
Solve : Kaspersky TDSS Killer detects file safeboot.sys?


Alright, well I would like to have it completely uninstalled if that is possible.

log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F7577000
Module End: F7586000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: EB467000
Module End: EB537000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: F094E000
Module End: F0956000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F79B1000
Module End: F79B3000
Hidden: Yes

Module Name: \??\D:\Profiles\Mark\LOCALS~1\Temp\aswMBR.sys
Service Name: aswMBR
Module Base: 8D058000
Module End: 8D064000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: EB814FBA
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwClose
Address: EB8158B4
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwConnectPort
Address: EB82EAEE
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateEvent
Address: EB815E26
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateMutant
Address: EB815D14
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreatePort
Address: EB82EE06
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateProcess
Address: EB816056
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateProcessEx
Address: EB81621E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSection
Address: EB814D76
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSemaphore
Address: EB815F3E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateThread
Address: EB8155E6
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateWaitablePort
Address: EB82EECE
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDebugActiveProcess
Address: EB81653C
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteKey
Address: EB829084
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteValueKey
Address: EB82A88E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeviceIoControlFile
Address: EB8158F6
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDuplicateObject
Address: EB81753C
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateKey
Address: EB82A088
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateValueKey
Address: EB82AA38
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadDriver
Address: EB81662E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey
Address: EB829BC0
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadKey2
Address: EB829E1C
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwMapViewOfSection
Address: EB816B9A
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwNotifyChangeKey
Address: EB82D30A
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenEvent
Address: EB815EB8
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenMutant
Address: EB815DA0
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenProcess
Address: EB8151F4
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSection
Address: EB81697E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSemaphore
Address: EB815FD0
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenThread
Address: EB8150E8
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryKey
Address: EB828EB8
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryMultipleValueKey
Address: EB82A698
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryObject
Address: EB82D500
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQuerySection
Address: EB816EC0
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryValueKey
Address: EB82A488
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueueApcThread
Address: EB8167CE
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRenameKey
Address: EB829198
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplaceKey
Address: EB82980C
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyPort
Address: EB82F048
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyWaitReceivePort
Address: EB82EF96
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRequestWaitReplyPort
Address: EB82F0B4
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRestoreKey
Address: EB829A14
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwResumeThread
Address: EB8173DE
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKey
Address: EB82933E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKeyEx
Address: EB8294D4
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveMergedKeys
Address: EB829670
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSecureConnectPort
Address: EB82EC76
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetContextThread
Address: EB815756
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetInformationToken
Address: EB8163E8
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSystemInformation
Address: EB817010
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetValueKey
Address: EB82A248
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendProcess
Address: EB817104
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendThread
Address: EB81723E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSystemDebugControl
Address: EB81645E
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateProcess
Address: EB815392
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwTerminateThread
Address: EB8152EA
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwUnmapViewOfSection
Address: EB816D78
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwWriteVirtualMemory
Address: EB81547C
Driver Base: EB7E5000
Driver End: EB878000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwTraceEvent
At Address: 80535156
Jump To: ED0C4C00
Module Name: _unknown_

Hooked Function: ZwRequestPort
At Address: 805A2A4A
Jump To: ED0C4CA0
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No hidden files/folders found
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Quote
    KillAll::

    SecCenter::
    967D7868-33AA-43E7-AC51-89F2A6FB873C

  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • No need to post the log. Just check the log at the top to see if it's removed.
You should turn on your Windows Firewall.
************************************************************
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

I know you said I don't need to post my ComboFix log, but here it is because it looks like I still have the ISS Proventia installed:

