/14 13:35:53.0578 1624 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/06/14 13:35:53.0578 1624 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/06/14 13:35:53.0640 1624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/06/14 13:35:53.0656 1624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/06/14 13:35:53.0671 1624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/06/14 13:35:53.0687 1624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/06/14 13:35:53.0718 1624 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2011/06/14 13:35:53.0765 1624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/06/14 13:35:53.0812 1624 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2011/06/14 13:35:53.0828 1624 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2011/06/14 13:35:53.0875 1624 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0 2011/06/14 13:35:53.0953 1624 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1 2011/06/14 13:35:53.0953 1624 ================================================================================ 2011/06/14 13:35:53.0953 1624 Scan finished 2011/06/14 13:35:53.0953 1624 ================================================================================ 2011/06/14 13:35:53.0968 3324 Detected object count: 1 2011/06/14 13:35:53.0968 3324 Actual detected object count: 1 2011/06/14 13:36:30.0984 3324 LockedFile.Multi.Generic(sptd) - User select action: Skip
  5. Here is the newest SAS log:

     SUPERAntiSpyware Scan Log
     https://www.superantispyware.com

     Generated 06/14/2011 at 00:24 AM

     Application Version : 4.54.1000

     Core Rules Database Version : 7263
     Trace Rules Database Version: 5075

     Scan type : Complete Scan
     Total Scan Time : 00:25:03

     Memory items scanned : 383
     Memory threats detected : 0
     Registry items scanned : 7346
     Registry threats detected : 15
     File items scanned : 20511
     File threats detected : 4

     Trojan.Agent/Gen-TDSS
     HKLM\System\ControlSet001\Services\atapi
     C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS
     HKLM\System\ControlSet001\Enum\Root\LEGACY_atapi
     HKLM\System\ControlSet002\Services\atapi
     HKLM\System\ControlSet002\Enum\Root\LEGACY_atapi
     HKLM\System\CurrentControlSet\Services\atapi
     HKLM\System\CurrentControlSet\Enum\Root\LEGACY_atapi
     C:\SYSTEM VOLUME INFORMATION\_RESTORE{A61960BB-35B8-40B0-BBE3-BB585486DD17}\RP657\A0090702.SYS

     Trojan.Agent/Gen-SSHNAS
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

     Adware.MyWebSearch/FunWebProducts
     C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSIMG32.DLL
     C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\RICHED20.DLL

     Here is the aswMBR log:

     aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
     Run date: 2011-06-14 12:14:55
     -----------------------------
     12:14:55.609 OS Version: Windows 5.1.2600 Service Pack 3
     12:14:55.609 Number of processors: 2 586 0xF0B
     12:14:55.609 ComputerName: LORNE-5C72D303D UserName: LH
     12:14:56.468 Initialize success
     12:15:06.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
     12:15:06.031 Disk 0 Vendor: WDC_WD3200AAKS-75VYA0 12.01B02 Size: 305245MB BusType: 3
     12:15:06.031 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e
     12:15:06.031 Disk 1 Vendor: ST3250310AS 3.ADA Size: 238418MB BusType: 3
     12:15:06.031 Disk 0 MBR read error 0
     12:15:06.031 Disk 0 MBR scan
     12:15:06.031 Disk 0 unknown MBR code
     12:15:06.031 MBR BIOS signature not found 0
     12:15:06.031 Disk 0 scanning sectors +625121280
     12:15:06.031 Disk 0 scanning C:\WINDOWS\system32\drivers
     12:15:09.890 Service scanning
     12:15:10.703 Disk 0 trace - called modules:
     12:15:10.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spqz.sys >>UNKNOWN [0x8aeb5938]<<
     12:15:10.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ade7ab8]
     12:15:10.718 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8ae69f18]
     12:15:10.718 5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8adf0940]
     12:15:10.718 Scan finished successfully
     12:15:31.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LH\Desktop\MBR.dat"
     12:15:31.125 The log file has been saved successfully to "C:\Documents and Settings\LH\Desktop\aswMBR.txt"
  6. I ran a SAS scan and it came up with this:

     SUPERAntiSpyware Scan Log
     https://www.superantispyware.com

     Generated 06/13/2011 at 08:49 PM

     Application Version : 4.42.1000

     Core Rules Database Version : 7263
     Trace Rules Database Version: 5075

     Scan type : Quick Scan
     Total Scan Time : 00:06:53

     Memory items scanned : 398
     Memory threats detected : 0
     Registry items scanned : 1657
     Registry threats detected : 17
     File items scanned : 5806
     File threats detected : 1

     Trojan.Agent/Gen-TDSS
     HKLM\System\ControlSet001\Services\atapi
     C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS
     HKLM\System\ControlSet001\Enum\Root\LEGACY_atapi
     HKLM\System\ControlSet002\Services\atapi
     HKLM\System\ControlSet002\Enum\Root\LEGACY_atapi
     HKLM\System\CurrentControlSet\Services\atapi
     HKLM\System\CurrentControlSet\Enum\Root\LEGACY_atapi

     Trojan.Agent/Gen-SSHNAS
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

     Malware.Trace
     HKU\.DEFAULT\Software\Microsoft\Handle
     HKU\S-1-5-18\Software\Microsoft\Handle

     When I removed them, my PC would boot into Windows XP Pro but then freeze on a BSOD (same in Safe Mode). When I did a system restore (one I created before the SAS scan) with ERD Commander 2007, XP booted properly, but upon scanning again with SAS the same trojan results came up. Are these just false positives? Because removing them messes up my PC.
  7. I've got the regular SAS latest version. I think you're right. It only happened a few times and never since. Thanks anyway.
  8. Lately when I've run SAS on my PC or other people's PCs, it will cause the PCs (all XP systems) to either not boot or cause the internet to lose connectivity. I can usually boot in Safe Mode, and when I restore the quarantined objects the PCs will go back to booting properly and the internet will be restored (but then the spyware is back). When I run Malwarebytes AntiMalware it will remove the spyware and everything will boot and run properly. But I like SAS and I always use it first. So what's going on with SAS?