WiredWX Hobby Weather ToolsLog in

 


acpi.sys infected with Packed.Protector.C

2 posters

descriptionacpi.sys infected with Packed.Protector.C Emptyacpi.sys infected with Packed.Protector.C

more_horiz
Hello
I would be so grateful for some assistance please. After allowing someone to use my computer over a weekend a while ago I seem to have become infected with the above picked up by VirSCAN.org. Originally it was infected with xp-defender-pro which took me a while to get rid of, I don't know whether this is a left over or something separate.

I have had to attach the txt files as every time I post the logs I get the "message too long error. I hope thats ok?

descriptionacpi.sys infected with Packed.Protector.C EmptyOTL extras

more_horiz
OTL extras text attached

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
DragonMaster Jay thankyou for your help Smile... here is the log:

ComboFix 10-05-10.02 - user 11/05/2010 5:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1551 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\jestertb.dll
c:\windows\setup.exe
c:\windows\system32\fjhdyfhsn.bat

.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-10 08:39 . 2010-05-10 08:39 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ef764c1-n\msvcp71.dll
2010-05-10 08:39 . 2010-05-10 08:39 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ef764c1-n\jmc.dll
2010-05-10 08:39 . 2010-05-10 08:39 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1ef764c1-n\msvcr71.dll
2010-05-10 08:39 . 2010-05-10 08:39 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f43f1f6-n\decora-sse.dll
2010-05-10 08:39 . 2010-05-10 08:39 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f43f1f6-n\decora-d3d.dll
2010-05-10 08:39 . 2010-05-10 08:39 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 08:34 . 2010-05-10 08:37 -------- d-----w- c:\documents and settings\user\.SunDownloadManager
2010-05-07 15:42 . 2010-05-07 15:42 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-07 15:42 . 2010-05-07 15:42 -------- d-----w- c:\program files\Trend Micro
2010-05-04 17:31 . 2010-05-04 17:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-04 14:54 . 2010-05-04 14:56 -------- d-----w- c:\program files\virtualStudio
2010-05-03 13:05 . 2010-05-03 13:05 106 ----a-w- c:\documents and settings\user\Application Data\netstat.bat
2010-05-02 20:48 . 2010-05-02 20:48 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Downloaded Installations
2010-05-02 13:02 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-02 13:02 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-01 17:56 . 2010-05-01 17:56 9472 ----a-w- c:\windows\system32\drivers\SnopFree.sys
2010-05-01 17:56 . 2010-05-01 17:56 90112 ----a-w- c:\windows\system32\SnoopFreeSvc.exe
2010-05-01 17:56 . 2010-05-01 17:56 45056 ----a-w- c:\windows\SnoopFreeDll.dll
2010-05-01 17:56 . 2010-05-01 17:56 221184 ----a-w- c:\windows\SnoopFreeUI.exe
2010-05-01 17:39 . 2010-05-01 17:44 -------- d-----w- c:\program files\SpywareBlaster
2010-05-01 16:17 . 2010-05-01 16:17 -------- d-----w- c:\windows\XSxS
2010-05-01 16:17 . 2010-05-01 16:17 -------- d-----w- c:\program files\Xenocode
2010-04-29 13:02 . 2010-04-29 13:02 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-04-29 13:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:02 . 2010-05-02 06:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 13:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 13:02 . 2010-04-29 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-29 06:52 . 2010-04-29 06:52 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\avG
2010-04-29 06:43 . 2010-04-30 16:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\xmlie64
2010-04-29 06:43 . 2010-04-29 06:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-29 06:43 . 2010-04-29 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-29 06:32 . 2010-04-29 13:28 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\xmlie64
2010-04-29 05:59 . 2010-04-29 05:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-25 10:13 . 2010-01-04 05:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-04-25 10:13 . 2010-01-04 05:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-04-25 09:28 . 2010-04-25 09:28 -------- d-----w- c:\documents and settings\user\Application Data\Sunbelt
2010-04-25 09:28 . 2010-04-25 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-04-25 09:26 . 2010-03-11 14:49 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-04-25 09:26 . 2010-04-25 09:26 -------- d-----w- c:\program files\Sunbelt Software
2010-04-22 09:21 . 2010-04-30 04:55 120 ----a-w- c:\windows\Jdegutejef.dat
2010-04-22 09:21 . 2010-04-30 04:55 0 ----a-w- c:\windows\Tliwuv.bin
2010-04-22 09:21 . 2010-04-22 09:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{51519A94-F9BA-4D21-A463-04C29A23DD02}
2010-04-19 12:48 . 2010-04-19 12:48 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-04-13 06:30 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 04:37 . 2007-05-22 06:49 -------- d-----w- c:\documents and settings\user\Application Data\WTablet
2010-05-10 18:47 . 2007-07-21 06:09 -------- d-----w- c:\program files\FlashGet
2010-05-10 08:41 . 2007-05-25 12:03 -------- d-----w- c:\program files\Java
2010-05-10 08:39 . 2007-05-25 12:02 -------- d-----w- c:\program files\Common Files\Java
2010-05-10 08:22 . 2008-06-07 15:33 -------- d-----w- c:\documents and settings\user\Application Data\MSGTAG