ComboFix 12-02-29.01 - Mark 03/01/2012 15:19:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2043 [GMT -5:00]
Running from: d:\profiles\Mark\Desktop\ComboFix.exe
Command switches used :: d:\profiles\Mark\Desktop\CFScript.txt
AV: ISS Proventia 9.0.226.2212 *Enabled/Outdated* {137EA0D9-9C16-4D8D-AF04-E70936C88A36}
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ISS Proventia 9.0.226.2084 *Disabled* {967D7868-33AA-43E7-AC51-89F2A6FB873C}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((( Files Created from 2012-02-02 to 2012-03-02 )))))))))))))))))))))))))))))))
.
.
2074-05-07 23:38 . 2006-11-22 01:48  203576  ------w-  c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-02-22 07:07 . 2012-02-22 07:07  98992  ----a-w-  c:\windows\system32\drivers\95999153.sys
2012-02-18 02:56 . 2012-02-18 03:10  --------d-----w-  c:\program files\FastCopy
2012-02-17 02:54 . 2012-02-17 02:54  --------d-----w-  d:\profiles\All Users\Application Data\Malwarebytes
2012-02-17 02:54 . 2012-02-17 02:54  --------d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-02-17 02:54 . 2011-12-10 20:24  20464  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-02-17 02:44 . 2012-02-17 02:44  --------d-----w-  d:\profiles\Mark\Application Data\SUPERAntiSpyware.com
2012-02-17 02:42 . 2012-02-17 02:46  --------d-----w-  c:\program files\SUPERAntiSpyware
2012-02-17 02:42 . 2012-02-17 02:42  --------d-----w-  d:\profiles\All Users\Application Data\SUPERAntiSpyware.com
2012-02-16 22:02 . 2012-02-16 22:02  98992  ----a-w-  c:\windows\system32\drivers\95463149.sys
2012-02-16 22:02 . 2012-02-16 22:02  --------d-----w-  C:\TDSSKiller_Quarantine
2012-02-15 17:30 . 2012-02-15 17:30  --------d-----w-  d:\profiles\Mark\Application Data\Hardcore
2012-02-05 21:31 . 2011-12-11 04:58  973632  ----a-w-  c:\windows\system32\nvdispco3220155.dll
2012-02-04 06:01 . 2012-02-04 06:01  --------d-----w-  c:\program files\SyncToy 2.1
2012-02-01 22:42 . 2012-02-01 22:42  --------d-----w-  d:\profiles\NetworkService.NT AUTHORITY.000\Application Data\Subversion
2012-02-01 21:02 . 2012-02-01 21:02  --------d-----w-  d:\profiles\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 20:38 . 2011-02-18 00:15  140496  ----a-w-  c:\windows\system32\drivers\PnkBstrK.sys
2012-02-23 20:38 . 2011-02-19 14:20  280736  ----a-w-  c:\windows\system32\PnkBstrB.xtr
2012-02-23 20:38 . 2011-02-18 00:15  280736  ----a-w-  c:\windows\system32\PnkBstrB.exe
2012-02-19 14:20 . 2011-02-18 00:15  75136  ----a-w-  c:\windows\system32\PnkBstrA.exe
2012-02-19 14:19 . 2011-02-18 00:15  280736  ----a-w-  c:\windows\system32\PnkBstrB.ex0
2012-02-19 07:16 . 2011-02-18 00:15  138056  ----a-w-  d:\profiles\Mark\Application Data\PnkBstrK.sys
2012-02-19 07:15 . 2011-02-18 00:15  2434856  ----a-w-  c:\windows\system32\pbsvc_bc2.exe
2011-12-29 18:00 . 2010-08-05 05:15  79360  ----a-w-  c:\windows\system32\ff_vfw.dll
2011-12-21 18:14 . 2010-08-05 05:15  151552  ----a-w-  c:\windows\system32\ac3acm.acm
2011-12-17 14:26 . 2011-10-20 19:14  141312  ----a-w-  c:\windows\system32\javacpl.cpl
2011-12-17 14:23 . 2011-06-06 16:01  414368  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-11 04:58 . 2011-10-15 02:38  877376  ----a-w-  c:\windows\system32\nvgenco3220103.dll
2011-12-11 04:58 . 2011-03-14 20:47  61440  ----a-w-  c:\windows\system32\OpenCL.dll
2011-12-11 04:58 . 2011-03-14 20:47  5332992  ----a-w-  c:\windows\system32\nvcuda.dll
2011-12-11 04:58 . 2011-03-14 20:47  2811200  ----a-w-  c:\windows\system32\nvcuvid.dll
2011-12-11 04:58 . 2011-03-14 20:47  2084672  ----a-w-  c:\windows\system32\nvcuvenc.dll
2011-12-11 04:58 . 2011-03-14 20:47  13004800  ----a-w-  c:\windows\system32\nvcompiler.dll
2011-12-11 04:58 . 2008-06-25 11:22  4205056  ----a-w-  c:\windows\system32\nv4_disp.dll
2011-12-11 04:58 . 2008-06-25 11:22  2335232  ----a-w-  c:\windows\system32\nvapi.dll
2011-12-11 04:58 . 2008-06-25 11:22  16076800  ----a-w-  c:\windows\system32\nvoglnt.dll
2011-12-11 04:58 . 2008-06-25 11:22  12836544  ----a-w-  c:\windows\system32\drivers\nv4_mini.sys
2011-12-11 03:46 . 2011-10-15 02:40  249856  ----a-w-  c:\windows\system32\nvrseng.dll
2011-12-11 03:46 . 2011-10-15 02:40  253952  ----a-w-  c:\windows\system32\nvrsth.dll
2011-12-11 03:46 . 2011-10-15 02:40  282624  ----a-w-  c:\windows\system32\nvrsel.dll
2011-12-11 03:46 . 2011-10-15 02:40  274432  ----a-w-  c:\windows\system32\nvrsesm.dll
2011-12-11 03:46 . 2011-10-15 02:40  126976  ----a-w-  c:\windows\system32\nvrszht.dll
2011-12-11 03:46 . 2011-10-15 02:40  331776  ----a-w-  c:\windows\system32\nvrshe.dll
2011-12-11 03:46 . 2011-10-15 02:40  253952  ----a-w-  c:\windows\system32\nvrsda.dll
2011-12-11 03:46 . 2011-10-15 02:40  249856  ----a-w-  c:\windows\system32\nvrsfi.dll
2011-12-11 03:45 . 2011-10-15 02:40  274432  ----a-w-  c:\windows\system32\nvrsnl.dll
2011-12-11 03:45 . 2011-10-15 02:40  286720  ----a-w-  c:\windows\system32\nvrsfr.dll
2011-12-11 03:45 . 2011-10-15 02:40  270336  ----a-w-  c:\windows\system32\nvrsru.dll
2011-12-11 03:45 . 2011-10-15 02:40  262144  ----a-w-  c:\windows\system32\nvrshu.dll
2011-12-11 03:45 . 2011-10-15 02:40  229376  ----a-w-  c:\windows\system32\nvrszhc.dll
2011-12-11 03:45 . 2011-10-15 02:40  258048  ----a-w-  c:\windows\system32\nvrssl.dll
