psc23351

Trojan.Win32.Kryptik.iaq(V)

Cannot remove this piece of malware.
Ad-Aware finds it after a scan and removes it, deleting the files on reboot, but the malware returns.
I have read multiple forum submissions on this topic and tried suggestions such as ComboFix, etc.

Can anyone help, please?

Hi psc23351,

Please post the Ad-Aware log so we can see which file is infected.

ComboFix is a powerful tool that shouldn't be used without guidance. Don't run ComboFix again, but post its log, which is in the C:\ folder and is named ComboFix.txt.

Save DDS to your desktop: http://download.bleepingcomputer.com/sUBs/dds.scr
Double-click on the DDS tool to run it.

When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save them to your desktop and paste their content into your answer.

[attachment=8862:attach.zip]

Hi CeciliaB,

Sorry for the delay in responding; I have been traveling.
Here are the .txt files you requested.
Hope you can help; I am still having problems with this.

Thanks
psc23351

Hi psc23351,

No need to apologize :)

Please don't zip the log files, since it is then very time-consuming for me to read them; paste their content directly into your answer (preferred) or upload the log files without zipping them.

Is this computer owned by a company and connected to a domain?
My fixes might lead to unexpected side-effects in a company computer.

I see that this ComboFix log is from the second run. Please paste C:\Qoobox\ComboFix2.txt

Can you find the information in Ad-Aware regarding which file (and folder) is infected with Trojan.Win32.Kryptik.iaq(V)?

I will paste the logs into the following posts so it will be easy to read them the next time.

DDS.txt

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by 1704420 Ontario Inc at 10:24:32 on 2011-07-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.208 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe
C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
C:\PROGRA~1\ROCKWE~2\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
svchost.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Siemens\S7ubtoox\S7ubtoox.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Siemens\Sqlany\dbsrv9.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [CognexOpc] c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSight.exe -I
mRun: [TOSDCR] TOSDCR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [S7UB Start] "c:\program files\common files\siemens\s7ubtoox\s7ubtstx.exe" -StartDB
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [UsbCipHelper] c:\program files\rockwell automation\rockwell automation usb cip driver package\usbciphelper\UsbCipHelper.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TFNF5] TFNF5.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [WinCC flexible Smart Start] "c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\HmiSmartStart.exe" /startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\170442~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: DisablePersonalDirChange = 1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.89.70.2 64.89.74.2
TCP: Interfaces\{8E112997-EA3C-4EE4-8704-6BFE07518B62} : DhcpNameServer = 64.89.70.2 64.89.74.2
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\1704420 ontario inc\application data\mozilla\firefox\profiles\[email protected]\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-22 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-1 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-11-10 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-30 5888]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2010-3-29 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [2007-6-25 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [2007-6-25 28363]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 2151640]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-6 10384]
R2 LogReceiver;LogReceiver;c:\program files\rockwell software\rslinx enterprise\LogReceiver.exe [2007-7-9 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2006-5-9 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-5-9 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlservr.exe [2005-5-4 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\rockwell software\rsview enterprise\RsAlarmLogServ.exe [2007-9-18 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\rockwell software\rsview enterprise\ServerFramework.exe [2007-9-18 491520]
R2 s7asysvx;S7 Global Services;c:\program files\siemens\step7\s7bin\s7asysvx.exe [2008-7-14 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [2010-3-2 77312]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [2010-3-2 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [2010-3-1 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [2010-3-2 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2009-2-24 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2010-3-2 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-6-29 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\common files\siemens\simaticsecuritycontrol\ssc_service_x.exe [2007-7-17 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [2007-11-5 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-5-14 26137]
R3 EventServer;Rockwell Event Server;c:\program files\common files\rockwell\EventServer.exe [2007-9-17 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [2010-4-8 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-22 35968]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-24 15232]
R3 NmspHost;Rockwell Namespace Services;c:\program files\common files\rockwell\NmspHost.exe [2007-9-18 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\common files\rockwell\RdcyHost.exe [2007-9-18 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-30 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [2001-10-29 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\common files\siemens\ace\bin\ccagent.exe --> c:\program files\common files\siemens\ace\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\common files\siemens\ace\bin\cceclient.exe --> c:\program files\common files\siemens\ace\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\common files\siemens\ace\bin\cceserver.exe --> c:\program files\common files\siemens\ace\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RedundancyControl;RedundancyControl;c:\program files\common files\siemens\ace\bin\redundancycontrol.exe --> c:\program files\common files\siemens\ace\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\common files\siemens\ace\bin\redundancystate.exe --> c:\program files\common files\siemens\ace\bin\RedundancyState.exe [?]
S2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2010-3-2 1576072]
S2 SCSMonitor;SCSMonitor;c:\program files\common files\siemens\ace\bin\scsmx.exe --> c:\program files\common files\siemens\ace\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2000-5-31 71448]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [2000-4-5 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [2010-5-5 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\cognex\in-sight\in-sight explorer 3.3.0\utilities\cogissvc.exe [2006-7-18 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSightService.exe [2006-7-18 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [2005-7-4 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\textron vpn client\Extranet_serv.exe [2009-5-14 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\common files\rockwell\FTAEArchiver.exe [2007-9-17 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\common files\rockwell\FTAE_HistServ.exe [2007-9-17 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-5-14 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\drivers\pcidnt.sys --> c:\windows\system32\drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\common files\rockwell\RnaAeServer.exe [2007-9-17 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\common files\rockwell\RnaAlarmMux.exe [2007-9-21 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1999-11-10 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [2002-11-13 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2006-1-18 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [2002-4-23 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [1999-5-11 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [2007-12-5 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [2007-12-5 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [2002-10-18 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [2010-3-2 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [2008-11-26 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [2008-4-28 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2006-4-14 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlagent.EXE [2005-5-3 323584]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-07-25 05:01:27 66 ---ha-w- C:\aaw7boot.cmd
2011-07-25 04:06:36 -------- d-----w- c:\documents and settings\1704420 ontario inc\application data\ElevatedDiagnostics
2011-07-20 00:03:24 -------- d-sha-r- C:\cmdcons
2011-07-19 23:53:56 -------- d-----w- C:\ComboFix
2011-07-18 17:44:52 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-07-18 17:44:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-15 23:07:52 208896 ----a-w- c:\windows\MBR.exe
2011-07-15 23:07:50 256000 ----a-w- c:\windows\PEV.exe
2011-07-05 21:56:11 -------- d-----w- c:\program files\common files\Merge Modules
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-01 04:56:06 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42:34 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27:21 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
.
==================== Find3M ====================
.
2011-07-18 18:24:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-07 18:33:44 10532 --sh--r- C:\EVRSI.SYS
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 02:47:42 16432 ----a-w- c:\windows\system32\lsdelete.exe
1998-04-28 00:15:06 570128 ------w- c:\program files\common files\dao350.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.SBDO -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869DDF16]<<
_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0x17e; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87370030]
3 CLASSPNP[0xF75DCFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\THPDRV[0x87375030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x19b; }
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
.
============= FINISH: 10:33:47.18 ===============

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/30/2007 1:30:20 PM
System Uptime: 7/25/2011 1:13:12 AM (9 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Core(tm)2 Duo CPU T7100 @ 1.80GHz | uFC-PGA Socket | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 108 GiB total, 21.951 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 7/20/2011 6:52:36 AM - System Checkpoint
RP2: 7/20/2011 7:58:28 AM - Removed Google Update Helper
RP3: 7/21/2011 8:28:39 AM - System Checkpoint
RP4: 7/22/2011 10:40:56 AM - System Checkpoint
RP5: 7/23/2011 1:05:17 PM - System Checkpoint
RP6: 7/24/2011 6:15:26 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 8.3.0
FactoryTalk® View Site Edition 5.00.00 (CPR 9)
HijackThis 2.0.2
Java Auto Updater
Java(tm) 6 Update 26
RSView Supervisory Edition 5.00.00.55 (CPR 9)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2555917)
.
==== Event Viewer Messages From Past Week ========
.
7/24/2011 11:23:12 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
7/23/2011 4:25:24 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/23/2011 12:25:24 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/23/2011 10:25:23 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/22/2011 7:06:40 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/22/2011 6:36:40 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/22/2011 6:21:41 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/22/2011 2:18:05 AM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The Siemens PC/PPI Cable service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The SCSMonitor service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The RedundancyState service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The RedundancyControl service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The CCEServer service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The CCEClient service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:16:02 AM, error: Service Control Manager [7000] - The CCAgent service failed to start due to the following error: The system cannot find the file specified.
7/22/2011 2:11:57 AM, error: Service Control Manager [7034] - The SIMATIC IEPG Help Service service terminated unexpectedly. It has done this 1 time(s).
7/22/2011 2:11:48 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
.
==== End Of File ===========================

ComboFix.txt

ComboFix 11-07-18.04 - 1704420 Ontario Inc 07/19/2011 20:15:54.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.447 [GMT -4:00]
Running from: c:\documents and settings\1704420 Ontario Inc\My Documents\Downloads\ComboFix\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-19 22:03 . 2011-07-19 22:05 66 ---ha-w- C:\aaw7boot.cmd
2011-07-19 02:15 . 2011-07-19 23:53 -------- d-----w- C:\32788R22FWJFW
2011-07-18 17:44 . 2011-07-18 17:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-18 17:44 . 2011-07-18 17:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 21:56 . 2011-07-05 21:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-07-05 20:41 . 2011-07-05 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-01 04:56 . 2011-06-29 13:25 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42 . 2011-06-30 19:42 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27 . 2011-06-29 13:25 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-20 01:42 . 2011-07-18 18:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 17:42 . 2007-04-22 21:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26 . 2009-11-10 14:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02 . 2007-04-22 19:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2007-04-22 20:15 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-22 19:43 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-04-22 19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 02:47 . 2009-03-04 03:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-26 11:07 . 2007-04-22 19:44 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2007-04-22 19:43 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2007-04-22 19:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-04-22 19:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-04-22 19:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-04-22 19:43 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2007-04-22 19:43 105472 ------w- c:\windows\system32\drivers\mup.sys
1998-04-28 00:15 . 2007-12-03 02:49 570128 ------w- c:\program files\Common Files\dao350.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"CognexOpc"="c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe" [2006-07-18 90112]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 434176]
"00THotkey"="c:\windows\system320THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2010-04-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-11 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
c:\documents and settings\1704420 Ontario Inc\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-1 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\Miniweb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/1/2011 12:56 AM 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/10/2009 10:12 AM 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/30/2007 2:38 PM 5888]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [3/29/2010 9:13 AM 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [6/25/2007 4:46 PM 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 4:47 PM 28363]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/6/2009 10:26 AM 10384]
R2 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/9/2006 8:31 AM 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/9/2006 8:32 AM 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 9:35 PM 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 8:21 PM 491520]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 8:02 PM 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [3/2/2010 8:37 AM 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [3/2/2010 8:47 AM 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [3/2/2010 8:38 AM 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [3/1/2010 4:51 PM 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [3/2/2010 8:40 AM 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2/24/2009 5:39 PM 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [3/2/2010 8:47 AM 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/29/2011 9:27 AM 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [7/17/2007 11:36 AM 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/30/2007 2:38 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/5/2007 12:31 PM 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/14/2009 10:54 AM 26137]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/17/2007 11:36 PM 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [4/8/2010 11:15 AM 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 12:57 AM 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 12:57 AM 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/30/2007 2:41 PM 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 2151640]
S2 RedundancyControl;RedundancyControl;c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe --> c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [4/5/2000 2:22 PM 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [5/5/2010 4:42 PM 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\Cognex\In-Sight\In-Sight Explorer 3.3.0\Utilities\cogissvc.exe [7/18/2006 8:20 AM 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSightService.exe [7/18/2006 8:46 AM 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [7/4/2005 4:04 PM 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Textron VPN Client\Extranet_serv.exe [5/14/2009 10:54 AM 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/17/2007 11:29 PM 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/17/2007 11:29 PM 143360]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2011 1:50 PM 136176]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/14/2009 10:54 AM 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/17/2007 11:32 PM 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 2:27 PM 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [12/5/2007 11:25 AM 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [12/5/2007 11:25 AM 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [3/2/2010 8:39 AM 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [11/26/2008 9:34 AM 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [4/28/2008 11:24 PM 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [4/14/2006 10:06 AM 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/22/2007 3:44 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Lavasoft Kernexplorer
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-19 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-19 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-19 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-19 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-11 17:50]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-11 17:50]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\1704420 Ontario Inc\Application Data\Mozilla\Firefox\Profiles\[email protected]\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-19 20:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.SBDO -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3879435519-312499763-1611728940-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1900)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(4532)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\xpsp3res.dll
.
Completion time: 2011-07-19 21:15:01
ComboFix-quarantined-files.txt 2011-07-20 01:14
ComboFix2.txt 2011-07-16 12:22
.
Pre-Run: 24,188,145,664 bytes free
Post-Run: 24,229,396,480 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 75168AC61AAE1964C1CE98103F9F7163

[quote name='CeciliaB' post='128425' date='Jul 25 2011, 04:23 PM']Hi psc23351,

No need to apologize :)

Please don't zip the log files since it then is very time-consuming for me to read them, but paste their content directly into your answer (preferred) or upload the log files without zipping them.

Is this computer owned by a company and connected to a domain?
My fixes might lead to unexpected side-effects in a company computer.

I see that this ComboFix log is from the second run. Please, paste C:\Qoobox\ComboFix2.txt

Can you find the information in Ad-Aware regarding which file (and folder) that is infected with Trojan.Win32.Kryptik.iaq(V)?

I will paste the logs into the following posts so it will be easy to read them the next time.[/quote]


This is a company computer; I am self-employed, no domain, just a Windows network.
Have some clients with access through VPN and token.

The file that is infected is nwwksp.dll and is located in the folder C:\WINDOWS\system32
Attached below is the ComboFix2.txt log

Thanks for the help

ComboFix 11-07-15.02 - 1704420 Ontario Inc 07/16/2011 7:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.382 [GMT -4:00]
Running from: c:\documents and settings\1704420 Ontario Inc\My Documents\ComboFix\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-16 11:13 . 2011-07-16 11:16 -------- d-----w- C:\32788R22FWJFW
2011-07-16 11:10 . 2011-07-16 11:10 66 ---ha-w- C:\aaw7boot.cmd
2011-07-05 21:56 . 2011-07-05 21:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-07-05 20:41 . 2011-07-05 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-01 04:56 . 2011-06-29 13:25 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42 . 2011-06-30 19:42 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27 . 2011-06-29 13:25 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-20 01:42 . 2011-06-20 01:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-29 13:26 . 2009-11-10 14:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02 . 2007-04-22 19:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2007-04-22 20:15 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-22 19:43 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-04-22 19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 02:47 . 2009-03-04 03:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-26 11:07 . 2007-04-22 19:44 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2007-04-22 19:43 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2007-04-22 19:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-04-22 19:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-04-22 19:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-04-22 19:43 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2007-04-22 19:43 105472 ------w- c:\windows\system32\drivers\mup.sys
1998-04-28 00:15 . 2007-12-03 02:49 570128 ------w- c:\program files\Common Files\dao350.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.31.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-16 01:33 . 2011-07-16 01:33 16384 c:\windows\Temp\Perflib_Perfdata_3cc.dat
+ 2011-07-16 01:33 . 2011-07-16 01:33 16384 c:\windows\Temp\Perflib_Perfdata_3bc.dat
+ 2011-07-16 01:33 . 2011-07-16 01:33 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2007-04-22 20:19 . 2011-07-15 22:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-04-22 20:19 . 2011-07-16 11:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-07-16 00:52 . 2011-07-16 11:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-04-22 20:19 . 2011-07-15 22:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-05 19:39 . 2011-07-16 11:54 235340 c:\windows\system32\inetsrv\MetaBase.bin
- 2007-04-22 13:11 . 2011-05-08 04:17 435760 c:\windows\system32\FNTCACHE.DAT
+ 2007-04-22 13:11 . 2011-07-16 01:32 435760 c:\windows\system32\FNTCACHE.DAT
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-10-16 02:31 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2007-12-04 01:01 . 2011-07-16 01:17 49089992 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"CognexOpc"="c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe" [2006-07-18 90112]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 434176]
"00THotkey"="c:\windows\system320THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2010-04-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-11 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
c:\documents and settings\1704420 Ontario Inc\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-1 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\Miniweb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/1/2011 12:56 AM 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/10/2009 10:12 AM 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/30/2007 2:38 PM 5888]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [6/25/2007 4:46 PM 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 4:47 PM 28363]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/6/2009 10:26 AM 10384]
R2 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/9/2006 8:31 AM 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/9/2006 8:32 AM 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 9:35 PM 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 8:21 PM 491520]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 8:02 PM 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [3/2/2010 8:37 AM 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [3/2/2010 8:47 AM 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [3/2/2010 8:38 AM 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [3/1/2010 4:51 PM 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [3/2/2010 8:40 AM 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2/24/2009 5:39 PM 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [3/2/2010 8:47 AM 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/29/2011 9:27 AM 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [7/17/2007 11:36 AM 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/30/2007 2:38 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/5/2007 12:31 PM 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/14/2009 10:54 AM 26137]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/17/2007 11:36 PM 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [4/8/2010 11:15 AM 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 12:57 AM 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 12:57 AM 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/30/2007 2:41 PM 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [3/29/2010 9:13 AM 1594368]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 2151640]
S2 RedundancyControl;RedundancyControl;c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe --> c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [4/5/2000 2:22 PM 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [5/5/2010 4:42 PM 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\Cognex\In-Sight\In-Sight Explorer 3.3.0\Utilities\cogissvc.exe [7/18/2006 8:20 AM 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSightService.exe [7/18/2006 8:46 AM 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [7/4/2005 4:04 PM 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Textron VPN Client\Extranet_serv.exe [5/14/2009 10:54 AM 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/17/2007 11:29 PM 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/17/2007 11:29 PM 143360]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2011 1:50 PM 136176]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/14/2009 10:54 AM 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/17/2007 11:32 PM 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 2:27 PM 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [12/5/2007 11:25 AM 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [12/5/2007 11:25 AM 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [3/2/2010 8:39 AM 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [11/26/2008 9:34 AM 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [4/28/2008 11:24 PM 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [4/14/2006 10:06 AM 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/22/2007 3:44 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-16 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-16 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-16 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-11 17:50]
.
2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-11 17:50]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\1704420 Ontario Inc\Application Data\Mozilla\Firefox\Profiles\[email protected]\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-07-16 08:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Windows 5.1.2600 Disk: Hitachi_ rev.SBDO -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3879435519-312499763-1611728940-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1740)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(5328)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2011-07-16 08:22:07
ComboFix-quarantined-files.txt 2011-07-16 12:21
ComboFix2.txt 2011-07-16 00:49
.
Pre-Run: 17,533,501,440 bytes free
Post-Run: 17,505,357,824 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 847A6AA98B2426C140307FAB5D4B9A12
You are welcome :)

Save TDSSKiller on the Desktop:
[url="http://support.kaspersky.com/downloads/utils/tdsskiller.zip"]http://support.kaspersky.com/downloads/utils/tdsskiller.zip[/url]

Right-click and select [b]Extract all[/b]. Remember the location of the extracted file.
Turn off all programs.
Run the program TDSSKiller.exe which is the file you extracted.

Click on [b]Start Scan[/b].

If any threats are found select [b]Cure[/b] and click [b]Continue[/b]. If [b]Cure[/b] isn't available select [b]Skip[/b]. Do NOT select Quarantine or Delete.
The computer might need a restart.

Paste the content of the TDSSKiller log, which is located in the folder C:\ and named TDSSKiller followed by version and time.

Hi CeciliaB

Did the scan; here is the .txt log file.
It found 1 Rootkit.boot.SST.a, selected Cure and rebooted.

2011/07/25 19:22:00.0977 2248 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/25 19:22:01.0196 2248 ================================================================================
2011/07/25 19:22:01.0196 2248 SystemInfo:
2011/07/25 19:22:01.0196 2248
2011/07/25 19:22:01.0196 2248 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/25 19:22:01.0196 2248 Product type: Workstation
2011/07/25 19:22:01.0196 2248 ComputerName: 1704420_1
2011/07/25 19:22:01.0196 2248 UserName: 1704420 Ontario Inc
2011/07/25 19:22:01.0196 2248 Windows directory: C:\WINDOWS
2011/07/25 19:22:01.0196 2248 System windows directory: C:\WINDOWS
2011/07/25 19:22:01.0196 2248 Processor architecture: Intel x86
2011/07/25 19:22:01.0196 2248 Number of processors: 2
2011/07/25 19:22:01.0196 2248 Page size: 0x1000
2011/07/25 19:22:01.0196 2248 Boot type: Normal boot
2011/07/25 19:22:01.0196 2248 ================================================================================
2011/07/25 19:22:02.0055 2248 Initialize success
2011/07/25 19:22:10.0415 3028 ================================================================================
2011/07/25 19:22:10.0415 3028 Scan started
2011/07/25 19:22:10.0415 3028 Mode: Manual;
2011/07/25 19:22:10.0415 3028 ================================================================================
2011/07/25 19:22:25.0930 3028 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/25 19:22:26.0040 3028 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/25 19:22:26.0087 3028 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/25 19:22:26.0196 3028 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/07/25 19:22:26.0290 3028 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/25 19:22:26.0368 3028 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/25 19:22:26.0477 3028 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/25 19:22:26.0540 3028 TBiosDrv (1f26d86828039c0b594399f7f2ffef09) C:\WINDOWS\system32\Drivers\Tbiosdrv.sys
2011/07/25 19:22:26.0618 3028 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/25 19:22:26.0712 3028 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/07/25 19:22:26.0758 3028 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
2011/07/25 19:22:26.0821 3028 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/25 19:22:26.0899 3028 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/25 19:22:26.0977 3028 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys
2011/07/25 19:22:27.0040 3028 TEchoCan (65855534483d0c1330703100b31cac00) C:\WINDOWS\system32\DRIVERS\TEchoCan.sys
2011/07/25 19:22:27.0165 3028 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/25 19:22:27.0258 3028 Thpdrv (557cfdb7869499d357da1877ed93043f) C:\WINDOWS\system32\DRIVERS\thpdrv.sys
2011/07/25 19:22:27.0290 3028 Thpevm (beeca51c9ef368a1038e455278e4715e) C:\WINDOWS\system32\DRIVERS\Thpevm.SYS
2011/07/25 19:22:27.0415 3028 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys
2011/07/25 19:22:27.0493 3028 TMEI3E (684bfb1e9abb05d3f48c53f3cd16a3e6) C:\WINDOWS\system32\Drivers\TMEI3E.SYS
2011/07/25 19:22:27.0587 3028 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/07/25 19:22:27.0618 3028 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys
2011/07/25 19:22:27.0727 3028 TVALZ (73d3312955f805054e32fabdca5230b1) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS
2011/07/25 19:22:27.0790 3028 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/25 19:22:27.0868 3028 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/25 19:22:27.0993 3028 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/25 19:22:28.0040 3028 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/25 19:22:28.0118 3028 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/25 19:22:28.0165 3028 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/25 19:22:28.0274 3028 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/25 19:22:28.0352 3028 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/25 19:22:28.0368 3028 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/25 19:22:28.0415 3028 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/07/25 19:22:28.0462 3028 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/25 19:22:28.0712 3028 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/25 19:22:28.0758 3028 vsnl2ada (7ed275a019948cf77b91313addd1f459) C:\WINDOWS\System32\Drivers\vsnl2ada.sys
2011/07/25 19:22:28.0821 3028 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/25 19:22:28.0883 3028 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/25 19:22:29.0102 3028 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/25 19:22:29.0180 3028 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/07/25 19:22:29.0290 3028 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/25 19:22:29.0446 3028 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/25 19:22:29.0493 3028 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/25 19:22:29.0493 3028 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/25 19:22:29.0508 3028 Boot (0x1200) (e4764e29a897927d88e63851e22d3f41) \Device\Harddisk0\DR0\Partition0
2011/07/25 19:22:29.0508 3028 ================================================================================
2011/07/25 19:22:29.0508 3028 Scan finished
2011/07/25 19:22:29.0508 3028 ================================================================================
2011/07/25 19:22:29.0524 4364 Detected object count: 1
2011/07/25 19:22:29.0524 4364 Actual detected object count: 1
2011/07/25 19:22:58.0962 4364 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/25 19:22:58.0977 4364 \Device\Harddisk0\DR0 - ok
2011/07/25 19:22:58.0977 4364 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/25 19:23:13.0212 5064 Deinitialize success


psc23351

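The TDSSKiller log above lists every hashed object (driver name, MD5, path) and, at the end, the MBR detection and the action taken on it. As an added example for this thread (not part of the original post and not a Kaspersky tool), the Python below parses that line format into an object inventory and a detection list, and compares the logged MD5s against a baseline of known-good hashes. The sample lines follow the format of the log as posted; the baseline values are constructed for illustration only, with one deliberately altered so the comparison has something to flag.

```python
"""Parse a TDSSKiller log into an object inventory plus detections.

Added example for this thread; it is not part of the original post and not
a Kaspersky tool. The line formats come from the log as posted. SAMPLE_LOG
is a constructed excerpt in that format, and BASELINE is a constructed
list of "known-good" hashes (one deliberately wrong) used only to show
the comparison.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hashed object line: "<date> <time> <tid> <name> (<md5>) <path>".
# The name may itself contain parentheses, e.g. "MBR (0x1B8)", so it is lazy.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tid>\d+) (?P<name>.+?) "
    r"\((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# "<object> - detected <verdict> (<n>)"
DETECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tid>\d+) (?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
# "<verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tid>\d+) (?P<verdict>\S+)\((?P<obj>[^)]+)\) - "
    r"User select action: (?P<action>\w+)$")

# Constructed excerpt in the log's format (not the full log from the thread).
SAMPLE_LOG = r"""
2011/07/25 19:22:26.0618 3028 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/25 19:22:28.0040 3028 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/25 19:22:29.0493 3028 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/25 19:22:29.0493 3028 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/25 19:22:29.0508 3028 Boot (0x1200) (e4764e29a897927d88e63851e22d3f41) \Device\Harddisk0\DR0\Partition0
2011/07/25 19:22:58.0962 4364 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/25 19:22:58.0977 4364 \Device\Harddisk0\DR0 - ok
2011/07/25 19:22:58.0977 4364 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
"""

# Constructed baseline: Tcpip matches the log; the usbehci value is deliberately
# altered so the comparison flags it. A real baseline comes from a clean machine
# at the same OS and patch level.
BASELINE: Dict[str, str] = {
    "Tcpip": "9aefa14bd6b182d61e3119fa5f436d3d",
    "usbehci": "00000000000000000000000000000000",
}


@dataclass
class Entry:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    verdict: str
    action: Optional[str] = None
    cure_pending_reboot: bool = False


def parse_tdsskiller(text: str) -> Tuple[List[Entry], List[Detection]]:
    """Return (hashed objects, detections with the action recorded for them)."""
    entries: List[Entry] = []
    detections: Dict[str, Detection] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["name"], m["md5"].lower(), m["path"]))
            continue
        m = DETECTED_RE.match(line)
        if m:
            detections[m["obj"]] = Detection(m["obj"], m["verdict"])
            continue
        m = ACTION_RE.match(line)
        if m:
            det = detections.setdefault(m["obj"], Detection(m["obj"], m["verdict"]))
            det.action = m["action"]
            continue
        if line.endswith("- will be cured after reboot"):
            obj = line.split()[3]  # fields: date, time, tid, object
            if obj in detections:
                detections[obj].cure_pending_reboot = True
    return entries, list(detections.values())


def check_against_baseline(entries: List[Entry], baseline: Dict[str, str]) -> List[str]:
    """Names whose logged MD5 differs from the baseline. MD5 is what the tool
    prints; it is adequate for matching a known list but not collision
    resistant, so a match means 'same as baseline', not proof of integrity."""
    return [e.name for e in entries
            if e.name in baseline and baseline[e.name].lower() != e.md5]


def triage(text: str, baseline: Dict[str, str]) -> Dict[str, object]:
    entries, detections = parse_tdsskiller(text)
    return {
        "objects": len(entries),
        "detections": [(d.obj, d.verdict, d.action, d.cure_pending_reboot)
                       for d in detections],
        "baseline_mismatches": check_against_baseline(entries, baseline),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, BASELINE).items():
        print(f"{key}: {value}")
```

Run against the full log, the inventory is what you diff against a clean machine's TDSSKiller output to spot a replaced driver even when nothing is flagged; the detection list confirms that the MBR entry was marked for cure on reboot, which is why a rescan after the reboot is the real test.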
Good! :)

The ComboFix you have is old and you need the latest version.
Please, follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.

Downloaded and ran the new copy of ComboFix.
I still see the nwwksp.dll file in C:\Windows\System32, but I think the Date Modified has changed.
I'm not sure, but earlier today it was 07/21/2011; now it is 02/17/2011.
Attached is the new Log file.


ComboFix 11-07-25.03 - 1704420 Ontario Inc 07/25/2011 21:51:37.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.278 [GMT -4:00]
Running from: c:\documents and settings\1704420 Ontario Inc\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-26 to 2011-07-26 )))))))))))))))))))))))))))))))
.
.
2011-07-25 15:01 . 2011-07-25 15:01 -------- d-----w- c:\program files\HD Tune
2011-07-25 04:06 . 2011-07-25 04:06 -------- d-----w- c:\documents and settings\1704420 Ontario Inc\Application Data\ElevatedDiagnostics
2011-07-18 17:44 . 2011-07-18 17:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-18 17:44 . 2011-07-18 17:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 21:56 . 2011-07-05 21:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-07-05 20:41 . 2011-07-05 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-01 04:56 . 2011-06-29 13:25 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42 . 2011-06-30 19:42 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27 . 2011-06-29 13:25 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 18:24 . 2011-06-20 01:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42 . 2007-04-22 21:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26 . 2009-11-10 14:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02 . 2007-04-22 19:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2007-04-22 20:15 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-22 19:43 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-04-22 19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 02:47 . 2009-03-04 03:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
1998-04-28 00:15 . 2007-12-03 02:49 570128 ------w- c:\program files\Common Files\dao350.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.58.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-26 01:23 . 2011-07-26 01:23 16384 c:\windows\Temp\Perflib_Perfdata_3d0.dat
+ 2011-07-26 01:23 . 2011-07-26 01:23 16384 c:\windows\Temp\Perflib_Perfdata_370.dat
+ 2011-07-26 01:23 . 2011-07-26 01:23 16384 c:\windows\Temp\Perflib_Perfdata_35c.dat
+ 2011-07-26 01:23 . 2011-07-26 01:23 16384 c:\windows\Temp\Perflib_Perfdata_254.dat
- 2007-04-22 20:19 . 2011-07-19 21:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-04-22 20:19 . 2011-07-26 01:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-07-16 12:29 . 2011-07-19 21:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-20 01:20 . 2011-07-26 01:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-05 19:39 . 2011-07-26 01:27 235335 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"CognexOpc"="c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe" [2006-07-18 90112]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 434176]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2010-04-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
c:\documents and settings\1704420 Ontario Inc\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-1 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\Miniweb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/1/2011 12:56 AM 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/10/2009 10:12 AM 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/30/2007 2:38 PM 5888]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [3/29/2010 9:13 AM 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [6/25/2007 4:46 PM 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 4:47 PM 28363]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/6/2009 10:26 AM 10384]
R2 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/9/2006 8:31 AM 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/9/2006 8:32 AM 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 9:35 PM 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 8:21 PM 491520]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 8:02 PM 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [3/2/2010 8:37 AM 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [3/2/2010 8:47 AM 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [3/2/2010 8:38 AM 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [3/1/2010 4:51 PM 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [3/2/2010 8:40 AM 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2/24/2009 5:39 PM 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [3/2/2010 8:47 AM 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/29/2011 9:27 AM 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [7/17/2007 11:36 AM 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/30/2007 2:38 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/5/2007 12:31 PM 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/14/2009 10:54 AM 26137]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/17/2007 11:36 PM 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [4/8/2010 11:15 AM 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 12:57 AM 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 12:57 AM 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/30/2007 2:41 PM 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 2151640]
S2 RedundancyControl;RedundancyControl;c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe --> c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [4/5/2000 2:22 PM 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [5/5/2010 4:42 PM 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\Cognex\In-Sight\In-Sight Explorer 3.3.0\Utilities\cogissvc.exe [7/18/2006 8:20 AM 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSightService.exe [7/18/2006 8:46 AM 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [7/4/2005 4:04 PM 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Textron VPN Client\Extranet_serv.exe [5/14/2009 10:54 AM 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/17/2007 11:29 PM 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/17/2007 11:29 PM 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/14/2009 10:54 AM 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/17/2007 11:32 PM 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 2:27 PM 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [12/5/2007 11:25 AM 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [12/5/2007 11:25 AM 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [3/2/2010 8:39 AM 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [11/26/2008 9:34 AM 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [4/28/2008 11:24 PM 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [4/14/2006 10:06 AM 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/22/2007 3:44 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Lavasoft Kernexplorer
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\1704420 Ontario Inc\Application Data\Mozilla\Firefox\Profiles\[email protected]\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-07-25 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3879435519-312499763-1611728940-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1808)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2011-07-25 22:21:22
ComboFix-quarantined-files.txt 2011-07-26 02:21
ComboFix2.txt 2011-07-16 12:22
.
Pre-Run: 23,694,782,464 bytes free
Post-Run: 23,731,146,752 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - B682915A070EC9E0C20C7ADFB478CA40

Hi psc23351,

Much better log now after TDSSKiller.

Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
C:\Windows\System32\nwwksp.dll

Post new DDS logs, too.

Hi CeciliaB

I uploaded the file but do not see where to get the scan results to post the link.
Do I need to download and install the Virus Loader Upload Utility to get the scan results in my browser?
Can you point me in the right direction to find the scan results link to post?

Thanks
psc23351

Hi psc23351,

You don't need the upload utility.
When you have clicked on the send button, wait until the file has been analysed by all antivirus programs; when it is finished, copy the address in the address field of the browser and paste it in your answer here.
If you get a message that the file has been analysed before, click the 'analyse again' button.

Was this easier to understand?

Hi CeciliaB

Struggling with this VirusTotal analysis.
After selecting send file, a popup screen appears telling you not to navigate away until the analysis is completed.
But this screen pops up and disappears so fast I had to redo this 6 times to be able to read it.
The screen returns immediately to the send file page and remains there doing nothing; I waited for over 30 min each time I tried.

Just out of curiosity I tried to analyze another Windows\System32 file and it returned "file already analyzed", a comment page
and a link to the report.

Found a file that would be proprietary to my machine and sent it; the screen went to an analyzer screen, analyzed the file and gave me a URL for the report as you said it should.

What do you think?
Am I still doing something wrong, or is this file crashing their analyzer?

Hi psc23351,

It must be the infection stopping you from analysing the file.

Is it possible to make a copy of the file and analyse the copy?

Run an online scan with Eset [url="http://www.eset.com/onlinescan/"]http://www.eset.com/onlinescan/[/url]
To shorten the scanning time, disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan completes, the log file C:\Program\Eset\Eset Online Scanner\log.txt is created. Open it in Notepad and paste its content in your answer.

Hi CeciliaB

Could not copy the file; it says access is denied.
Running the ESET online scan currently but it will take a while; I have 500,000 files and it is only at 75,000 after one hour.
Will post results when done.

Thanks
psc23351

Hi psc23351,

Please, run GMER as well.

Download GMER from the following location and save it to your desktop:
[url="http://www2.gmer.net/download.php"]http://www2.gmer.net/download.php[/url]
It will be randomly named, so write down the name so you remember what it is.

Disconnect from the Internet.
Turn off all programs, including antivirus and similar programs.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Start Gmer.
It will perform a quick scan.
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.

Configuration of Gmer:
In the right panel, uncheck the following:

* IAT/EAT
* Files
* Drives/Partitions other than C:\
* Show All (don't miss this one)

Click the Scan button & wait for it to finish.

When finished click on the Save button.
Select your desktop as destination folder and in the File name field enter "Gmer.log".
Restart computer and make sure your antivirus program is running again.
Paste the content of Gmer.log in your post.

Hi CeciliaB

Here is the Eset log.
The scanner said there were no viruses.

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=aeca907ec66a8440a31eb59338a8809c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-27 06:18:12
# local_time=2011-07-27 02:18:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 75183832 75183832 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=453948
# found=0
# cleaned=0
# scan_time=14378

DDS.log
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by 1704420 Ontario Inc at 8:42:01 on 2011-07-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.303 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe
C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
C:\PROGRA~1\ROCKWE~2\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
svchost.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\WINDOWS\system320THotkey.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Siemens\S7ubtoox\S7ubtoox.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Siemens\Sqlany\dbsrv9.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [CognexOpc] c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSight.exe -I
mRun: [TOSDCR] TOSDCR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [S7UB Start] "c:\program files\common files\siemens\s7ubtoox\s7ubtstx.exe" -StartDB
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [UsbCipHelper] c:\program files\rockwell automation\rockwell automation usb cip driver package\usbciphelper\UsbCipHelper.exe
mRun: [00THotkey] c:\windows\system320THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TFNF5] TFNF5.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [WinCC flexible Smart Start] "c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\HmiSmartStart.exe" /startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\170442~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: DisablePersonalDirChange = 1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8E112997-EA3C-4EE4-8704-6BFE07518B62} : DhcpNameServer = 192.168.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\1704420 ontario inc\application data\mozilla\firefox\profiles\[email protected]\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-22 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-1 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-11-10 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-30 5888]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2010-3-29 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [2007-6-25 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [2007-6-25 28363]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-6 10384]
R2 LogReceiver;LogReceiver;c:\program files\rockwell software\rslinx enterprise\LogReceiver.exe [2007-7-9 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2006-5-9 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-5-9 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlservr.exe [2005-5-4 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\rockwell software\rsview enterprise\RsAlarmLogServ.exe [2007-9-18 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\rockwell software\rsview enterprise\ServerFramework.exe [2007-9-18 491520]
R2 s7asysvx;S7 Global Services;c:\program files\siemens\step7\s7bin\s7asysvx.exe [2008-7-14 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [2010-3-2 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2010-3-2 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [2010-3-2 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [2010-3-1 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [2010-3-2 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2009-2-24 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2010-3-2 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-6-29 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\common files\siemens\simaticsecuritycontrol\ssc_service_x.exe [2007-7-17 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-30 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [2007-11-5 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-5-14 26137]
R3 EventServer;Rockwell Event Server;c:\program files\common files\rockwell\EventServer.exe [2007-9-17 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [2010-4-8 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-22 35968]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-24 15232]
R3 NmspHost;Rockwell Namespace Services;c:\program files\common files\rockwell\NmspHost.exe [2007-9-18 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\common files\rockwell\RdcyHost.exe [2007-9-18 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-30 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [2001-10-29 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\common files\siemens\ace\bin\ccagent.exe --> c:\program files\common files\siemens\ace\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\common files\siemens\ace\bin\cceclient.exe --> c:\program files\common files\siemens\ace\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\common files\siemens\ace\bin\cceserver.exe --> c:\program files\common files\siemens\ace\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 2151640]
S2 RedundancyControl;RedundancyControl;c:\program files\common files\siemens\ace\bin\redundancycontrol.exe --> c:\program files\common files\siemens\ace\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\common files\siemens\ace\bin\redundancystate.exe --> c:\program files\common files\siemens\ace\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\common files\siemens\ace\bin\scsmx.exe --> c:\program files\common files\siemens\ace\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2000-5-31 71448]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [2000-4-5 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [2010-5-5 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\cognex\in-sight\in-sight explorer 3.3.0\utilities\cogissvc.exe [2006-7-18 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSightService.exe [2006-7-18 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [2005-7-4 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\textron vpn client\Extranet_serv.exe [2009-5-14 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\common files\rockwell\FTAEArchiver.exe [2007-9-17 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\common files\rockwell\FTAE_HistServ.exe [2007-9-17 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-5-14 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\drivers\pcidnt.sys --> c:\windows\system32\drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\common files\rockwell\RnaAeServer.exe [2007-9-17 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\common files\rockwell\RnaAlarmMux.exe [2007-9-21 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1999-11-10 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [2002-11-13 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2006-1-18 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [2002-4-23 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [1999-5-11 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [2007-12-5 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [2007-12-5 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [2002-10-18 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [2010-3-2 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [2008-11-26 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [2008-4-28 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2006-4-14 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlagent.EXE [2005-5-3 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-4-22 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-07-27 02:04:30 -------- d-----w- c:\program files\ESET
2011-07-25 15:01:01 -------- d-----w- c:\program files\HD Tune
2011-07-25 04:06:36 -------- d-----w- c:\documents and settings\1704420 ontario inc\application data\ElevatedDiagnostics
2011-07-20 00:03:24 -------- d-sha-r- C:\cmdcons
2011-07-18 17:44:52 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-07-18 17:44:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-15 23:07:52 208896 ----a-w- c:\windows\MBR.exe
2011-07-15 23:07:50 256000 ----a-w- c:\windows\PEV.exe
2011-07-05 21:56:11 -------- d-----w- c:\program files\common files\Merge Modules
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-01 04:56:06 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42:34 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27:21 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
.
==================== Find3M ====================
.
2011-07-18 18:24:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-07 18:33:44 10532 --sh--r- C:\EVRSI.SYS
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 02:47:42 16432 ----a-w- c:\windows\system32\lsdelete.exe
1998-04-28 00:15:06 570128 ------w- c:\program files\common files\dao350.dll
.
============= FINISH: 8:49:06.62 ===============
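As an added example (not code from this thread, from DDS or from the helper), the following Python parses the SERVICES / DRIVERS section in the format DDS prints in the log above and lists the entries a helper reads first: registrations whose file DDS could not find (the "--> path [?]" form, i.e. stale or orphaned services) and boot/system-start drivers. The five sample lines are copied from the log above; the meaning of the R/S prefix, the start-type digit and the "[?]" marker is assumed from the DDS output format.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: these five lines are copied from the DDS log posted above.
SAMPLE_DDS_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-1 21592]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
"""

# Assumed DDS format: R = running, S = stopped; the digit is the Windows
# start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled); the bracket
# holds "date size" of the file on disk, or "?" when DDS could not find it.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*) \[(?P<info>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    state: str                    # 'R' running or 'S' stopped
    start_type: int
    name: str
    display: str
    image_path: str               # as registered (may carry \??\ or arguments)
    resolved_path: Optional[str]  # path DDS looked for on disk, if printed
    file_missing: bool            # DDS printed "[?]" instead of date and size
    date: Optional[str]
    size: Optional[int]


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for lines in another format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    resolved = None
    if " --> " in path:
        # DDS prints "registered --> resolved" when it normalised the path.
        path, resolved = path.split(" --> ", 1)
    info = m.group("info")
    missing = info == "?"
    date = size = None
    if not missing:
        date, size_str = info.split()
        size = int(size_str)
    return ServiceEntry(
        state=m.group("state"),
        start_type=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        image_path=path,
        resolved_path=resolved,
        file_missing=missing,
        date=date,
        size=size,
    )


def parse_section(text: str) -> List[ServiceEntry]:
    """Parse every DDS service line in a block of text, skipping the rest."""
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[ServiceEntry]) -> List[str]:
    """Return one finding per entry that deserves a second look."""
    findings = []
    for e in entries:
        if e.file_missing:
            # The binary is gone: either a leftover from an uninstall or an
            # orphaned registration of a removed malware component. Both are
            # safe to delete once identified, and both add noise to later logs.
            findings.append(f"MISSING {e.name}: {e.resolved_path or e.image_path}")
        elif e.start_type <= 1 and e.image_path.lower().endswith(".sys"):
            # Boot/system-start drivers load before most security software,
            # so compare date and size against the vendor's shipped driver.
            findings.append(
                f"EARLY-START {e.name}: {e.image_path} ({e.date}, {e.size} bytes)"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_section(SAMPLE_DDS_SERVICES)):
        print(finding)
```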

Hi CeciliaB

Here is the Gmer.log

GMER 1.0.15.15641 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-07-27 09:58:29
Windows 5.1.2600 Service Pack 3
Running: 111htut7.exe; Driver: C:\DOCUME~1\170442~1\LOCALS~1\Temp\uwlorpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0x9BA994D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0x9BA99520]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 9B51C16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 9B51BFC2

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x9AD57400, 0x87EE2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9ADFB620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9ADFB620]
.protectÿÿÿÿhardlockunknown last code section [0x9ADFB400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x9ADFB400, 0x5126, 0xE0000020]
? C:\DOCUME~1\170442~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2116] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4552] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 fwkbdrtm.SYS (WinCC flexible RT Module: FwKbdRTm/Siemens AG)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 fwkbdrtm.SYS (WinCC flexible RT Module: FwKbdRTm/Siemens AG)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] \systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet001\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjlkrxkni.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtrpbpbes.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnshfntmx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACehtkorwq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACodpqqsik.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmchmtbue.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbxpayvwu.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfxurrwqs.log
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjlkrxkni.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtrpbpbes.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnshfntmx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACehtkorwq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACodpqqsik.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmchmtbue.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbxpayvwu.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfxurrwqs.log
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjlkrxkni.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtrpbpbes.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnshfntmx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACehtkorwq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACodpqqsik.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmchmtbue.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbxpayvwu.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfxurrwqs.log
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] \systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACjlkrxkni.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACtrpbpbes.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnshfntmx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACehtkorwq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACodpqqsik.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmchmtbue.log
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACbxpayvwu.log
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACfxurrwqs.log

---- EOF - GMER 1.0.15 ----

1.
Is the process iexplore.exe visible in Task manager, Process tab, even when you have closed Internet Explorer?

2.
Please save SystemLook on the desktop from one of these links:
[url="http://jpshortstuff.247fixes.com/SystemLook.exe"]http://jpshortstuff.247fixes.com/SystemLook.exe[/url]
[url="http://images.malwareremoval.com/jpshortstuff/SystemLook.exe"]http://images.malwareremoval.com/jpshortstuff/SystemLook.exe[/url]

Double-click on SystemLook file to run it.

Copy all lines in the box:
[code]:filefind
UACrqpxdoet.sys
UACjlkrxkni.dll
:file
C:\Windows\System32\nwwksp.dll[/code]
and paste them into the big text field in SystemLook.
Click on the Look button to start the search.
When finished, Notepad will pop up with the log. Copy the log and paste it into your answer. If Notepad doesn't pop up, you can find the log as SystemLook.txt on the Desktop.

3.
Run TDSSKiller again and post its log, please.

Hi CeciliaB


No, there is no iexplore.exe in the Task Manager when Internet Explorer is not running.


Here is the log from the SystemLook.

SystemLook 04.09.10 by jpshortstuff
Log created at 14:26 on 27/07/2011 by 1704420 Ontario Inc
Administrator - Elevation successful

========== filefind ==========

Searching for "UACrqpxdoet.sys"
No files found.

Searching for "UACjlkrxkni.dll"
No files found.

========== file ==========

C:\Windows\System32\nwwksp.dll - Unable to find/read file.

-= EOF =-



Here is the new TDSSKiller.log:


2011/07/27 14:47:07.0625 2724 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/27 14:47:09.0625 2724 ================================================================================
2011/07/27 14:47:09.0625 2724 SystemInfo:
2011/07/27 14:47:09.0625 2724
2011/07/27 14:47:09.0625 2724 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/27 14:47:09.0625 2724 Product type: Workstation
2011/07/27 14:47:09.0625 2724 ComputerName: 1704420_1
2011/07/27 14:47:09.0625 2724 UserName: 1704420 Ontario Inc
2011/07/27 14:47:09.0625 2724 Windows directory: C:\WINDOWS
2011/07/27 14:47:09.0625 2724 System windows directory: C:\WINDOWS
2011/07/27 14:47:09.0625 2724 Processor architecture: Intel x86
2011/07/27 14:47:09.0625 2724 Number of processors: 2
2011/07/27 14:47:09.0625 2724 Page size: 0x1000
2011/07/27 14:47:09.0625 2724 Boot type: Normal boot
2011/07/27 14:47:09.0625 2724 ================================================================================
2011/07/27 14:47:10.0265 2724 Initialize success
2011/07/27 14:47:17.0015 4396 ================================================================================
2011/07/27 14:47:17.0015 4396 Scan started
2011/07/27 14:47:17.0015 4396 Mode: Manual;
2011/07/27 14:47:17.0015 4396 ================================================================================
2011/07/27 14:47:20.0015 4396 ABKTCX (f25a62362ae736a5ac670f17ba28642c) C:\WINDOWS\System32\Drivers\ABKTCX.sys
2011/07/27 14:47:20.0078 4396 abpicw2k (654ae24d0719f922754ccbf4481b7661) C:\WINDOWS\system32\DRIVERS\abpicw2k.sys
2011/07/27 14:47:20.0140 4396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/27 14:47:20.0281 4396 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/27 14:47:20.0406 4396 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/27 14:47:20.0484 4396 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/27 14:47:20.0531 4396 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/27 14:47:20.0687 4396 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/07/27 14:47:20.0937 4396 akshasp (3f9f42085ab5b6a55498a539c54575ab) C:\WINDOWS\system32\DRIVERS\akshasp.sys
2011/07/27 14:47:21.0078 4396 aksusb (d2b95315cc47f9230006fdbcba394d8d) C:\WINDOWS\system32\DRIVERS\aksusb.sys
2011/07/27 14:47:21.0187 4396 ApfiltrService (3ed81e8b4709d13e5a38db2d8e792b28) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/07/27 14:47:21.0218 4396 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/27 14:47:21.0328 4396 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/27 14:47:21.0375 4396 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/27 14:47:21.0531 4396 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/27 14:47:21.0578 4396 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/27 14:47:21.0593 4396 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/27 14:47:21.0640 4396 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/07/27 14:47:21.0640 4396 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/07/27 14:47:21.0703 4396 c5511w2k (544b08b12cb67a7be43d231200cf3e62) C:\WINDOWS\system32\DRIVERS\c5511w2k.sys
2011/07/27 14:47:21.0953 4396 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/27 14:47:22.0015 4396 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/27 14:47:22.0078 4396 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/27 14:47:22.0109 4396 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/27 14:47:22.0187 4396 cgnxcdc (ef2c28136fa438fffa4eae7c5cbf1557) C:\WINDOWS\system32\DRIVERS\cgnxcdc.sys
2011/07/27 14:47:22.0390 4396 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/27 14:47:22.0437 4396 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/27 14:47:22.0531 4396 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/27 14:47:22.0609 4396 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/27 14:47:22.0796 4396 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/27 14:47:22.0828 4396 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/27 14:47:22.0875 4396 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/27 14:47:22.0937 4396 dpmconv (abb186a0b070fa91b379f9fc3a198b8b) C:\WINDOWS\System32\Drivers\dpmconv.sys
2011/07/27 14:47:23.0109 4396 dpmcslv (0bd72e62c3974c4f5e4372dba971901b) C:\WINDOWS\system32\drivers\dpmcslv.sys
2011/07/27 14:47:23.0156 4396 Dpmtrcdd (cddebaba436c8564ab4224ccea58a620) C:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys
2011/07/27 14:47:23.0234 4396 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/27 14:47:23.0296 4396 e1express (8942419786970adb32b05bb7950aee72) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/07/27 14:47:23.0453 4396 Eacfilt (3271c60b98bff0a9d4bf9bf66f90d2eb) C:\WINDOWS\system32\DRIVERS\eacfilt.sys
2011/07/27 14:47:23.0515 4396 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/27 14:47:23.0546 4396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/27 14:47:23.0609 4396 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/27 14:47:23.0625 4396 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/27 14:47:23.0781 4396 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/27 14:47:23.0843 4396 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/27 14:47:23.0906 4396 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys
2011/07/27 14:47:23.0937 4396 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/27 14:47:23.0968 4396 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys
2011/07/27 14:47:24.0031 4396 fwkbdrtm (7e4d38e22513b0af200fa6f94c77a2a6) C:\WINDOWS\system32\drivers\fwkbdrtm.sys
2011/07/27 14:47:24.0187 4396 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/27 14:47:24.0265 4396 Hardlock (d95554949082fd29a04d351b58396718) C:\WINDOWS\system32\drivers\hardlock.sys
2011/07/27 14:47:24.0468 4396 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys
2011/07/27 14:47:24.0515 4396 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/27 14:47:24.0578 4396 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/27 14:47:24.0640 4396 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/27 14:47:24.0828 4396 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/27 14:47:25.0218 4396 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/07/27 14:47:25.0765 4396 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2011/07/27 14:47:25.0796 4396 IFXTPM (0b556e950404d90d097c687e65238730) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/07/27 14:47:25.0859 4396 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/27 14:47:26.0281 4396 IntcAzAudAddService (474d59c18652c8ef0151a9efae9ee619) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/27 14:47:27.0015 4396 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/27 14:47:27.0093 4396 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/27 14:47:27.0187 4396 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/27 14:47:27.0281 4396 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/27 14:47:27.0328 4396 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/27 14:47:27.0375 4396 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/27 14:47:27.0437 4396 IPSECEXT (a45ed7b412ff678c61f83a6723bcec17) C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
2011/07/27 14:47:27.0453 4396 IPSECSHM (a45ed7b412ff678c61f83a6723bcec17) C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
2011/07/27 14:47:27.0531 4396 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/27 14:47:27.0656 4396 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/27 14:47:27.0687 4396 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/27 14:47:27.0734 4396 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/27 14:47:27.0781 4396 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/27 14:47:27.0906 4396 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/07/27 14:47:28.0343 4396 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/07/27 14:47:28.0406 4396 LBeepKE (8f4d784b3f22f468eea99da02b0e39e5) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/07/27 14:47:28.0562 4396 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/07/27 14:47:28.0656 4396 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/07/27 14:47:28.0937 4396 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/27 14:47:29.0062 4396 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/27 14:47:29.0171 4396 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/27 14:47:29.0250 4396 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/27 14:47:29.0562 4396 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/27 14:47:29.0687 4396 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
2011/07/27 14:47:29.0968 4396 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/27 14:47:30.0031 4396 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/27 14:47:30.0093 4396 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/27 14:47:30.0171 4396 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/27 14:47:30.0296 4396 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/27 14:47:30.0343 4396 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/27 14:47:30.0390 4396 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/27 14:47:30.0453 4396 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/27 14:47:30.0515 4396 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/27 14:47:30.0640 4396 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/27 14:47:30.0687 4396 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/27 14:47:30.0718 4396 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/27 14:47:30.0765 4396 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/27 14:47:30.0828 4396 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/27 14:47:30.0953 4396 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/27 14:47:31.0046 4396 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/07/27 14:47:31.0265 4396 NETw4x32 (12b0d99865434387f784268b70e23360) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2011/07/27 14:47:31.0515 4396 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/27 14:47:31.0562 4396 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/27 14:47:31.0609 4396 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/27 14:47:31.0796 4396 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/27 14:47:31.0828 4396 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/27 14:47:31.0843 4396 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/27 14:47:31.0890 4396 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/27 14:47:31.0984 4396 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/27 14:47:32.0031 4396 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/27 14:47:32.0218 4396 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/27 14:47:32.0265 4396 PCI (9c8f3cc31f7e2a3373af70d0da6cb58a) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/27 14:47:32.0328 4396 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/27 14:47:32.0359 4396 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/07/27 14:47:32.0531 4396 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/27 14:47:32.0546 4396 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/27 14:47:32.0578 4396 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/27 14:47:32.0734 4396 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/27 14:47:32.0875 4396 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/27 14:47:32.0906 4396 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/27 14:47:32.0984 4396 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/27 14:47:33.0000 4396 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/27 14:47:33.0046 4396 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/27 14:47:33.0078 4396 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/27 14:47:33.0234 4396 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/27 14:47:33.0281 4396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/27 14:47:33.0296 4396 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/27 14:47:33.0375 4396 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
2011/07/27 14:47:33.0453 4396 RSI-PKTX-A (9d1aff516d727612363c03abdc203380) C:\WINDOWS\System32\drivers\RSI-PKTX-A.SYS
2011/07/27 14:47:33.0500 4396 RsiKtControl (2af65117091a47732f0997330e3daae6) C:\WINDOWS\system32\RSIKT.SYS
2011/07/27 14:47:33.0656 4396 RSLINXNGKtControl (9e866a7c540c6a4b21bd5255a2a2bd0d) C:\WINDOWS\System32\drivers\RSIKTNG.SYS
2011/07/27 14:47:33.0687 4396 RSSERIAL (b089419975668e2a701178032d652a24) C:\WINDOWS\SYSTEM32\RSSERIAL.SYS
2011/07/27 14:47:33.0734 4396 RS_SS_NT (e4fab1cdfaed6ef7542606aa055b104a) C:\WINDOWS\SYSTEM32\RS_SS_NT.SYS
2011/07/27 14:47:33.0781 4396 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/07/27 14:47:33.0828 4396 s24trans (e2c6abcbefb1d44f6aaeb1cd5d6062d4) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/07/27 14:47:33.0984 4396 S5AS511 (0dc8be05f9d9b0bf6e5a0c40bfdcd38f) C:\WINDOWS\system32\drivers\S5AS511.sys
2011/07/27 14:47:34.0093 4396 S5MCD (4044af405d5de24321b58d7f6af408a0) C:\WINDOWS\system32\drivers\S5MCD.sys
2011/07/27 14:47:34.0171 4396 s7odpx2x (fea94d6320c1c813ab79b74db83f468f) C:\WINDOWS\System32\Drivers\S7odpx2x.sys
2011/07/27 14:47:34.0234 4396 s7oefs_x (f4e4348f0ecc78a61a190e447eb2467d) C:\WINDOWS\System32\drivers\s7oefs_x.sys
2011/07/27 14:47:34.0265 4396 s7opcmcx (3e89156b70c39a8fe0b1962440f83c15) C:\WINDOWS\System32\Drivers\s7opcmcx.sys
2011/07/27 14:47:34.0437 4396 S7opcsrtx (a8114fc3bb7de5feeae32e854574ef57) C:\WINDOWS\system32\DRIVERS\s7opcsrtx.sys
2011/07/27 14:47:34.0484 4396 S7oppilx (dc00bcd3176780b488cd74a17af0eae9) C:\WINDOWS\system32\Drivers\S7oppilx.sys
2011/07/27 14:47:34.0593 4396 s7oppinx (95aebab91051fb2d071375700571f339) C:\WINDOWS\System32\Drivers\s7oppinx.sys
2011/07/27 14:47:34.0625 4396 s7osmcax (588feeaafbda18c00a8f697f19c2bde7) C:\WINDOWS\System32\Drivers\s7osmcax.sys
2011/07/27 14:47:34.0671 4396 s7otranx (d60b08e3251cd16c60dc03e36764a081) C:\WINDOWS\System32\Drivers\s7otranx.sys
2011/07/27 14:47:34.0828 4396 S7OUSBPX (3c0b3f2ee858520ebb1627a4cfc6765f) C:\WINDOWS\system32\drivers\S7OUSBPX.sys
2011/07/27 14:47:34.0890 4396 s7snsrtx (1b2666464be6719e1122c53eba487dd6) C:\WINDOWS\system32\DRIVERS\s7snsrtx.sys
2011/07/27 14:47:35.0000 4396 sbaphd (65a36563c0207824c8240662043c5304) C:\WINDOWS\system32\drivers\sbaphd.sys
2011/07/27 14:47:35.0031 4396 sbapifs (3d6ba67c758735918e323d4d6f64449a) C:\WINDOWS\system32\drivers\sbapifs.sys
2011/07/27 14:47:35.0078 4396 SBRE (0505da5d357f18a5d42fc5dede6bc9a0) C:\WINDOWS\system32\drivers\SBREdrv.sys
2011/07/27 14:47:35.0125 4396 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/07/27 14:47:35.0281 4396 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/27 14:47:35.0343 4396 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2011/07/27 14:47:35.0390 4396 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/27 14:47:35.0406 4396 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/27 14:47:35.0453 4396 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/07/27 14:47:35.0671 4396 SNTIE (d953a20a0ad1052e44e5dfce6d352bba) C:\WINDOWS\system32\DRIVERS\sntie.sys
2011/07/27 14:47:35.0859 4396 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/27 14:47:35.0906 4396 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/27 14:47:36.0015 4396 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/27 14:47:36.0187 4396 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/07/27 14:47:36.0250 4396 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/27 14:47:36.0296 4396 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/27 14:47:36.0406 4396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/27 14:47:36.0468 4396 TBiosDrv (1f26d86828039c0b594399f7f2ffef09) C:\WINDOWS\system32\Drivers\Tbiosdrv.sys
2011/07/27 14:47:36.0625 4396 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/27 14:47:36.0671 4396 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/07/27 14:47:36.0718 4396 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
2011/07/27 14:47:36.0750 4396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/27 14:47:36.0906 4396 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/27 14:47:36.0937 4396 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys
2011/07/27 14:47:37.0062 4396 TEchoCan (65855534483d0c1330703100b31cac00) C:\WINDOWS\system32\DRIVERS\TEchoCan.sys
2011/07/27 14:47:37.0250 4396 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/27 14:47:37.0312 4396 Thpdrv (557cfdb7869499d357da1877ed93043f) C:\WINDOWS\system32\DRIVERS\thpdrv.sys
2011/07/27 14:47:37.0375 4396 Thpevm (beeca51c9ef368a1038e455278e4715e) C:\WINDOWS\system32\DRIVERS\Thpevm.SYS
2011/07/27 14:47:37.0406 4396 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys
2011/07/27 14:47:37.0578 4396 TMEI3E (684bfb1e9abb05d3f48c53f3cd16a3e6) C:\WINDOWS\system32\Drivers\TMEI3E.SYS
2011/07/27 14:47:37.0671 4396 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/07/27 14:47:37.0703 4396 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys
2011/07/27 14:47:37.0734 4396 TVALZ (73d3312955f805054e32fabdca5230b1) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS
2011/07/27 14:47:37.0781 4396 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/27 14:47:37.0843 4396 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/27 14:47:38.0015 4396 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/27 14:47:38.0093 4396 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/27 14:47:38.0156 4396 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/27 14:47:38.0203 4396 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/27 14:47:38.0250 4396 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/27 14:47:38.0281 4396 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/27 14:47:38.0437 4396 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/27 14:47:38.0484 4396 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/07/27 14:47:38.0531 4396 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/27 14:47:38.0593 4396 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/27 14:47:38.0640 4396 vsnl2ada (7ed275a019948cf77b91313addd1f459) C:\WINDOWS\System32\Drivers\vsnl2ada.sys
2011/07/27 14:47:38.0796 4396 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/27 14:47:38.0859 4396 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/27 14:47:39.0031 4396 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/27 14:47:39.0156 4396 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/07/27 14:47:39.0234 4396 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/27 14:47:39.0265 4396 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/27 14:47:39.0312 4396 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
2011/07/27 14:47:39.0484 4396 Boot (0x1200) (e4764e29a897927d88e63851e22d3f41) \Device\Harddisk0\DR0\Partition0
2011/07/27 14:47:39.0484 4396 ================================================================================
2011/07/27 14:47:39.0484 4396 Scan finished
2011/07/27 14:47:39.0484 4396 ================================================================================
2011/07/27 14:47:39.0500 4364 Detected object count: 0
2011/07/27 14:47:39.0500 4364 Actual detected object count: 0

psc23351

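The GMER registry section earlier in the thread points the UACd.sys service at files that SystemLook then could not find and that TDSSKiller did not enumerate. The script below is an added example for this thread, not code from GMER, SystemLook, TDSSKiller or any poster: it extracts every file a service key references, checks each one against SystemLook's hits and misses and TDSSKiller's driver list, and lists the names that still have to be looked up. The three sample inputs are constructed from the posted logs; the registry value names after `@` were lost in the posted log, so the placeholder `value` stands in for them.

```python
# Added example: cross-check the files a suspicious service key references
# (GMER "Registry" section) against SystemLook and TDSSKiller output.
# Sample inputs are constructed from the posted logs.
import re

# GMER lines modelled on the posted log.  The value names after '@' were lost
# in the posted log, so the placeholder 'value' stands in for them.
GMER_REGISTRY = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@value \systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@value \\?\globalroot\systemroot\system32\drivers\UACrqpxdoet.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@value \\?\globalroot\systemroot\system32\UACjlkrxkni.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@value \\?\globalroot\systemroot\system32\UACtrpbpbes.dat
"""
# SystemLook output as posted (blank lines dropped).
SYSTEMLOOK = r"""
========== filefind ==========
Searching for "UACrqpxdoet.sys"
No files found.
Searching for "UACjlkrxkni.dll"
No files found.
========== file ==========
C:\Windows\System32\nwwksp.dll - Unable to find/read file.
"""
# One driver line and the summary line from the posted TDSSKiller log.
TDSSKILLER = r"""
2011/07/27 14:47:20.0140 4396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/27 14:47:39.0500 4364 Detected object count: 0
"""

FILE_RE = re.compile(r'([^\\/\s]+\.(?:sys|dll|dat|log))\s*$', re.IGNORECASE)
SERVICE_RE = re.compile(r'\\Services\\([^\\@]+)')
TDSS_RE = re.compile(r'^\S+ \S+ \d+ (.+?) \(([0-9a-fA-F]{32})\) (.+)$')

def registry_file_refs(gmer_text):
    """Map each service key name to the file basenames its values point at."""
    refs = {}
    for line in gmer_text.splitlines():
        parts = line.split(maxsplit=2)          # 'Reg', key[@value], data
        if len(parts) < 3 or parts[0] != 'Reg':
            continue
        service, found = SERVICE_RE.search(parts[1]), FILE_RE.search(parts[2])
        if service and found:
            files = refs.setdefault(service.group(1), [])
            if found.group(1) not in files:     # ImagePath and modules repeat names
                files.append(found.group(1))
    return refs

def systemlook_results(text):
    """Map basename -> True (found) / False (explicitly not found)."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        hit = re.match(r'Searching for "([^"]+)"', line)
        miss = re.match(r'(\S+) - Unable to find/read file\.', line)
        if hit:
            current = hit.group(1).lower()
        elif miss:                               # ':file' section, explicit miss
            results[miss.group(1).rsplit('\\', 1)[-1].lower()] = False
        elif current and line == 'No files found.':
            results[current], current = False, None
        elif current and re.match(r'[A-Za-z]:\\', line):
            results[current] = True              # a path listed under the search
    return results

def tdsskiller_drivers(text):
    """Map basename -> (service name, MD5) for every driver TDSSKiller listed."""
    drivers = {}
    for m in filter(None, map(TDSS_RE.match, map(str.strip, text.splitlines()))):
        name, md5, path = m.groups()
        drivers[path.rsplit('\\', 1)[-1].lower()] = (name, md5)
    return drivers

def triage(gmer_text, systemlook_text, tdss_text):
    """Classify every file a service key references, per service."""
    looks, drivers, report = systemlook_results(systemlook_text), tdsskiller_drivers(tdss_text), {}
    for service, files in registry_file_refs(gmer_text).items():
        for f in files:
            k = f.lower()
            if k in drivers:
                status = 'loaded driver (TDSSKiller enumerated it)'
            elif looks.get(k) is False:
                status = 'not on disk (SystemLook found nothing)'
            elif looks.get(k):
                status = 'on disk'
            else:
                status = 'not checked'
            report.setdefault(service, {})[f] = status
    return report

def unchecked_files(report):
    """Files no tool has looked for yet: the next SystemLook batch."""
    return [f for files in report.values() for f, s in files.items() if s == 'not checked']

def systemlook_script(names):
    """Build the ':filefind' script SystemLook expects, one name per line."""
    return ':filefind\n' + '\n'.join(names)

if __name__ == '__main__':
    rep = triage(GMER_REGISTRY, SYSTEMLOOK, TDSSKILLER)
    print(rep)
    print(systemlook_script(unchecked_files(rep)))
```

On the constructed input the two files SystemLook searched for come back as "not on disk", nothing the key references is among the drivers TDSSKiller enumerated, and UACtrpbpbes.dat is reported as still unchecked, so the script prints the next `:filefind` batch to paste into SystemLook. In a real case the same cross-reference separates stale registry remnants (every referenced file gone, as here) from a still-active driver (a referenced file showing up in the TDSSKiller list with its MD5).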
Are you sure that Internet Explorer was closed when you ran GMER, since it shows up there?

We'll try to use ComboFix to make a copy of the malicious file.

Copy all lines in the box:
[code]Killall::
FCopy::
C:\Windows\System32\nwwksp.dll C:\nwwksp.dll.bad
Quit::[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop; the program will start in a special way.
Paste the new ComboFix log into your answer.

See if you can upload C:\nwwksp.dll.bad to the virustotal web site.

Hi CeciliaB

I thought everything, including Internet Explorer, was not running when I ran GMER; do you want me to run it again?

I ran the script you asked for with ComboFix, but the file nwwksp.dll.bad was not created in the C:\ folder.
I ran a search for it on all of the C: drive, and neither it nor the one located at C:\Windows\System32 appeared in the search.

psc23351

This topic is now closed to further replies.