2010-05-04 10:09 . 2007-05-22 08:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-01 15:49 . 2008-08-21 10:06 -------- d-----w- c:\program files\3D Object Converter 4.204
2010-04-30 19:16 . 2010-03-03 07:41 -------- d-----w- c:\program files\HammerSnipe PowerTool
2010-04-30 18:59 . 2008-02-03 15:33 -------- d-----w- c:\program files\LeeGTs Games
2010-04-30 18:46 . 2007-08-01 07:00 -------- d-----w- c:\program files\Capture Professional v6
2010-04-30 18:46 . 2010-03-09 08:05 -------- d-----w- c:\program files\Duplicate File Cleaner
2010-04-30 18:27 . 2009-03-25 18:37 -------- d-----w- c:\program files\Games
2010-04-30 18:22 . 2010-02-24 06:51 -------- d-----w- c:\program files\Cicy Check it
2010-04-30 17:48 . 2009-12-10 20:52 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-04-30 09:47 . 2007-11-18 05:59 -------- d-----w- c:\program files\IrfanView
2010-04-30 05:57 . 2009-10-07 14:24 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-29 06:03 . 2010-04-29 06:03 16 ----a-w- c:\documents and settings\LocalService\Application Data\kcmdte.dat
2010-04-28 12:19 . 2007-05-22 06:36 -------- d-----w- c:\program files\Common Files\DAZ
2010-04-25 10:12 . 2007-05-22 09:20 -------- d-----w- c:\documents and settings\user\Application Data\File-Ex
2010-04-23 08:46 . 2010-04-23 08:46 16 ----a-w- c:\documents and settings\user\Application Data\kcmdte.dat
2010-04-22 09:20 . 2006-02-28 12:00 243808 ----a-w- c:\windows\system32\drivers\acpi.sys
2010-04-22 09:19 . 2010-04-22 09:19 16 ----a-w- c:\documents and settings\NetworkService\Application Data\kcmdte.dat
2010-04-16 20:00 . 2007-07-21 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-16 10:28 . 2009-01-22 09:44 472 ----a-w- c:\windows\Vue 7 xStream.reg
2010-04-15 09:37 . 2007-07-30 12:54 -------- d-----w- c:\documents and settings\user\Application Data\Poser 7
2010-04-11 10:29 . 2007-05-21 20:40 250688 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 17:35 . 2008-04-12 06:18 -------- d-----w- c:\program files\QuickTime
2010-04-06 17:35 . 2010-04-04 15:35 -------- d-----w- c:\documents and settings\user\Application Data\SolSuite
2010-04-06 17:34 . 2007-05-22 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-04 16:03 . 2010-04-02 15:15 -------- d-----w- c:\program files\Big Fish Games
2010-04-04 15:38 . 2010-04-04 15:34 -------- d-----w- c:\program files\SolSuite
2010-04-04 15:35 . 2010-04-04 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\TreeCardGames
2010-04-04 14:54 . 2010-03-01 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-04-04 14:38 . 2010-04-04 14:38 -------- d-----w- c:\program files\Common Files\Topaz Labs
2010-04-04 14:38 . 2010-04-04 14:38 -------- d-----w- c:\program files\Topaz Labs
2010-04-03 22:55 . 2007-05-21 05:03 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 18:23 . 2010-04-03 18:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 18:23 . 2010-04-03 18:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 18:23 . 2010-04-03 18:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 18:23 . 2010-04-03 18:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 18:23 . 2010-04-03 18:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 18:22 . 2010-04-03 18:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 17:29 . 2007-08-04 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Digital Film Tools
2010-04-03 17:24 . 2010-04-03 17:24 -------- d---a-w- c:\program files\License
2010-04-03 09:59 . 2010-04-03 09:59 -------- d-----w- c:\documents and settings\user\Application Data\GameMill Entertainment
2010-04-02 15:54 . 2007-09-05 05:52 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-28 09:58 . 2007-07-17 09:48 -------- d-----w- c:\program files\onOne Software
2010-03-28 09:58 . 2007-05-21 04:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-28 07:47 . 2008-05-16 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software
2010-03-28 07:28 . 2007-07-17 09:48 -------- d-----w- c:\documents and settings\user\Application Data\onOne Software
2010-03-25 20:41 . 2010-03-05 10:34 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2010-03-25 18:04 . 2010-03-13 19:32 -------- d-----w- c:\program files\LimeWire
2010-03-25 16:41 . 2010-03-05 10:37 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2010-03-20 04:20 . 2010-03-20 04:20 -------- d-----w- c:\documents and settings\user\Application Data\Avant Profiles
2010-03-20 04:19 . 2010-03-20 04:19 -------- d-----w- c:\program files\Avant Browser
2010-03-19 19:08 . 2009-01-11 13:30 0 ----a-w- c:\windows\merchants2.bin
2010-03-19 19:08 . 2009-01-11 13:30 2084 ----a-w- c:\windows\ignore.bin
2010-03-13 19:47 . 2007-06-26 20:24 -------- d-----w- c:\documents and settings\user\Application Data\LimeWire
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 07:28 . 2009-08-02 16:47 38784 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 07:28 . 2010-03-06 07:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 06:25 . 2010-02-27 08:33 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-06 06:25 . 2010-02-27 08:33 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-05 10:37 . 2010-03-05 10:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-04 09:36 . 2010-03-04 09:36 3584 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-02-28 19:07 . 2007-06-02 15:11 468 ----a-w- c:\windows\Vue 6 xStream.reg
2010-02-27 08:33 . 2010-02-27 08:33 88 --sh--r- c:\documents and settings\All Users\Application Data\98E753E70F.sys
2010-02-27 08:33 . 2010-02-27 08:33 88 --sh--r- c:\documents and settings\All Users\Application Data\98E753E70F.sys
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 06:55 . 2010-02-24 06:52 268048 ----a-w- c:\windows\system32\DXTMETA2.dll
2010-02-16 13:17 . 2006-02-28 12:00 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-08-04 14:08 . 2008-08-04 14:08 0 ----a-w- c:\program files\temp01
2008-04-13 13:06 . 2008-04-13 13:06 500 ----a-w- c:\program files\Shortcut (2) to Apophysis 2.0.lnk
2008-12-22 16:55 . 2007-05-30 10:48 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 16:55 . 2007-05-30 10:48 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 16:55 . 2007-05-30 10:48 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 16:55 . 2007-05-30 10:48 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 16:55 . 2007-05-30 10:48 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-17 12:47 . 2008-11-14 10:23 168 --sh--r- c:\windows\system32\8838541601.sys
2009-11-16 13:47 . 2008-11-14 10:23 8138 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\CFi]
@="{2DBD5D71-CBB7-41D1-B170-511646B170BD}"
[HKEY_CLASSES_ROOT\CLSID\{2DBD5D71-CBB7-41D1-B170-511646B170BD}]
2007-01-28 14:50 55296 ----a-w- c:\progra~1\CFi\SHELLT~1\CFiShlJP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-06-19 40960]
"MSGTAG"="c:\program files\MSGTAG Status\MSGTAGStatus.exe" [2007-07-10 1820160]
"FileEx"="c:\program files\File-Ex 3\FileEx.exe" [2002-11-15 208896]
"CFi ShellToys Utility Manager"="c:\program files\CFi\ShellToys\CFiShlMan.exe" [2007-03-07 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-19 1291600]
"SnoopFreeUI"="SnoopFreeUI.exe" [2010-05-01 221184]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\user\Start Menu\Programs\Startup\
Alarm Master Plus.lnk - c:\program files\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe [2009-12-3 1064960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{067B597C-C099-4A08-A180-E5FEC5DCF2DF}"= "c:\progra~1\CFi\SHELLT~1\CFiShlEx.dll" [2007-01-28 43008]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RipBAR.LNK]
backup=c:\windows\pss\RipBAR.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^File-Ex.lnk]
backup=c:\windows\pss\File-Ex.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GreasyPalmUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogueMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 01:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2009-12-30 18:47 523408 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 13:09 102400 ------w- c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
2007-06-29 11:44 1990704 ----a-w- c:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
2007-05-22 07:27 190024 ----a-w- c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 11:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Standby]
2010-01-07 13:09 105632 ----a-w- c:\program files\Common Files\Corel\Standby\Standby.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"bdss"=2 (0x2)
"gusvc"=3 (0x3)
"LIVESRV"=2 (0x2)
"wwSecSvc"=2 (0x2)
"wwEngineSvc"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"WeOnlyDo wodAppUpdate Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Flashget"=c:\program files\FlashGet\flashget.exe /min
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Namo\\WebEditor 5\\bin\\WebEditor.exe"=
"c:\\Program Files\\MSGTAG\\MSGTAG.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\DzSoft\\PHP Editor\\DzPhpEd.exe"=
"c:\\WINDOWS\\system32\\mcoinstall.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\Tabrowser\\Tabrowser.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\e-on software\\Vue 7 xStream\\Application\\Vue 7 xStream.eon"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Smith Micro\\Poser Pro\\PoserPro.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sunbelt Software\\VIPRE\\SBAMSvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/04/2009 15:28 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [25/04/2010 11:13 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [13/10/2009 09:02 95024]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [25/04/2010 10:26 204632]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/04/2010 14:02 304464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [25/04/2010 11:13 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [19/04/2010 13:47 181584]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/04/2010 14:02 20952]
S1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [22/05/2007 11:33 79104]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [19/04/2010 13:48 2726000]
S3 Altop0borns;Altop0borns;c:\windows\system32\drivers\raspppoe.sys [28/02/2006 13:00 41472]
S3 Dhcpuwaser;Dhcpuwaser; [x]
S4 Dontcicsswoda;Dontcicsswoda;c:\windows\system32\clipsrv.exe [28/02/2006 13:00 33280]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 12:17 1181328]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15/10/2008 19:37 717296]
S4 WeOnlyDo wodAppUpdate Service;WeOnlyDo wodAppUpdate Service;c:\program files\Braid Art Labs\GroBoto\bin\wodUpdSv.exe [13/05/2008 01:39 28144]
S4 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11/12/2009 08:48 598856]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 14:41]