2011-12-11 03:45 . 2011-10-15 02:40  258048  ----a-w-  c:\windows\system32\nvrstr.dll
2011-12-11 03:45 . 2011-10-15 02:40  282624  ----a-w-  c:\windows\system32\nvrses.dll
2011-12-11 03:45 . 2011-10-15 02:40  278528  ----a-w-  c:\windows\system32\nvrsde.dll
2011-12-11 03:45 . 2011-10-15 02:40  266240  ----a-w-  c:\windows\system32\nvrsko.dll
2011-12-11 03:45 . 2011-10-15 02:40  253952  ----a-w-  c:\windows\system32\nvrssv.dll
2011-12-11 03:45 . 2011-10-15 02:40  249856  ----a-w-  c:\windows\system32\nvrscs.dll
2011-12-11 03:45 . 2011-10-15 02:40  335872  ----a-w-  c:\windows\system32\nvrsar.dll
2011-12-11 03:45 . 2011-10-15 02:40  258048  ----a-w-  c:\windows\system32\nvrssk.dll
2011-12-11 03:45 . 2011-10-15 02:40  270336  ----a-w-  c:\windows\system32\nvrsptb.dll
2011-12-11 03:45 . 2011-10-15 02:40  253952  ----a-w-  c:\windows\system32\nvrsno.dll
2011-12-11 03:45 . 2011-10-15 02:40  274432  ----a-w-  c:\windows\system32\nvrspt.dll
2011-12-11 03:45 . 2011-10-15 02:40  282624  ----a-w-  c:\windows\system32\nvrsit.dll
2011-12-11 03:45 . 2011-10-15 02:40  258048  ----a-w-  c:\windows\system32\nvrspl.dll
2011-12-11 03:45 . 2011-10-15 02:40  270336  ----a-w-  c:\windows\system32\nvrsja.dll
2011-12-11 03:38 . 2011-10-15 02:40  112960  ----a-w-  c:\windows\system32\nvmctray.dll
2011-12-11 03:38 . 2011-10-15 02:40  13900096  ----a-w-  c:\windows\system32\nvcpl.dll
2011-12-11 03:38 . 2011-10-15 02:40  156480  ----a-w-  c:\windows\system32\nvsvc32.exe
2011-12-11 03:38 . 2011-10-15 02:40  146752  ----a-w-  c:\windows\system32\nvcolor.exe
2011-12-11 03:38 . 2011-10-15 02:40  54272  ----a-w-  c:\windows\system32\nvwddi.dll
2011-12-11 03:38 . 2011-10-15 02:40  545088  ----a-w-  c:\windows\system32\easyupdatusapiu.dll
2011-12-21 07:24 . 2011-12-17 14:22  121816  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-18 82224]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP QUICK Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-08-07 354360]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-07-28 24848]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-15 358936]
"SoundMAXPnP"="c:\program files\Analog DEVICES\Core\smax4pnp.exe" [2008-12-11 1044480]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2011-10-24 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-12-11 13900096]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-12-11 112960]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-09-07 1634112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-02-02 3900776]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54  551296  ----a-w-  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14  113152  ----a-w-  c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13  299520  ----a-w-  c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2009-07-28 06:59  192784  ----a-w-  c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1041786\Scripts\Logon\0\0]
"Script"=patch-2008-10.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1041786\Scripts\Logon\1\0]
"Script"=w2kenroll.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-707520\Scripts\Logon\0\0]
"Script"=patch-2008-10.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-707520\Scripts\Logon\1\0]
"Script"=w2kenroll.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\D:^Profiles^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=d:\profiles\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Profiles^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\profiles\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Profiles^All Users^Start Menu^Programs^Startup^LapNetWizard.exe]
path=d:\profiles\All Users\Start Menu\Programs\Startup\LapNetWizard.exe
backup=c:\windows\pss\LapNetWizard.exeCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSCAdvantage]
2005-06-09 19:41  111403  ----a-w-  c:\program files\Help Desk\CSCADV.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSCLogonInfo]
2006-12-12 21:28  127079  ----a-w-  c:\windows\UsrLogon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42  1695232  ----a-w-  c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2010-02-25 19:19  287800  ------w-  c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28  421888  ----a-w-  c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\SERVICES]
"ThreatFire"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"IviRegMgr"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1c9aca7f83fdf82"=2 (0x2)
"GoogleDesktopManager-110408-113106"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 DSFKSVCS;Kernel Services for DSF;c:\windows\system32\drivers\dsfksvcs.sys [2/8/2010 8:52 PM 479992]
R0 dsfroot;root enumerated bus driver;c:\windows\system32\drivers\dsfroot.sys [2/8/2010 8:52 PM 31608]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [7/29/2009 2:30 PM 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [7/29/2009 2:30 PM 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [7/29/2009 2:30 PM 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 11:14 AM 24064]
R1 DhaHelper;DhaHelper;c:\windows\system32\drivers\dhahelper.sys [8/21/2010 11:38 AM 7168]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 12:23 PM 11352]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [7/29/2009 2:30 PM 12528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 3:16 PM 207400]
R2 Apache2.2;Apache2.2;d:\xampp\apache\bin\httpd.exe [10/17/2010 7:32 PM 20549]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Bioscrypt [11/12/2008 8:09 PM 14336]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [4/27/2011 7:41 PM 57344]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [7/29/2009 11:43 AM 1201400]
R2 frameworkPostgreSQL;frameworkPostgreSQL;D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N "frameworkPostgreSQL" -D "D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/data" --> D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N frameworkPostgreSQL [?]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [8/7/2009 3:59 PM 45056]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/29/2009 2:28 PM 256544]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
R2 OpenSSHd;OpenSSH Server;d:\program files\OpenSSH\bin\cygrunsrv.exe [4/18/2004 6:11 AM 36864]
R2 OxygenAudioDevMon;Oxygen Audio Device Monitor;c:\program files\M-Audio\Oxygen\AudioDevMon.exe [3/4/2010 7:35 AM 1632776]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [12/14/2011 6:59 AM 3027840]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/20/2011 1:43 PM 2058776]
R2 VMCI;VMware vmci;c:\windows\system32\drivers\vmci.sys [9/21/2010 2:59 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [9/21/2010 1:42 AM 539184]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [6/12/2008 3:40 PM 482176]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2/20/2009 2:20 PM 227896]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/12/2008 8:10 PM 239760]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/12/2008 6:48 PM 44800]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 5:34 PM 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2/20/2009 2:12 PM 47616]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [4/22/2004 12:38 PM 2432]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [11/12/2008 8:09 PM 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9aca7f83fdf82;Google Update Service (gupdate1c9aca7f83fdf82);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2009 12:24 PM 133104]
S2 XAMPP;XAMPP Service;d:\xampp\service.exe [12/20/2007 9:01 PM 60928]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/21/2008 12:07 AM 113152]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 6:14 PM 106624]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 2:00 PM 59648]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2009 12:24 PM 133104]
S3 HackerDefenderDrv084;HackerDefenderDrv084;\??\d:\profiles\vxtk68\My Documents\Downloads\hxdef084\hxdefdrv.sys --> d:\profiles\vxtk68\My Documents\Downloads\hxdef084\hxdefdrv.sys [?]
S3 HRMACPI;DSF ACPI Redirection Module;c:\windows\system32\DRIVERS\HRMACPI.SYS --> c:\windows\system32\DRIVERS\HRMACPI.SYS [?]
S3 HRMCFGSPC;DSF General Configuration Space Redirection Module;c:\windows\system32\drivers\hrmcfgspc.sys [2/8/2010 8:52 PM 92664]
S3 HRMINTS;DSF Interrupt Redirection Module;c:\windows\system32\drivers\hrmints.sys [2/8/2010 8:52 PM 89976]
S3 HRMPORTS;DSF IO Port Redirection Module;c:\windows\system32\drivers\hrmports.sys [2/8/2010 8:53 PM 103160]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [8/21/2010 11:38 AM 28160]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/22/2009 6:59 PM 42112]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [9/16/2010 8:29 PM 30576]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/10/2011 10:20 AM 18432]
S3 OXYGEN;Service for M-Audio Oxygen;c:\windows\system32\drivers\MAudioOxygen.sys [1/12/2011 1:40 PM 112136]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [1/6/2005 5:10 AM 18048]
S3 PortTalk;PortTalk;c:\windows\system32\Drivers\PortTalk.sys --> c:\windows\system32\Drivers\PortTalk.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/8/2008 8:12 AM 1112560]
S3 SOFTHIDUSBK;USB HID Layer;c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTHIDUSBK.SYS [?]
S3 SOFTUSBK;Generic USB device;c:\windows\system32\DRIVERS\SOFTUSBK.SYS --> c:\windows\system32\DRIVERS\SOFTUSBK.SYS [?]
S3 SOFTUSBTESTHUB;Generic USB Test Hub;c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS --> c:\windows\system32\DRIVERS\SOFTUSBTESTHUB.SYS [?]
S3 SOFTWADP;Wireless adapter devices;c:\windows\system32\DRIVERS\SOFTWADP.SYS --> c:\windows\system32\DRIVERS\SOFTWADP.SYS [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [1/8/2011 4:17 PM 25088]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/12/2008 8:09 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WSOFTUSBK;Generic wireless USB device;c:\windows\system32\DRIVERS\WSOFTUSBK.SYS --> c:\windows\system32\DRIVERS\WSOFTUSBK.SYS [?]
S4 AcuWVSSchedulerv6;Acunetix WVS Scheduler v6;c:\program files\Acunetix\Web Vulnerability Scanner 6\WVSScheduler.exe [3/3/2010 10:22 AM 671368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelperREG_MULTI_SZ getPlusHelper
CognizanceREG_MULTI_SZ ASBroker
BioscryptREG_MULTI_SZ ASChannel
HPServiceREG_MULTI_SZ HPSLPSVC
WINRMREG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}]
