psc23351

Trojan.Win32.Kryptik.iaq(V)


Did ComboFix create a log file? Check in C:\

Let Ad-Aware scan the computer.

Yes, it did, posted below.
Running Ad-Aware now.

ComboFix 11-07-28.04 - 1704420 Ontario Inc 07/28/2011 12:56:59.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.301 [GMT -4:00]
Running from: c:\documents and settings\1704420 Ontario Inc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1704420 Ontario Inc\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-27 02:04 . 2011-07-27 02:04 -------- d-----w- c:\program files\ESET
2011-07-25 15:01 . 2011-07-25 15:01 -------- d-----w- c:\program files\HD Tune
2011-07-25 04:06 . 2011-07-25 04:06 -------- d-----w- c:\documents and settings\1704420 Ontario Inc\Application Data\ElevatedDiagnostics
2011-07-18 17:44 . 2011-07-18 17:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-18 17:44 . 2011-07-18 17:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 21:56 . 2011-07-05 21:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-07-05 20:41 . 2011-07-05 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-01 04:56 . 2011-06-29 13:25 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42 . 2011-06-30 19:42 -------- d-----w- c:\program files\Atlas Copco Tools AB
2011-06-29 13:27 . 2011-06-29 13:25 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 18:24 . 2011-06-20 01:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42 . 2007-04-22 21:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26 . 2009-11-10 14:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02 . 2007-04-22 19:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2007-04-22 20:15 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-04-22 19:43 151552 ----a-w- c:\windows\system32\schannel.dll
1998-04-28 00:15 . 2007-12-03 02:49 570128 ------w- c:\program files\Common Files\dao350.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.58.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-28 17:11 . 2011-07-28 17:11 16384 c:\windows\Temp\Perflib_Perfdata_464.dat
+ 2011-07-28 17:11 . 2011-07-28 17:11 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2011-07-28 17:11 . 2011-07-28 17:11 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
+ 2011-07-28 17:11 . 2011-07-28 17:11 16384 c:\windows\Temp\Perflib_Perfdata_290.dat
- 2007-04-22 20:19 . 2011-07-19 21:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-04-22 20:19 . 2011-07-28 16:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-07-16 12:29 . 2011-07-19 21:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-28 16:11 . 2011-07-28 16:40 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-05 19:39 . 2011-07-28 17:15 235337 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"CognexOpc"="c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe" [2006-07-18 90112]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 434176]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2010-04-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
c:\documents and settings\1704420 Ontario Inc\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-1 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\Miniweb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/1/2011 12:56 AM 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/10/2009 10:12 AM 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/30/2007 2:38 PM 5888]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [3/29/2010 9:13 AM 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [6/25/2007 4:46 PM 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 4:47 PM 28363]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/6/2009 10:26 AM 10384]
R2 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/9/2006 8:31 AM 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/9/2006 8:32 AM 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 9:35 PM 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 8:21 PM 491520]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 8:02 PM 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [3/2/2010 8:37 AM 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [3/2/2010 8:47 AM 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [3/2/2010 8:38 AM 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [3/1/2010 4:51 PM 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [3/2/2010 8:40 AM 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2/24/2009 5:39 PM 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [3/2/2010 8:47 AM 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/29/2011 9:27 AM 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [7/17/2007 11:36 AM 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/30/2007 2:38 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/5/2007 12:31 PM 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/14/2009 10:54 AM 26137]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/17/2007 11:36 PM 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [4/8/2010 11:15 AM 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 12:57 AM 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 12:57 AM 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/30/2007 2:41 PM 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 RedundancyControl;RedundancyControl;c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe --> c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [4/5/2000 2:22 PM 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [5/5/2010 4:42 PM 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\Cognex\In-Sight\In-Sight Explorer 3.3.0\Utilities\cogissvc.exe [7/18/2006 8:20 AM 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSightService.exe [7/18/2006 8:46 AM 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [7/4/2005 4:04 PM 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Textron VPN Client\Extranet_serv.exe [5/14/2009 10:54 AM 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/17/2007 11:29 PM 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/17/2007 11:29 PM 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/14/2009 10:54 AM 155152]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 2151640]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/17/2007 11:32 PM 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 2:27 PM 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [12/5/2007 11:25 AM 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [12/5/2007 11:25 AM 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [3/2/2010 8:39 AM 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [11/26/2008 9:34 AM 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [4/28/2008 11:24 PM 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [4/14/2006 10:06 AM 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/22/2007 3:44 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-28 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-28 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-28 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\1704420 Ontario Inc\Application Data\Mozilla\Firefox\Profiles\[email protected]\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 13:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3879435519-312499763-1611728940-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1808)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(5736)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Rockwell Software\RSLINX\dnwhodisp.exe
c:\program files\COMMON FILES\SIEMENS\ALMPANELPLUGIN\ALMPANELPLUGIN.EXE
c:\program files\Rockwell Software\RSCommon\RSOBSERV.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
c:\program files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
c:\program files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
c:\program files\Rockwell Software\RSView Enterprise\TagSrv.exe
c:\progra~1\ROCKWE~2\RSLinx\RSLINX.EXE
c:\program files\Common Files\Rockwell\RsvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\mqsvc.exe
c:\program files\Common Files\Rockwell\EventClientMultiplexer.exe
c:\program files\Common Files\Rockwell\RNADirMultiplexor.exe
c:\program files\Common Files\Rockwell\RnaDirServer.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\TFNF5.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Siemens\Sqlany\dbsrv9.exe
c:\windows\system32\igfxext.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Microsoft Office\Office\1033\msoffice.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-07-28 13:22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-28 17:22
ComboFix2.txt 2011-07-28 13:23
ComboFix3.txt 2011-07-26 02:21
ComboFix4.txt 2011-07-16 12:22
.
Pre-Run: 23,433,617,408 bytes free
Post-Run: 23,407,386,624 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - A11001318423EB676A90D62485B0C7CE

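Two checks a responder usually does by eye over the "Reg Loading Points" and service sections of a log like the one above, written out as code. This is an added example by the editor, not part of the thread and not ComboFix's own output or tooling. The sample lines are copied verbatim from the log posted above; the two heuristics are the editor's: a Run value that names a bare file with no directory is resolved through the Windows search order (so a same-named file earlier in that order would win), and a service line of the form `<path> --> <path> [?]` is read here as ComboFix reporting no date or size for the binary, i.e. a registered service whose file it did not find on disk (a leftover, or something hidden from it). The `[BU]` flag is parsed but deliberately not interpreted.

```python
"""Triage helpers for a ComboFix log (added example, not from the thread or ComboFix)."""
import re

# Sample input copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
'''

# "Name"="image" [date size]   (the bracket may also carry a flag such as BU)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R0..R3 = running, S0..S4 = stopped;  name;display;path [date time size]
SVC_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')


def bare_filename(image: str) -> bool:
    """True when a Run value has no directory component at all."""
    return '\\' not in image and '/' not in image


def parse_run_entries(log: str) -> list:
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({'name': m['name'], 'image': m['image'],
                            'meta': m['meta'], 'bare': bare_filename(m['image'])})
    return entries


def parse_services(log: str) -> list:
    services = []
    for line in log.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        rest = m['rest'].strip()
        # Editor's reading of the log format: a trailing "[?]" means no date/size,
        # i.e. ComboFix did not find the binary the service points at.
        missing = rest.endswith('[?]')
        # After "-->" ComboFix repeats the resolved path it looked for.
        path_part = rest.split('-->', 1)[1] if '-->' in rest else rest
        path = path_part.rsplit('[', 1)[0].strip()
        services.append({'start': m['start'], 'name': m['name'],
                         'display': m['display'], 'path': path, 'missing': missing})
    return services


def findings(log: str):
    """(Run names with bare filenames, service names whose binary is absent)."""
    bare = sorted(e['name'] for e in parse_run_entries(log) if e['bare'])
    missing = sorted(s['name'] for s in parse_services(log) if s['missing'])
    return bare, missing


if __name__ == '__main__':
    bare, missing = findings(SAMPLE_LOG)
    print('Run values resolved via search path:', ', '.join(bare))
    print('Services whose binary was not found:', ', '.join(missing))
```

On the sample above this flags TPSMain, TFncKy and RTHDCPL as search-path-resolved autoruns (all Toshiba/Realtek utilities here, but each is a place where a planted same-named file would be picked up) and VirtualBackplane, CCAgent and gupdate as services whose binaries are absent.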
Sorry, I missed one character. Try with this CFScript instead:
[code]Killall::
FCopy::
C:\Windows\System32\nwwksp.dll | C:\nwwksp.dll.bad
Quit::[/code]

Hi CeciliaB

Ad-Aware finally finished; it took 9 hrs.
nwwksp.dll is still coming up and will not remove after a reboot.
Will run ComboFix with the new script.

Hi Cecilia

Ran ComboFix again with the new script.
The file did not get created in C:\ as expected.
Again I ran a Windows search and neither file shows up, even though the one in C:\Windows\System32 is still there.

Hi psc23351,

Did you get the normal ComboFix log or a short one (it should be the latter if ComboFix recognized the content of CFScript)?

Please let aswMBR scan the computer, see http://public.avast.com/~gmerek/aswMBR.htm
Follow only the first section, "How to scan", and don't try to fix anything. Post its log.

Hi CeciliaB


It looks like a normal ComboFix log, not a short one; it was 24K in size, same as all the rest.


Avast identified the malware file; here is the log.

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-29 08:23:34
-----------------------------
08:23:34.562 OS Version: Windows 5.1.2600 Service Pack 3
08:23:34.562 Number of processors: 2 586 0xF0D
08:23:34.562 ComputerName: 1704420_1 UserName:
08:23:36.187 Initialize success
08:33:55.468 AVAST engine defs: 11072900
08:34:10.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:34:10.593 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 3
08:34:10.609 Disk 0 MBR read successfully
08:34:10.609 Disk 0 MBR scan
08:34:10.640 Disk 0 Windows XP default MBR code
08:34:10.640 Disk 0 scanning sectors +234436545
08:34:10.703 Disk 0 scanning C:\WINDOWS\system32\drivers
08:34:24.171 Service scanning
08:34:26.156 Modules scanning
08:34:34.828 Disk 0 trace - called modules:
08:34:34.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll iaStor.sys
08:34:34.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87346030]
08:34:34.843 3 CLASSPNP.SYS[f75dcfd7] -> nt!IofCallDriver -> \Device\THPDRV[0x87363030]
08:34:34.843 5 thpdrv.sys[f781e7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x87385030]
08:34:35.578 AVAST engine scan C:\WINDOWS
08:35:02.703 AVAST engine scan C:\WINDOWS\system32
08:36:16.140 File: C:\WINDOWS\system32\nwwksp.dll **INFECTED** Win32:MalOb-EI [Cryp]
08:37:16.718 AVAST engine scan C:\WINDOWS\system32\drivers
08:37:33.296 AVAST engine scan C:\Documents and Settings\1704420 Ontario Inc
08:39:25.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\1704420 Ontario Inc\Desktop\MBR.dat"
08:39:25.921 The log file has been saved successfully to "C:\Documents and Settings\1704420 Ontario Inc\Desktop\aswMBR.txt"



Avast allowed me to copy the file.
I ran it on VirusTotal here is the link to the report.

http://www.virustotal.com/file-scan/report.html?id=2aeaf3f9c75c07dd78b2cb35ba2ed12cf6e3df98e5983e8333f944118618f7bf-1311943115

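A check worth doing once a scanner lets you copy the sample out, added here by the editor as an example and not part of the thread: the id in the old-style VirusTotal report URL posted above is the file's SHA-256 followed by a numeric suffix. Hashing the copied file and comparing it with that digest confirms the local copy is the file the report describes, and gives you the hash to search for elsewhere. Assumptions: the suffix is taken to be a Unix timestamp of the scan (an assumption, but it works out to 08:38 local on 2011-07-29, which agrees with the aswMBR run above); the file path is supplied on the command line, and the known test digests for the empty string and `abc` are used only to exercise the hashing.

```python
"""Match a copied sample against its VirusTotal report id (added example, not from the thread)."""
import hashlib
import re
import sys
from datetime import datetime, timezone

# URL exactly as posted in the thread: .../report.html?id=<sha256>-<suffix>
VT_URL = ('http://www.virustotal.com/file-scan/report.html?'
          'id=2aeaf3f9c75c07dd78b2cb35ba2ed12cf6e3df98e5983e8333f944118618f7bf-1311943115')

_VT_ID_RE = re.compile(r'[?&]id=(?P<sha256>[0-9a-fA-F]{64})(?:-(?P<ts>\d+))?')


def vt_sha256_from_url(url: str) -> str:
    """Return the lower-case SHA-256 carried in a report URL, or raise."""
    m = _VT_ID_RE.search(url)
    if not m:
        raise ValueError('no VirusTotal file id in URL')
    return m['sha256'].lower()


def vt_scan_time_utc(url: str):
    """Suffix interpreted as a Unix timestamp (editor's assumption); None if absent."""
    m = _VT_ID_RE.search(url)
    if not m or m['ts'] is None:
        return None
    return datetime.fromtimestamp(int(m['ts']), tz=timezone.utc)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large sample does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def matches_report(data: bytes, url: str) -> bool:
    """True when the bytes hash to the digest the report URL names."""
    return sha256_of_bytes(data) == vt_sha256_from_url(url)


if __name__ == '__main__':
    # Usage: python vt_check.py <path-to-copied-sample> [report-url]
    path = sys.argv[1]
    url = sys.argv[2] if len(sys.argv) > 2 else VT_URL
    local, expected = sha256_of_file(path), vt_sha256_from_url(url)
    print('local  ', local)
    print('report ', expected, '(scanned', vt_scan_time_utc(url), ')')
    print('MATCH' if local == expected else 'MISMATCH: not the file in the report')
```

A mismatch here does not mean the file is clean; it means the copy you are holding is not the one that report was written about (a different build, a truncated copy, or the wrong file), so the report's verdicts do not transfer to it.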
Hi psc23351,

Nice that aswMBR found it and allowed you to copy it.

Copy all lines in the box:
[code]Killall::
File::
C:\WINDOWS\system32\nwwksp.dll[/code]
and paste into Notepad. Check that it looks the same with 3 lines.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop; the program will start in a special way.
Paste the new ComboFix log into your answer.

Hi CeciliaB

Looks like this took care of it; it is no longer in the c:\Windows\System32 folder.
Here is the log file from the Combofix run.

ComboFix 11-07-29.01 - 1704420 Ontario Inc 07/29/2011 11:20:12.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.333 [GMT -4:00]
Running from: c:\documents and settings\1704420 Ontario Inc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1704420 Ontario Inc\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\windows\system32\nwwksp.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\nwwksp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))
.
.
2011-07-27 02:04 . 2011-07-27 02:04 -------- d-----w- c:\program files\ESET
2011-07-25 15:01 . 2011-07-25 15:01 -------- d-----w- c:\program files\HD Tune
2011-07-25 04:06 . 2011-07-25 04:06 -------- d-----w- c:\documents and settings\1704420 Ontario Inc\Application Data\ElevatedDiagnostics
2011-07-18 17:44 . 2011-07-18 17:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-18 17:44 . 2011-07-18 17:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 21:56 . 2011-07-05 21:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-07-05 20:41 . 2011-07-05 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-01 04:56 . 2011-06-29 13:25 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42 . 2011-06-30 19:42 -------- d-----w- c:\program files\Atlas Copco Tools AB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 18:24 . 2011-06-20 01:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42 . 2007-04-22 21:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26 . 2009-11-10 14:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-29 13:25 . 2011-06-29 13:27 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-02 14:02 . 2007-04-22 19:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2007-04-22 20:15 692736 ------w- c:\windows\system32\inetcomm.dll
1998-04-28 00:15 . 2007-12-03 02:49 570128 ------w- c:\program files\Common Files\dao350.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.58.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-29 15:37 . 2011-07-29 15:37 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat
+ 2011-07-29 15:37 . 2011-07-29 15:37 16384 c:\windows\Temp\Perflib_Perfdata_47c.dat
+ 2011-07-29 15:37 . 2011-07-29 15:37 16384 c:\windows\Temp\Perflib_Perfdata_468.dat
+ 2011-07-29 15:37 . 2011-07-29 15:37 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat
- 2007-04-22 20:19 . 2011-07-19 21:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-04-22 20:19 . 2011-07-29 15:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-07-16 12:29 . 2011-07-19 21:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-29 12:58 . 2011-07-29 15:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-05 19:39 . 2011-07-29 15:44 235342 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2006-07-26 315392]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"TFncKy"="TFncKy.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"CognexOpc"="c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe" [2006-07-18 90112]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 434176]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-12 16125440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2010-04-20 118784]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
c:\documents and settings\1704420 Ontario Inc\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-1 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2007-11-30 298]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\Miniweb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2009 9:54 PM 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [3/22/2007 4:07 PM 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/1/2011 12:56 AM 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/10/2009 10:12 AM 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/30/2007 2:38 PM 5888]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [3/29/2010 9:13 AM 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [6/25/2007 4:46 PM 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [6/25/2007 4:47 PM 28363]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 2151640]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/6/2009 10:26 AM 10384]
R2 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [7/9/2007 10:47 AM 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/9/2006 8:31 AM 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/9/2006 8:32 AM 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 9:29 AM 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [9/18/2007 9:35 PM 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [9/18/2007 8:21 PM 491520]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [7/14/2008 8:02 PM 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [3/2/2010 8:37 AM 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [3/2/2010 8:47 AM 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [3/2/2010 8:38 AM 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [3/1/2010 4:51 PM 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [3/2/2010 8:40 AM 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2/24/2009 5:39 PM 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [3/2/2010 8:47 AM 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/29/2011 9:27 AM 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [7/17/2007 11:36 AM 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [11/30/2007 2:38 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/5/2007 12:31 PM 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/14/2009 10:54 AM 26137]
R3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [9/17/2007 11:36 PM 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [4/8/2010 11:15 AM 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2007 4:20 PM 35968]
R3 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [9/18/2007 12:57 AM 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [9/18/2007 12:57 AM 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/30/2007 2:41 PM 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [10/29/2001 1:53 PM 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe --> c:\program files\Common Files\Siemens\ACE\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 RedundancyControl;RedundancyControl;c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe --> c:\program files\Common Files\Siemens\ACE\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe --> c:\program files\Common Files\Siemens\ACE\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [5/31/2000 7:13 PM 71448]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [4/5/2000 2:22 PM 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [5/5/2010 4:42 PM 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\Cognex\In-Sight\In-Sight Explorer 3.3.0\Utilities\cogissvc.exe [7/18/2006 8:20 AM 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSightService.exe [7/18/2006 8:46 AM 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [7/4/2005 4:04 PM 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Textron VPN Client\Extranet_serv.exe [5/14/2009 10:54 AM 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [9/17/2007 11:29 PM 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [9/17/2007 11:29 PM 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/14/2009 10:54 AM 155152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/24/2010 3:45 PM 15232]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\Drivers\pcidnt.sys --> c:\windows\system32\Drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [9/17/2007 11:32 PM 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [9/21/2007 2:27 PM 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [11/10/1999 8:27 AM 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [11/13/2002 2:38 PM 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/18/2006 10:33 AM 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [4/23/2002 7:02 PM 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [5/11/1999 1:48 PM 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [12/5/2007 11:25 AM 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [12/5/2007 11:25 AM 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/2002 2:34 AM 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [3/2/2010 8:39 AM 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [11/26/2008 9:34 AM 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [4/28/2008 11:24 PM 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [4/14/2006 10:06 AM 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/22/2007 3:44 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-29 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-29 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-29 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-29 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:19]
.
2011-07-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3879435519-312499763-1611728940-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\1704420 Ontario Inc\Application Data\Mozilla\Firefox\Profiles\[email protected]\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-29 11:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3879435519-312499763-1611728940-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1808)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(5020)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Rockwell Software\RSLINX\dnwhodisp.exe
c:\program files\Rockwell Software\RSCommon\RSOBSERV.EXE
c:\program files\COMMON FILES\SIEMENS\ALMPANELPLUGIN\ALMPANELPLUGIN.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
c:\program files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
c:\program files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
c:\program files\Rockwell Software\RSView Enterprise\TagSrv.exe
c:\progra~1\ROCKWE~2\RSLinx\RSLINX.EXE
c:\program files\Common Files\Rockwell\RsvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\mqsvc.exe
c:\program files\Common Files\Rockwell\EventClientMultiplexer.exe
c:\program files\Common Files\Rockwell\RNADirMultiplexor.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\program files\Common Files\Rockwell\RnaDirServer.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\TFNF5.exe
c:\windows\system32\igfxext.exe
c:\program files\Common Files\Siemens\Sqlany\dbsrv9.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Microsoft Office\Office\1033\msoffice.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-07-29 11:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-29 15:56
ComboFix2.txt 2011-07-29 03:09
ComboFix3.txt 2011-07-28 17:22
ComboFix4.txt 2011-07-28 13:23
ComboFix5.txt 2011-07-29 15:16
.
Pre-Run: 23,352,578,048 bytes free
Post-Run: 23,366,496,256 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - F130F944CC5C47DCE50FE8B697AEDE7A


Is there anything I should do to verify or clean up?
Thank you for all your time and effort.
Not sure where you find all the time for this.


psc23351

Hi psc23351,

You are welcome.
I'm glad it appears to be solved!

2011-07-05 04:06 . 2011-07-05 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
Did you have the McAfee antivirus program installed?
If yes, to remove left-overs see http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Post new DDS logs for a last check.

Hi CeciliaB


Here is the new dds.log.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by 1704420 Ontario Inc at 22:22:35 on 2011-07-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.138 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe
C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Rockwell\NmspHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Rockwell\RdcyHost.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
C:\PROGRA~1\ROCKWE~2\RSLinx\RSLINX.EXE
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Cognex\In-Sight\In-Sight OPC Server 3.3.0\OpcInSight.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\Siemens\Sqlany\dbsrv9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
svchost.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [CognexOpc] c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSight.exe -I
mRun: [TOSDCR] TOSDCR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [S7UB Start] "c:\program files\common files\siemens\s7ubtoox\s7ubtstx.exe" -StartDB
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [UsbCipHelper] c:\program files\rockwell automation\rockwell automation usb cip driver package\usbciphelper\UsbCipHelper.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TFNF5] TFNF5.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [WinCC flexible Smart Start] "c:\program files\siemens\simatic wincc flexible\wincc flexible 2008\HmiSmartStart.exe" /startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\170442~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: DisablePersonalDirChange = 1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8E112997-EA3C-4EE4-8704-6BFE07518B62} : DhcpNameServer = 192.168.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\1704420 ontario inc\application data\mozilla\firefox\profiles\[email protected]\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64288]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-22 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-1 21592]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-11-10 101720]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-30 5888]
R2 almservice;Automation License Manager Service;c:\program files\common files\siemens\sws\almsrv\almsrvx.exe [2010-3-29 1594368]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [2007-6-25 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [2007-6-25 28363]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 2151640]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-6 10384]
R2 LogReceiver;LogReceiver;c:\program files\rockwell software\rslinx enterprise\LogReceiver.exe [2007-7-9 94208]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2006-5-9 203552]
R2 MSSQL$WINCC;SQL Server (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-5-9 28938072]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlservr.exe [2005-5-4 9150464]
R2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\rockwell software\rsview enterprise\RsAlarmLogServ.exe [2007-9-18 77824]
R2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\rockwell software\rsview enterprise\ServerFramework.exe [2007-9-18 491520]
R2 s7asysvx;S7 Global Services;c:\program files\siemens\step7\s7bin\s7asysvx.exe [2008-7-14 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [2010-3-2 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\common files\siemens\s7iepg\s7oiehsx.exe [2010-3-2 1576072]
R2 s7opcmcx;s7opcmcx;c:\windows\system32\drivers\s7opcmcx.sys [2010-3-2 209920]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [2010-3-1 31232]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [2010-3-2 173568]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [2009-2-24 73088]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\common files\siemens\automation\traceengine\bin\S7TraceServiceX.exe [2010-3-2 240776]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-6-29 74968]
R2 SSCService;SIMATIC Security Control Service;c:\program files\common files\siemens\simaticsecuritycontrol\ssc_service_x.exe [2007-7-17 339968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-30 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [2007-11-5 115654]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-5-14 26137]
R3 EventServer;Rockwell Event Server;c:\program files\common files\rockwell\EventServer.exe [2007-9-17 217088]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [2010-4-8 12112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-22 35968]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-24 15232]
R3 NmspHost;Rockwell Namespace Services;c:\program files\common files\rockwell\NmspHost.exe [2007-9-18 212992]
R3 RdcyHost;Rockwell Redundancy Services;c:\program files\common files\rockwell\RdcyHost.exe [2007-9-18 212992]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-30 435072]
S1 abpicw2k;AB PIC/AIC+ Driver;c:\windows\system32\drivers\abpicw2k.sys [2001-10-29 113600]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S2 CCAgent;CCAgent;c:\program files\common files\siemens\ace\bin\ccagent.exe --> c:\program files\common files\siemens\ace\bin\CCAgent.exe [?]
S2 CCEClient;CCEClient;c:\program files\common files\siemens\ace\bin\cceclient.exe --> c:\program files\common files\siemens\ace\bin\CCEClient.exe [?]
S2 CCEServer;CCEServer;c:\program files\common files\siemens\ace\bin\cceserver.exe --> c:\program files\common files\siemens\ace\bin\CCEServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RedundancyControl;RedundancyControl;c:\program files\common files\siemens\ace\bin\redundancycontrol.exe --> c:\program files\common files\siemens\ace\bin\RedundancyControl.exe [?]
S2 RedundancyState;RedundancyState;c:\program files\common files\siemens\ace\bin\redundancystate.exe --> c:\program files\common files\siemens\ace\bin\RedundancyState.exe [?]
S2 SCSMonitor;SCSMonitor;c:\program files\common files\siemens\ace\bin\scsmx.exe --> c:\program files\common files\siemens\ace\bin\SCSMX.exe [?]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2000-5-31 71448]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 c5511w2k;c5511w2k;c:\windows\system32\drivers\c5511w2k.sys [2000-4-5 8192]
S3 cgnxcdc;cgnxcdc;c:\windows\system32\drivers\cgnxcdc.sys [2010-5-5 49152]
S3 CogISSvc;Cognex In-Sight Port Service;c:\program files\cognex\in-sight\in-sight explorer 3.3.0\utilities\cogissvc.exe [2006-7-18 172632]
S3 Cognex.InSight.OpcServer;Cognex OPC Server;c:\program files\cognex\in-sight\in-sight opc server 3.3.0\OpcInSightService.exe [2006-7-18 24576]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [2005-7-4 68280]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\textron vpn client\Extranet_serv.exe [2009-5-14 835584]
S3 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\common files\rockwell\FTAEArchiver.exe [2007-9-17 61440]
S3 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\common files\rockwell\FTAE_HistServ.exe [2007-9-17 143360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-5-14 155152]
S3 pcidnt;A-B 1784-PCIDS;c:\windows\system32\drivers\pcidnt.sys --> c:\windows\system32\drivers\pcidnt.sys [?]
S3 RnaAeServer;Rockwell Alarm Server;c:\program files\common files\rockwell\RnaAeServer.exe [2007-9-17 270336]
S3 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\common files\rockwell\RnaAlarmMux.exe [2007-9-21 753664]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1999-11-10 142592]
S3 RSI-PKTX-A;RSI-PKTX-A;c:\windows\system32\drivers\RSI-PKTX-A.sys [2002-11-13 16447]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2006-1-18 39067]
S3 RSLINXNGKtControl;RSLINXNGKtControl;c:\windows\system32\drivers\rsiktNG.sys [2002-4-23 38999]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [1999-5-11 155440]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [2007-12-5 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [2007-12-5 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [2002-10-18 30512]
S3 s7oppinx;s7oppinx;c:\windows\system32\drivers\s7oppinx.sys [2010-3-2 124928]
S3 S7OUSBPX;S7OUSBPX;c:\windows\system32\drivers\S7OUSBPX.sys [2008-11-26 27212]
S3 Sim9Sync;SIMATIC NET Synchronization Service;c:\windows\system32\sim9sync.exe [2008-4-28 94208]
S3 SQLAgent$WINCC;SQL Server Agent (WINCC);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2006-4-14 319776]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\microsoft sql server\mssql$winccflexible\binn\sqlagent.EXE [2005-5-3 323584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-4-22 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-07-27 02:04:30 -------- d-----w- c:\program files\ESET
2011-07-25 15:01:01 -------- d-----w- c:\program files\HD Tune
2011-07-25 04:06:36 -------- d-----w- c:\documents and settings\1704420 ontario inc\application data\ElevatedDiagnostics
2011-07-20 00:03:24 -------- d-sha-r- C:\cmdcons
2011-07-18 17:44:52 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-07-18 17:44:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-15 23:07:52 208896 ----a-w- c:\windows\MBR.exe
2011-07-15 23:07:50 256000 ----a-w- c:\windows\PEV.exe
2011-07-05 21:56:11 -------- d-----w- c:\program files\common files\Merge Modules
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-05 20:41:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-01 04:56:06 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-06-30 19:42:34 -------- d-----w- c:\program files\Atlas Copco Tools AB
.
==================== Find3M ====================
.
2011-07-18 18:24:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 17:42:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-29 13:26:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-29 13:25:40 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-07 18:33:44 10532 --sh--r- C:\EVRSI.SYS
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
1998-04-28 00:15:06 570128 ------w- c:\program files\common files\dao350.dll
.
============= FINISH: 22:25:28.89 ===============

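As an added example (not part of this thread, and not ComboFix's own code), a small Python triage script that parses the two line formats in the log above, the SERVICES / DRIVERS entries and the "Created Last 30" / Find3M file entries, and flags what a helper looks at before the final clean-up: service entries whose file ComboFix could not read (`--> ... [?]`), regular files carrying system+hidden attributes such as `--sh--r-` in a drive root, and the ComboFix components (MBR.exe, PEV.exe, C:\cmdcons) that should disappear after `ComboFix /Uninstall`. That list of components is an assumption about what ComboFix installs, and the sample lines are a constructed subset excerpted from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Service/driver entry: "<state> <name>;<display>;<path> [<date> <size>]", or
# "<state> <name>;<display>;<path> --> <Path> [?]" when ComboFix could not read
# the file's date/size at the registered path.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
STAT_RE = re.compile(r"^(?P<path>.+?)\s+\[\d{4}-\d{1,2}-\d{1,2} \d+\]$")

# File entry from "Created Last 30" / "Find3M":
# "<date> <time> <size, or -------- for a directory> <8-char attributes> <path>"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Assumption: ComboFix installs these (MBR.exe and PEV.exe under c:\windows,
# the Recovery Console in C:\cmdcons); they are expected to be gone after
# "ComboFix /Uninstall", so they are reported as tool artifacts, not malware.
COMBOFIX_ARTIFACTS = {"mbr.exe", "pev.exe", "cmdcons"}

# Constructed sample: a subset of lines excerpted from the ComboFix log above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64288]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
2011-07-20 00:03:24 -------- d-sha-r- C:\cmdcons
2011-07-15 23:07:52 208896 ----a-w- c:\windows\MBR.exe
2011-07-15 23:07:50 256000 ----a-w- c:\windows\PEV.exe
2011-07-18 17:42:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-07 18:33:44 10532 --sh--r- C:\EVRSI.SYS
""".strip("\n")


@dataclass
class Finding:
    kind: str   # "orphan_service" | "tool_artifact" | "hidden_system_file"
    path: str
    note: str


def service_path(rest: str) -> Tuple[str, bool]:
    """Split the text after the second ';' into (registered path, stat_ok)."""
    rest = rest.strip()
    if rest.endswith("[?]"):
        # ComboFix echoes "<registered path> --> <resolved path> [?]"
        return rest.split(" --> ", 1)[0].strip(), False
    m = STAT_RE.match(rest)
    return (m.group("path") if m else rest), True


def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            path, stat_ok = service_path(m.group("rest"))
            if not stat_ok:
                findings.append(Finding(
                    "orphan_service", path,
                    f"{m.group('state')} {m.group('name')}: ComboFix could not read "
                    "date/size at the registered path; confirm the file exists"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attrs = m.group("path"), m.group("attrs")
        base = path.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if base in COMBOFIX_ARTIFACTS:
            findings.append(Finding(
                "tool_artifact", path,
                "ComboFix component; should be gone after 'ComboFix /Uninstall'"))
        elif not attrs.startswith("d") and "s" in attrs and "h" in attrs:
            # system+hidden on a regular file (e.g. --sh--r- in a drive root)
            # is unusual for user data and worth a look before closing out
            findings.append(Finding(
                "hidden_system_file", path,
                f"attributes {attrs}: system+hidden file; review before final clean-up"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:20} {f.path}  ({f.note})")
```

Run it against a saved ComboFix log (`analyze(open("ComboFix.txt").read().splitlines())`) and use the `orphan_service` list to decide which stale service entries to follow up on, and the `tool_artifact` list to confirm the uninstall step actually removed everything.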
Hi psc23351,

Time for final clean-up.

[u]1. Removal of all system restore points since they might be infected.[/u]
XP:
Create a new system restore point:
[b]Start - Programs - Accessories - System Tools - System Restore[/b]
Choose [b]Create a Restore Point[/b] and then click [b]Next[/b]. Give the R.P. a name, then click [b]Create[/b].

Remove all old restore points by running Disk Cleanup.
[b]Start - Run[/b] and type: [b]Cleanmgr[/b]
Click [b]Ok[/b]. Disk Cleanup will scan your files for several minutes, then open.
Select the [b]More Options[/b] tab, and then click the [b]Clean up[/b] button under System Restore.
Click [b]Ok[/b] and then [b]Yes[/b] twice.

Vista and Windows 7:
Create a new system restore point by following [url="http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/"]http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/[/url]
Remove all old restore points by following [url="http://bertk.mvps.org/html/diskcleanupv.html"]http://bertk.mvps.org/html/diskcleanupv.html[/url] (Vista) or [url="http://www.sevenforums.com/tutorials/818-disk-cleanup-open-use.html"]http://www.sevenforums.com/tutorials/818-disk-cleanup-open-use.html[/url] (Windows 7).

[u]2. Removal of tools[/u]
[u]a. [/u]Press Windows-key + R
Copy and paste this line:
ComboFix /Uninstall

Note the space before /
Click on OK.

[u]b. [/u]Download the uninstall program called OTC: [url="http://oldtimer.geekstogo.com/OTC.exe"]http://oldtimer.geekstogo.com/OTC.exe[/url]
Close all programs.
Start OTC program.
Click the [b]CleanUp[/b]! button.
Select [b]Yes[/b] when asked "Begin cleanup process".
If you are asked to reboot, select [b]Yes[/b].
If any logs remain on the computer you can remove them.
Any tools left?

[u]3. Improve the security in the computer[/u]
It is very important to keep Windows and all programs updated. To help you with that you can use the program [url="http://secunia.com/products/"]Secunia Online Software Inspector (OSI)[/url].

Read what Blade81 writes in the post [url="http://www.lavasoftsupport.com/index.php?showtopic=30610&view=findpost&p=124337"]http://www.lavasoftsupport.com/index.php?showtopic=30610&view=findpost&p=124337[/url] from the header "Make your Internet Explorer more secure" and downwards.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :o

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !