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 159.145.15.101:80
uSearchAssistant = hxxp://www.google.com/ie
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Html To Image - c:\program files\Html To Image\menu.htm
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://server002.compagnieshaven.nl:8000/activex/AMC.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.piclens.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\g4lo5ioz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_19.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {51519A94-F9BA-4D21-A463-04C29A23DD02} - c:\documents and settings\user\Local Settings\Application Data\{51519A94-F9BA-4D21-A463-04C29A23DD02}
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-GreasyPalmUpdate - c:\windows\GreasyPalmUpdate.exe
Notify-COMdit - COMdit.dll
MSConfigStartUp-Ifojeneqehexop - c:\windows\adufuxuz.dll
MSConfigStartUp-setup - c:\windows\urrqpm.dll
AddRemove-WS_FTP Pro - c:\program files\WS_FTP Pro\uninst.isu



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0A2C6EC6-E1BC-9BF5-B3F7D282645EFB0F}\{C08E0694-C5E1-48EE-3ACF6A24AC2BF796}\{A9549B8D-B7EF-15E1-4BD44DC35FFCD192}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17739CC8-1062-40F7-1C3862585ABD2CDA}\{84278681-95F8-776A-6C175249145B2CFC}\{113E55B4-CE67-C34A-F065E12B6143C7DD}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2F312D46-407E-2DF3-DA31-840104244DDC}\InProcServer32*]
"jahmnifnllfionnblhpb"=hex:6a,61,6f,70,70,61,68,69,70,6f,69,63,68,61,6a,63,69,
6b,69,6c,00,00
"iahmhglgnmfcfnfpdl"=hex:6a,61,6f,70,63,61,63,67,70,63,63,6d,70,6e,6f,6f,70,70,
68,65,00,d3