2006-10-07 03:28121541----a-w-c:\program files\Microsoft Office Communicator\MotIM-default.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 16:14451872----a-w-c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
2008-04-14 10:42146432------w-c:\windows\regedit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
2005-08-12 17:18121799----a-w-c:\program files\WinZip\wzusr90.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-CA999-VXTK68-01-Mark.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-17 08:44]
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-03-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-26 03:21]
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 17:24]
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-24 17:24]
.
2012-03-01 c:\windows\Tasks\msfupdate.job
- d:\program files\Rapid7\framework\msfupdate.bat [2011-05-25 21:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = 192.168.2.106:8080
uInternet Settings,ProxyOverride = *.mot.com;*.gi.com;HELP-MOTOROLA.AMER.CSC.COM;SHSH-NXS01.AMER.CSC.COM;*.local;
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: Zend Studio - Debug current page - d:\program files\Zend\Zend Studio - 8.0.0\toolbars\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - d:\program files\Zend\Zend Studio - 8.0.0\toolbars\ZendIEToolbar.dll/DebugNext.html
LSP: bmnet.dll
LSP: d:\program files\VMware\vsocklib.dll
TCP: DhcpNameServer = 207.69.188.187 207.69.188.186
TCP: Interfaces\{DBA2BD3B-DD27-48D0-B1A8-D01EFD66A9B9}: NameServer = 207.69.188.187,207.69.188.186
FF - ProfilePath - d:\profiles\Mark\Application Data\Mozilla\Firefox\Profiles\prtpgzvs.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-01 20:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST925042 rev.HP14 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0xF713C864
IoDeviceObjectType -> ParseProcedure -> 0xed312160
\Device\Harddisk0\DR0 -> ParseProcedure -> 0xed312160
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\frameworkPostgreSQL]
"ImagePath"="D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"frameworkPostgreSQL\" -D \"D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/data\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DSFKSVCS\MofImagePath]
.
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\frameworkPostgreSQL]
"ImagePath"="D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"frameworkPostgreSQL\" -D \"D:/PROGRA~1/Rapid7/FRAMEW~1/POSTGR~1/data\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WINIO]
"ImagePath"="pý\12"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2757104239-1278071424-1195812985-1009\Software\SecuROM\License information*]
"datasecu"=hex:f1,9b,19,c7,4b,80,1a,89,34,46,79,92,96,d5,d1,3d,ed,80,b6,b7,42,
e9,95,cb,73,19,c7,2b,30,51,1c,35,d5,62,04,fa,fd,92,b8,1e,4e,e3,44,10,c1,eb,\
"rkeysecu"=hex:a9,83,1a,d3,5a,1a,8b,17,08,e8,e0,21,0e,a4,7d,15
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1544)
c:\program files\Hewlett-Packard\IAM\bin\ocgina.dll
c:\program files\Hewlett-Packard\IAM\bin\itmsg.dll
c:\program files\Hewlett-Packard\IAM\bin\brand.dll
c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTStrings.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.HPQWMIEXLib.dll
c:\windows\system32\msi.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHstServs.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\BIOSDomain.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTPluginLib.dll
c:\program files\Hewlett-Packard\IAM\bin\ItTal.dll
c:\program files\Hewlett-Packard\IAM\bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\AsChnl.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDac.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittalsnap.dll
c:\windows\system32\bmnet.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\windows\system32\xenroll.dll
c:\program files\Hewlett-Packard\IAM\Bin\TpmAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\TokenAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\NetAdmin.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItAPS.dll
c:\program files\Hewlett-Packard\IAM\Bin\APSHook.dll
.
- - - - - - - > 'Explorer.exe'(1512)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\Hewlett-Packard\IAM\Bin\APSHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\pg_ctl.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
d:\xampp\mysql\bin\mysqld.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
c:\windows\system32\nvsvc32.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
d:\progra~1\Rapid7\FRAMEW~1\POSTGR~1\bin\postgres.exe
d:\program files\OpenSSH\usr\sbin\sshd.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\CCM\CcmExec.exe
d:\program files\VMware\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
d:\program files\Rapid7\framework\ruby\bin\ruby.exe
d:\program files\Rapid7\framework\svn\bin\svn.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
c:\program files\BigFix Enterprise\BES Client\BESClientUI.exe
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2012-03-01 20:46:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-02 01:46
ComboFix2.txt 2012-02-29 20:55
ComboFix3.txt 2012-02-29 01:01
ComboFix4.txt 2012-02-22 07:43
.
Pre-Run: 6,468,026,368 bytes free
Post-Run: 6,431,006,720 bytes free
.
- - End Of File - - E41C573B56547F861E965E16BE2A380B

ESET is currently scanning the computer. I'll post once it finishes.

I can't see it anywhere else in all the scans we've done. I made a mistake on that first script.
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    Quote
    KillAll::

    SecCenter::
    {137EA0D9-9C16-4D8D-AF04-E70936C88A36}
    {967D7868-33AA-43E7-AC51-89F2A6FB873C}

  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please look through the log and see if it's gone.

ComboFix successfully uninstalled the ISS Proventia. Thank you.

ESET log:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=d8a2975d263b424eb12d1a2cd483363b
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-02 12:34:32
# local_time=2012-03-02 07:34:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1280 16777191 100 0 14808385 14808385 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=839622
# found=2
# cleaned=2
# scan_time=30974
C:\System Volume Information\_restore{15210BD2-C7F8-4EEB-8097-8D74A4DBE2E2}\RP3\A0000617.exe    a variant of Win32/Packed.PrivateEXEProtector.C application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
C:\System Volume Information\_restore{15210BD2-C7F8-4EEB-8097-8D74A4DBE2E2}\RP3\A0000618.exe    a variant of Win32/Packed.Enigma.AAB trojan (cleaned by deleting - quarantined)    00000000000000000000000000000000    C

That looks good. If there are no other issues, we can do some cleanup.

Download this program and run it: Uninstall ComboFix. It will remove ComboFix for you.

************************************************
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
*********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************************
Looking over your log it seems you no longer have a firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
***************************************************************
Use the Secunia Software Inspector to check for out of date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!