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3024A848-7C77-6F90-8B14B36A94BB61F2}\{6CDD5654-07A8-13D8-C2EB636328E10F29}\{AF593ADC-BF32-7E11-B704756686EE805B}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5B0B6C35-3AEA-9EAE-179EBB09B20EA2F1}\{75565C86-DCE5-4077-B0F3502E93E7104E}\{6B409343-0D15-4A1C-46DBD99A1375331F}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,f7,b4,a8,
93,58,dc,2e,27,d1,8a,7c,16,61,eb,7d,b2,10,c6,0c,81,db,52,d6,17,38,77,7f,06,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C87D1BA9-1306-77F5-90F87A723F410748}\{690B68B5-18FE-E760-90ABE82D4BAC7FD3}\{66897D8D-2C31-7872-FEBDD8B850AFD9F2}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D2BB5886-979D-9102-6DE8CA90D9DFCF32}\{8C62C1A9-3EC5-6052-CACC7EB9BC8ACBFD}\{DD639986-4BF0-F7FE-AD8A79BFC0DA1D7B}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
Completion time: 2010-05-11 05:55:25
ComboFix-quarantined-files.txt 2010-05-11 04:55

Pre-Run: 99,576,643,584 bytes free
Post-Run: 100,019,802,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A14159E9F9A24DD1783E7BCA9FAC4396

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.


Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
Hi DragonMaster Jay
I had some problems with running GMER scan. It would not go past a certain point on the scan, it didn't freeze, it just stopped. I waited for an hour and tried again and it stopped in the same place for over an hour. So I booted into safe mode and tried again and it stopped scanning in the same place so I have copied the text that was in the window.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 10:10:35
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kftyrpod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x29 0x43 0x66 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x29 0x43 0x66 0x3A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x29 0x43 0x66 0x3A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{0A2C6EC6-E1BC-9BF5-B3F7D282645EFB0F}\{C08E0694-C5E1-48EE-3ACF6A24AC2BF796}\{A9549B8D-B7EF-15E1-4BD44DC35FFCD192}
Reg HKLM\SOFTWARE\Classes\CLSID\{0A2C6EC6-E1BC-9BF5-B3F7D282645EFB0F}\{C08E0694-C5E1-48EE-3ACF6A24AC2BF796}\{A9549B8D-B7EF-15E1-4BD44DC35FFCD192}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{17739CC8-1062-40F7-1C3862585ABD2CDA}\{84278681-95F8-776A-6C175249145B2CFC}\{113E55B4-CE67-C34A-F065E12B6143C7DD}
Reg HKLM\SOFTWARE\Classes\CLSID\{17739CC8-1062-40F7-1C3862585ABD2CDA}\{84278681-95F8-776A-6C175249145B2CFC}\{113E55B4-CE67-C34A-F065E12B6143C7DD}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}
Reg HKLM\SOFTWARE\Classes\CLSID\{18E09523-0BB1-0E75-6B141AE958ABE9E7}\{8E8BA3D9-389B-9F43-3B5B6490B54F898E}\{0E0922CC-9ECE-C3AB-5B05A5FA1997F2CA}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{2F312D46-407E-2DF3-DA31-840104244DDC}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{2F312D46-407E-2DF3-DA31-840104244DDC}\InProcServer32@jahmnifnllfionnblhpb 0x6A 0x61 0x6F 0x70 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{2F312D46-407E-2DF3-DA31-840104244DDC}\InProcServer32@iahmhglgnmfcfnfpdl 0x6A 0x61 0x6F 0x70 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{3024A848-7C77-6F90-8B14B36A94BB61F2}\{6CDD5654-07A8-13D8-C2EB636328E10F29}\{AF593ADC-BF32-7E11-B704756686EE805B}
Reg HKLM\SOFTWARE\Classes\CLSID\{3024A848-7C77-6F90-8B14B36A94BB61F2}\{6CDD5654-07A8-13D8-C2EB636328E10F29}\{AF593ADC-BF32-7E11-B704756686EE805B}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}
Reg HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}
Reg HKLM\SOFTWARE\Classes\CLSID\{454884EE-A952-6288-D98E4C6628C57FD8}\{4E2828CC-5D4E-CAA4-0B0E2FF0C61DD876}\{D33FFB02-83E4-6D49-8432C9C83D6B1A26}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5B0B6C35-3AEA-9EAE-179EBB09B20EA2F1}\{75565C86-DCE5-4077-B0F3502E93E7104E}\{6B409343-0D15-4A1C-46DBD99A1375331F}
Reg HKLM\SOFTWARE\Classes\CLSID\{5B0B6C35-3AEA-9EAE-179EBB09B20EA2F1}\{75565C86-DCE5-4077-B0F3502E93E7104E}\{6B409343-0D15-4A1C-46DBD99A1375331F}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}
Reg HKLM\SOFTWARE\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}
Reg HKLM\SOFTWARE\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}
Reg HKLM\SOFTWARE\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{C87D1BA9-1306-77F5-90F87A723F410748}\{690B68B5-18FE-E760-90ABE82D4BAC7FD3}\{66897D8D-2C31-7872-FEBDD8B850AFD9F2}
Reg HKLM\SOFTWARE\Classes\CLSID\{C87D1BA9-1306-77F5-90F87A723F410748}\{690B68B5-18FE-E760-90ABE82D4BAC7FD3}\{66897D8D-2C31-7872-FEBDD8B850AFD9F2}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{D2BB5886-979D-9102-6DE8CA90D9DFCF32}\{8C62C1A9-3EC5-6052-CACC7EB9BC8ACBFD}\{DD639986-4BF0-F7FE-AD8A79BFC0DA1D7B}
Reg HKLM\SOFTWARE\Classes\CLSID\{D2BB5886-979D-9102-6DE8CA90D9DFCF32}\{8C62C1A9-3EC5-6052-CACC7EB9BC8ACBFD}\{DD639986-4BF0-F7FE-AD8A79BFC0DA1D7B}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}
Reg HKLM\SOFTWARE\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2F312D46-407E-2DF3-DA31-840104244DDC}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2F312D46-407E-2DF3-DA31-840104244DDC}@iajmcnplkbjjahlecb 0x6A 0x61 0x6F 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2F312D46-407E-2DF3-DA31-840104244DDC}@halmmofglfccifhi 0x6A 0x61 0x6F 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2F312D46-407E-2DF3-DA31-840104244DDC}@haebimnchoeaenad 0x64 0x63 0x61 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3CF14527-F454-C333-B8EF-7625BB5F57B5}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3CF14527-F454-C333-B8EF-7625BB5F57B5}@kaaampfiggfpfhmfpofnbe 0x67 0x61 0x6F 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3CF14527-F454-C333-B8EF-7625BB5F57B5}@kaaampfiggfpfhmfpofnod 0x66 0x61 0x6F 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC596B82-6AFF-4C55-C600-9C42EF21FDCF}

---- EOF - GMER 1.0.15 ----

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
    acpi.sys infected with Packed.Protector.C Nclahc

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    acpi.sys infected with Packed.Protector.C 2j5lb6
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
Thankyou again DragonMaster Jay, here is the report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/11 19:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA58C7000 Size: 786432 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA3350000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\hlktmp
Status: Allocation size mismatch (API: 33570816, Raw: 0)

Path: c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\logs\protection-log-2010-05-11.txt
Status: Size mismatch (API: 418696, Raw: 418622)

Path: C:\Documents and Settings\user\Local Settings\Apps\2.0\TZZ0YPZ0.OAM\3T1QVJ9Q.QC6\manifests\Ticketer.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Apps\2.0\TZZ0YPZ0.OAM\3T1QVJ9Q.QC6\manifests\Ticketer.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Apps\2.0\TZZ0YPZ0.OAM\3T1QVJ9Q.QC6\manifests\Ticketer.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Apps\2.0\TZZ0YPZ0.OAM\3T1QVJ9Q.QC6\manifests\Ticketer.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "" at address 0xad82a796

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xad82a78c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "" at address 0xad82a79b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xad82a7a5

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xad82a7aa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xad82a778

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xad82a77d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xad82a7b4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "" at address 0xad82a7af

#: 247 Function Name: NtSetValueKey
Status: Hooked by "" at address 0xad82a7a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xad82a787

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2928) Address: 0x01000000 Size: 20480

==EOF==

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
  • Please go to VirSCAN.org FREE on-line scan service
  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\drivers\acpi.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



Do the same for this file:

c:\windows\system32\svchost.exe

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
VirSCAN.org Scanned Report :
Scanned time : 1970/01/01 01:00:00 (BST)
Scanner results: Scanners did not find malware!
File Name :
File Size : byte
File Type :
MD5 :
SHA1 :
Online report : http://virscan.org/report/.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
That did not go well. Please try again for both files.

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
acpi.sys

VirSCAN.org Scanned Report :
Scanned time : 1970/01/01 01:00:00 (BST)
Scanner results: Scanners did not find malware!
File Name :
File Size : byte
File Type :
MD5 :
SHA1 :
Online report : http://virscan.org/report/.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result


svchost.exe

VirSCAN.org Scanned Report :
Scanned time : 1970/01/01 01:00:00 (BST)
Scanner results: Scanners did not find malware!
File Name :
File Size : byte
File Type :
MD5 :
SHA1 :
Online report : http://virscan.org/report/.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result

I pressed the rescan button and thought it would have given a list like last time. Is it ok or shall I do it again?

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
It did not process them correctly.

Please try http://www.virustotal.com

and do the similar process.

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
The web site seems to be down at the moment I will keep trying

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
Indeed. What about http://www.jotti.org

descriptionacpi.sys infected with Packed.Protector.C EmptyRe: acpi.sys infected with Packed.Protector.C

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum