System Check Virus: Can't get rid of it

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

System Check Virus: Can't get rid of it Rootkill did not get rid of, can't DL Anti-Mal

#1 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 18 January 2012 - 02:39 AM

Got the System Check Virus. Followed directions and was able to get icons back. Can't run Malwarebytes even after following all directions. Plz help. Danke.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:27:07 on 2012-01-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2736 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [winupd] c:\docume~1\owner\locals~1\Temp:winupd.exe
uRun: [dplaysvr] c:\documents and settings\owner\application data\dplaysvr.exe
uRun: [nah_Shell] c:\documents and settings\owner\nah_gywh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [dplaysvr] c:\documents and settings\owner\application data\dplaysvr.exe
mRun: [hDNYrohYYsM.exe] c:\documents and settings\all users\application data\hDNYrohYYsM.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBGAFIARQBFAC0AVgA2AFoASgBBAC0AQgBOADIAWQBRAC0ARgAzAFYAUwBSAC0AVgBXAFMAUgA0AC0AVgBZADcATQBaAA"&"inst=NwA3AC0ANQAyADcAOQAwADgANAA1ADAALQBGAEwAKwA5AC0AWABPADMANgArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQA4ADIANwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIAKwAxAC0ARgBVAEkAKwAyAA"&"prod=90"&"ver=9.0.894
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AheadData] rundll32.exe "c:\documents and settings\owner\local settings\application data\ahead\aheaddata\Aheaddata.dll",DllRegisterServer
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\dxdiag.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B2AB943C-C378-4406-B5D9-FBD76DBB0978} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 94.63.240.131 www.google.com
Hosts: 94.63.240.132 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\n9xp6pol.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {916f7aeb-13a7-4446-bd8c-4c2310a79dff} - %profile%\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}
.
============= SERVICES / DRIVERS ===============
.
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2008-4-14 14336]
S3 HwIOctl;HwIOctl;\??\c:\program files\setup files\ms-7176 v3.70\hwioctl.sys --> c:\program files\setup files\ms-7176 v3.70\HwIOctl.sys [?]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-01-17 10:39:29 380928 ----a-w- c:\documents and settings\owner\local settings\application data\vvqrpiao.exe
2012-01-17 10:11:33 362268 ----a-w- c:\documents and settings\all users\application data\cKyGWjgU1wmA9b.exe
2012-01-17 10:07:20 451356 ----a-w- c:\documents and settings\all users\application data\hDNYrohYYsM.exe
2012-01-17 10:04:17 128488 --sh--w- c:\documents and settings\owner\application data\dplayx.dll
2012-01-17 10:04:17 114664 --sh--w- c:\documents and settings\owner\application data\dplaysvr.exe
2012-01-17 01:40:40 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-01-16 19:56:30 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-01-16 19:50:04 -------- d-----w- c:\windows\system32\NtmsData
2011-12-26 20:36:19 37888 ----a-w- c:\windows\system32\USB3Nw32.dll
.
==================== Find3M ====================
.
2011-12-10 01:36:47 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-12-10 01:36:38 218808 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-12-10 01:36:38 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-25 08:48:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 19:27:22.59 ===============

Attached File(s)

attach.txt (6.56K)
Number of downloads: 2

This post has been edited by hamluis: 18 January 2012 - 08:29 AM
Reason for edit: Moved from XP to Malware Removal Logs.

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 21 January 2012 - 09:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 23 January 2012 - 11:25 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#4 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 02:25 AM

Running Combofix now. Will post log in a few moments.

#5 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 02:45 AM

ComboFix 12-01-23.02 - Owner 01/25/2012 23:33:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2755 [GMT -8:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~cKyGWjgU1wmA9b
c:\documents and settings\All Users\Application Data\~cKyGWjgU1wmA9br
c:\documents and settings\All Users\Application Data\cKyGWjgU1wmA9b
c:\documents and settings\Owner\Application Data\Local
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\extensions\{916f7aeb-13a7-4446-bd8c-4c2310a79dff}\install.rdf
c:\documents and settings\Owner\Start Menu\Programs\System Check
c:\documents and settings\Owner\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Owner\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\$NtUninstallKB34121$\2997523928
c:\windows\alcrmv.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\ShellExt\CmdOpen.dll
c:\windows\system32\USB3Nw32.dll
c:\windows\$NtUninstallKB34121$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_.netbt
-------\Service_.serial
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-26 07:41 . 2012-01-26 07:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\xircom
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\wbem\snmp
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\oobe
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\program files\microsoft frontpage
2012-01-18 10:30 . 2012-01-18 10:30 -------- d-----w- c:\program files\Common Files\Java
2012-01-18 10:30 . 2012-01-18 10:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-18 10:30 . 2012-01-18 10:30 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-18 10:30 . 2012-01-18 10:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 10:26 . 2012-01-18 10:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2012-01-18 10:26 . 2012-01-18 10:26 -------- d-----w- c:\program files\Secunia
2012-01-17 01:40 . 2008-04-14 06:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-01-16 19:56 . 2008-05-02 18:49 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-01-16 19:50 . 2012-01-16 19:50 -------- d-----w- c:\windows\system32\NtmsData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-18 10:32 . 2011-10-25 08:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-12-21 08:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 01:36 . 2010-09-03 00:04 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-12-10 01:36 . 2010-09-03 00:20 218808 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-12-10 01:36 . 2010-09-03 00:04 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
.
.
c:\windows\System32\spoolsv.exe ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBGAFIARQBFAC0AVgA2AFoASgBBAC0AQgBOADIAWQBRAC0ARgAzAFYAUwBSAC0AVgBXAFMAUgA0AC0AVgBZADcATQBaAA&inst=NwA3AC0ANQAyADcAOQAwADgANAA1ADAALQBGAEwAKwA5AC0AWABPADMANgArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQA4ADIANwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIAKwAxAC0ARgBVAEkAKwAyAA&prod=90&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivX Download Manager]
2010-12-08 21:15 63360 ----a-w- c:\program files\DivX\DivX Plus Web Player\DDMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-12-09 19:28 1226608 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-22 20:46 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-01-08 00:57 1468296 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-01-08 01:45 1496968 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-16 01:50 417792 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-08-19 00:04 17360520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\Unreal3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\War Inc Battlezone\\WarInc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58930:TCP"= 58930:TCP:Pando Media Booster
"58930:UDP"= 58930:UDP:Pando Media Booster
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 10:01 PM 994360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 12:30 AM 15544]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/14/2008 4:00 AM 14336]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\Secunia\PSI\sua.exe" --start-service --> c:\program files\Secunia\PSI\sua.exe [?]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-7176 v3.70\HwIOctl.sys --> c:\program files\Setup Files\MS-7176 v3.70\HwIOctl.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1482476501-1547161642-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 20:46]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1482476501-1547161642-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 20:46]
.
2010-03-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-08 00:57]
.
2010-03-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-08 01:45]
.
2012-01-26 c:\windows\Tasks\User_Feed_Synchronization-{9AB90988-376A-48DA-A5A9-5D06355BD6CF}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: clonewarsadventures.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-AheadData - c:\documents and settings\Owner\Local Settings\Application Data\Ahead\AheadData\Aheaddata.dll
Notify-NecUsb3Sevice - USB3Nw32.dll
Notify-USB3Nw32 - USB3Nw32.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-25 23:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1482476501-1547161642-1003\Software\SecuROM\License information*]
"datasecu"=hex:36,b5,5b,a5,6d,bc,95,65,96,0c,a6,56,48,bf,a5,83,e5,42,9d,3a,cd,
c8,f1,74,3f,bd,5b,10,ae,6e,9e,15,30,9d,fc,ea,79,4e,60,26,36,c5,d2,d4,32,89,\
"rkeysecu"=hex:39,4d,3a,2a,a0,1c,ff,80,f2,70,67,59,72,0d,78,b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2012-01-25 23:43:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-26 07:43
.
Pre-Run: 81,711,190,016 bytes free
Post-Run: 81,830,653,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8197D2ABF98D48B169E073210300F8E1

#6 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 02:49 AM

So far everything seems back to normal. :thumbsup:

Before I got your reply, I had installed the unhide.exe and noticed my original Malwarebytes Anti-Malware was still on my desktop so I ran it. Once I did that I was able to run all the recommended stuff on the Bleeping Computer page about the System Check Virus. Everything seemed normal except I kept getting re-routed to random search engines. I knew the virus was still present. Then today I wasn't able to run Google. After I can Combofix...I was able to access Google and I checked the sites I went to previously and did not get re-routed. So as of right now...everything seems back to normal. Thank you very much. You guys are talented in what you do. Try to find those programmers who make these virus. We need to flog them in public with wet noodles to teach the other hackers a lesson. Thank you once again!

Sean

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 09:04 AM

I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#8 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 08:26 PM

ComboFix 12-01-26.03 - Owner 01/26/2012 17:19:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2750 [GMT -8:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\xircom
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\wbem\snmp
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\windows\system32\oobe
2012-01-26 07:40 . 2012-01-26 07:40 -------- d-----w- c:\program files\microsoft frontpage
2012-01-18 10:30 . 2012-01-18 10:30 -------- d-----w- c:\program files\Common Files\Java
2012-01-18 10:30 . 2012-01-18 10:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-18 10:30 . 2012-01-18 10:30 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-18 10:30 . 2012-01-18 10:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 10:26 . 2012-01-18 10:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Secunia PSI
2012-01-18 10:26 . 2012-01-18 10:26 -------- d-----w- c:\program files\Secunia
2012-01-17 01:40 . 2008-04-14 06:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-01-16 19:56 . 2008-05-02 18:49 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-01-16 19:50 . 2012-01-16 19:50 -------- d-----w- c:\windows\system32\NtmsData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-18 10:32 . 2011-10-25 08:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2010-12-21 08:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-10 01:36 . 2010-09-03 00:04 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-12-10 01:36 . 2010-09-03 00:20 218808 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-12-10 01:36 . 2010-09-03 00:04 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-01-26_07.41.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-27 01:18 . 2012-01-27 01:18 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBGAFIARQBFAC0AVgA2AFoASgBBAC0AQgBOADIAWQBRAC0ARgAzAFYAUwBSAC0AVgBXAFMAUgA0AC0AVgBZADcATQBaAA&inst=NwA3AC0ANQAyADcAOQAwADgANAA1ADAALQBGAEwAKwA5AC0AWABPADMANgArADEALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsAMQA4ADIANwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIAKwAxAC0ARgBVAEkAKwAyAA&prod=90&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivX Download Manager]
2010-12-08 21:15 63360 ----a-w- c:\program files\DivX\DivX Plus Web Player\DDMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-12-09 19:28 1226608 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-22 20:46 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-01-08 00:57 1468296 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-01-08 01:45 1496968 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-16 01:50 417792 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-08-19 00:04 17360520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\Unreal3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\War Inc Battlezone\\WarInc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58930:TCP"= 58930:TCP:Pando Media Booster
"58930:UDP"= 58930:UDP:Pando Media Booster
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 10:01 PM 994360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 12:30 AM 15544]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/14/2008 4:00 AM 14336]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\Secunia\PSI\sua.exe" --start-service --> c:\program files\Secunia\PSI\sua.exe [?]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-7176 v3.70\HwIOctl.sys --> c:\program files\Setup Files\MS-7176 v3.70\HwIOctl.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1482476501-1547161642-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 20:46]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1482476501-1547161642-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 20:46]
.
2010-03-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-08 00:57]
.
2010-03-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-08 01:45]
.
2012-01-27 c:\windows\Tasks\User_Feed_Synchronization-{9AB90988-376A-48DA-A5A9-5D06355BD6CF}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: clonewarsadventures.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9xp6pol.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-26 17:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-1482476501-1547161642-1003\Software\SecuROM\License information*]
"datasecu"=hex:36,b5,5b,a5,6d,bc,95,65,96,0c,a6,56,48,bf,a5,83,e5,42,9d,3a,cd,
c8,f1,74,3f,bd,5b,10,ae,6e,9e,15,30,9d,fc,ea,79,4e,60,26,36,c5,d2,d4,32,89,\
"rkeysecu"=hex:39,4d,3a,2a,a0,1c,ff,80,f2,70,67,59,72,0d,78,b5
.
Completion time: 2012-01-26 17:25:24
ComboFix-quarantined-files.txt 2012-01-27 01:25
ComboFix2.txt 2012-01-26 07:43
.
Pre-Run: 93,055,459,328 bytes free
Post-Run: 93,097,299,968 bytes free
.
- - End Of File - - A553EC189CD7C0D10D40CB12D4F19FBA

#9 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 08:28 PM

According to the Combofix...the rootkill was still present. I noticed that when I ran tdsskiller, it showed "Virus.Win32.ZAccess.k" "Service: NetBT" and it cannot cure this no matter how many times I run tdsskiller.

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 09:04 PM

let me see the report from tdsskiller

gringo

<-- Don't worry every little bit helps.

#11 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 09:08 PM

18:08:30.0171 0380 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
18:08:30.0593 0380 ============================================================
18:08:30.0593 0380 Current date / time: 2012/01/26 18:08:30.0593
18:08:30.0593 0380 SystemInfo:
18:08:30.0593 0380
18:08:30.0593 0380 OS Version: 5.1.2600 ServicePack: 3.0
18:08:30.0593 0380 Product type: Workstation
18:08:30.0593 0380 ComputerName: ANONYMOUS
18:08:30.0593 0380 UserName: Owner
18:08:30.0593 0380 Windows directory: C:\WINDOWS
18:08:30.0593 0380 System windows directory: C:\WINDOWS
18:08:30.0593 0380 Processor architecture: Intel x86
18:08:30.0593 0380 Number of processors: 2
18:08:30.0593 0380 Page size: 0x1000
18:08:30.0593 0380 Boot type: Normal boot
18:08:30.0593 0380 ============================================================
18:08:32.0125 0380 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:08:32.0140 0380 Initialize success
18:08:33.0250 1684 ============================================================
18:08:33.0250 1684 Scan started
18:08:33.0250 1684 Mode: Manual;
18:08:33.0250 1684 ============================================================
18:08:34.0062 1684 Abiosdsk - ok
18:08:34.0093 1684 abp480n5 - ok
18:08:34.0140 1684 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:08:34.0140 1684 ACPI - ok
18:08:34.0171 1684 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:08:34.0171 1684 ACPIEC - ok
18:08:34.0171 1684 adpu160m - ok
18:08:34.0203 1684 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:08:34.0203 1684 aec - ok
18:08:34.0234 1684 AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
18:08:34.0234 1684 AFD - ok
18:08:34.0234 1684 Aha154x - ok
18:08:34.0250 1684 aic78u2 - ok
18:08:34.0265 1684 aic78xx - ok
18:08:34.0375 1684 ALCXWDM (f3e15607ba53249c765e36388b332c2f) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
18:08:34.0406 1684 ALCXWDM - ok
18:08:34.0421 1684 AliIde - ok
18:08:34.0437 1684 amsint - ok
18:08:34.0453 1684 asc - ok
18:08:34.0453 1684 asc3350p - ok
18:08:34.0468 1684 asc3550 - ok
18:08:34.0500 1684 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:08:34.0500 1684 AsyncMac - ok
18:08:34.0531 1684 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:08:34.0531 1684 atapi - ok
18:08:34.0546 1684 Atdisk - ok
18:08:34.0578 1684 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:08:34.0578 1684 Atmarpc - ok
18:08:34.0609 1684 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:08:34.0609 1684 audstub - ok
18:08:34.0640 1684 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:08:34.0640 1684 Beep - ok
18:08:34.0703 1684 catchme - ok
18:08:34.0734 1684 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:08:34.0734 1684 cbidf2k - ok
18:08:34.0750 1684 cd20xrnt - ok
18:08:34.0750 1684 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:08:34.0765 1684 Cdaudio - ok
18:08:34.0781 1684 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:08:34.0781 1684 Cdfs - ok
18:08:34.0875 1684 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:08:34.0875 1684 Cdrom - ok
18:08:34.0906 1684 Changer - ok
18:08:34.0921 1684 CmdIde - ok
18:08:34.0937 1684 Cpqarray - ok
18:08:34.0953 1684 dac2w2k - ok
18:08:34.0968 1684 dac960nt - ok
18:08:35.0015 1684 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
18:08:35.0015 1684 Disk - ok
18:08:35.0062 1684 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:08:35.0062 1684 dmboot - ok
18:08:35.0078 1684 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:08:35.0078 1684 dmio - ok
18:08:35.0109 1684 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:08:35.0109 1684 dmload - ok
18:08:35.0156 1684 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:08:35.0156 1684 DMusic - ok
18:08:35.0171 1684 dpti2o - ok
18:08:35.0187 1684 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:08:35.0187 1684 drmkaud - ok
18:08:35.0234 1684 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
18:08:35.0234 1684 exFat - ok
18:08:35.0250 1684 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:08:35.0250 1684 Fastfat - ok
18:08:35.0265 1684 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:08:35.0265 1684 Fdc - ok
18:08:35.0281 1684 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:08:35.0281 1684 Fips - ok
18:08:35.0281 1684 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:08:35.0296 1684 Flpydisk - ok
18:08:35.0312 1684 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:08:35.0312 1684 FltMgr - ok
18:08:35.0343 1684 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:08:35.0343 1684 Fs_Rec - ok
18:08:35.0359 1684 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:08:35.0359 1684 Ftdisk - ok
18:08:35.0390 1684 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:08:35.0390 1684 Gpc - ok
18:08:35.0437 1684 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:08:35.0437 1684 hidusb - ok
18:08:35.0515 1684 hpn - ok
18:08:35.0578 1684 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:08:35.0578 1684 HTTP - ok
18:08:35.0640 1684 HwIOctl - ok
18:08:35.0734 1684 i2omgmt - ok
18:08:35.0750 1684 i2omp - ok
18:08:35.0843 1684 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:08:35.0843 1684 i8042prt - ok
18:08:35.0859 1684 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:08:35.0859 1684 Imapi - ok
18:08:35.0875 1684 InCDFs - ok
18:08:35.0875 1684 InCDPass - ok
18:08:35.0890 1684 InCDRm - ok
18:08:35.0906 1684 ini910u - ok
18:08:35.0921 1684 IntelIde - ok
18:08:35.0937 1684 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:08:35.0937 1684 intelppm - ok
18:08:35.0953 1684 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:08:35.0953 1684 Ip6Fw - ok
18:08:35.0968 1684 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:08:35.0968 1684 IpFilterDriver - ok
18:08:35.0984 1684 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:08:35.0984 1684 IpInIp - ok
18:08:36.0000 1684 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:08:36.0015 1684 IpNat - ok
18:08:36.0015 1684 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:08:36.0015 1684 IPSec - ok
18:08:36.0046 1684 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:08:36.0046 1684 IRENUM - ok
18:08:36.0078 1684 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:08:36.0078 1684 isapnp - ok
18:08:36.0125 1684 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:08:36.0125 1684 Kbdclass - ok
18:08:36.0203 1684 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:08:36.0203 1684 kbdhid - ok
18:08:36.0250 1684 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:08:36.0250 1684 kmixer - ok
18:08:36.0281 1684 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
18:08:36.0281 1684 KSecDD - ok
18:08:36.0296 1684 lbrtfdc - ok
18:08:36.0375 1684 Memctl - ok
18:08:36.0406 1684 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:08:36.0406 1684 Modem - ok
18:08:36.0437 1684 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:08:36.0437 1684 Mouclass - ok
18:08:36.0453 1684 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:08:36.0453 1684 mouhid - ok
18:08:36.0468 1684 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:08:36.0468 1684 MountMgr - ok
18:08:36.0484 1684 mraid35x - ok
18:08:36.0500 1684 MRxDAV (65e818c473e220b6ab762e1966296fd1) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:08:36.0500 1684 MRxDAV - ok
18:08:36.0546 1684 MRxSmb (602549d1e8a622e5746991f6c56b21ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:08:36.0546 1684 MRxSmb - ok
18:08:36.0703 1684 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:08:36.0703 1684 Msfs - ok
18:08:36.0859 1684 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:08:36.0875 1684 MSKSSRV - ok
18:08:36.0921 1684 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:08:36.0921 1684 MSPCLOCK - ok
18:08:36.0937 1684 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:08:36.0937 1684 MSPQM - ok
18:08:37.0015 1684 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:08:37.0015 1684 mssmbios - ok
18:08:37.0046 1684 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
18:08:37.0046 1684 Mup - ok
18:08:37.0078 1684 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
18:08:37.0078 1684 NDIS - ok
18:08:37.0093 1684 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:08:37.0093 1684 NdisTapi - ok
18:08:37.0093 1684 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:08:37.0093 1684 Ndisuio - ok
18:08:37.0109 1684 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:08:37.0109 1684 NdisWan - ok
18:08:37.0125 1684 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:08:37.0125 1684 NDProxy - ok
18:08:37.0140 1684 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:08:37.0140 1684 NetBIOS - ok
18:08:37.0156 1684 NetBT (41abba0dae1d6c6e9d9b4a0cace6d326) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:08:37.0156 1684 NetBT ( Virus.Win32.ZAccess.k ) - infected
18:08:37.0156 1684 NetBT - detected Virus.Win32.ZAccess.k (0)
18:08:37.0218 1684 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:08:37.0218 1684 Npfs - ok
18:08:37.0250 1684 Ntfs (ae8cad8f28db13b515a68510a539b0b8) C:\WINDOWS\system32\drivers\Ntfs.sys
18:08:37.0250 1684 Ntfs - ok
18:08:37.0296 1684 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
18:08:37.0296 1684 NuidFltr - ok
18:08:37.0328 1684 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:08:37.0328 1684 Null - ok
18:08:37.0593 1684 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:08:37.0656 1684 nv - ok
18:08:37.0671 1684 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:08:37.0671 1684 NwlnkFlt - ok
18:08:37.0703 1684 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:08:37.0703 1684 NwlnkFwd - ok
18:08:37.0718 1684 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:08:37.0718 1684 Parport - ok
18:08:37.0734 1684 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:08:37.0734 1684 PartMgr - ok
18:08:37.0750 1684 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:08:37.0750 1684 ParVdm - ok
18:08:37.0781 1684 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:08:37.0781 1684 PCI - ok
18:08:37.0812 1684 PCIDump - ok
18:08:37.0828 1684 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:08:37.0828 1684 PCIIde - ok
18:08:37.0859 1684 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:08:37.0859 1684 Pcmcia - ok
18:08:37.0859 1684 PDCOMP - ok
18:08:37.0875 1684 PDFRAME - ok
18:08:37.0875 1684 PDRELI - ok
18:08:37.0890 1684 PDRFRAME - ok
18:08:37.0906 1684 perc2 - ok
18:08:37.0906 1684 perc2hib - ok
18:08:37.0968 1684 PnkBstrK (e3445033ca9e385081e6bb603195b6ed) C:\WINDOWS\system32\drivers\PnkBstrK.sys
18:08:37.0968 1684 PnkBstrK - ok
18:08:38.0078 1684 Point32 (e552d6598670b1e7655cb73d562e0cd9) C:\WINDOWS\system32\DRIVERS\point32.sys
18:08:38.0078 1684 Point32 - ok
18:08:38.0109 1684 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:08:38.0109 1684 PptpMiniport - ok
18:08:38.0125 1684 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:08:38.0140 1684 PSched - ok
18:08:38.0156 1684 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
18:08:38.0156 1684 PSI - ok
18:08:38.0187 1684 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:08:38.0187 1684 Ptilink - ok
18:08:38.0218 1684 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:08:38.0218 1684 PxHelp20 - ok
18:08:38.0218 1684 ql1080 - ok
18:08:38.0234 1684 Ql10wnt - ok
18:08:38.0250 1684 ql12160 - ok
18:08:38.0250 1684 ql1240 - ok
18:08:38.0265 1684 ql1280 - ok
18:08:38.0281 1684 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:08:38.0281 1684 RasAcd - ok
18:08:38.0312 1684 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:08:38.0312 1684 Rasl2tp - ok
18:08:38.0359 1684 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:08:38.0359 1684 RasPppoe - ok
18:08:38.0390 1684 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:08:38.0390 1684 Raspti - ok
18:08:38.0406 1684 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:08:38.0406 1684 Rdbss - ok
18:08:38.0421 1684 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:08:38.0421 1684 RDPCDD - ok
18:08:38.0468 1684 rdpdr (c694a927eb7c354f7ae97955043a9641) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:08:38.0468 1684 rdpdr - ok
18:08:38.0500 1684 RDPWD (e8e3107243b16a549b88d145ec051b06) C:\WINDOWS\system32\drivers\RDPWD.sys
18:08:38.0500 1684 RDPWD - ok
18:08:38.0531 1684 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:08:38.0531 1684 redbook - ok
18:08:38.0593 1684 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
18:08:38.0593 1684 rspndr - ok
18:08:38.0640 1684 RTL8023xp (69ee1e8dc0c750a5d03739e6e9429959) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
18:08:38.0640 1684 RTL8023xp - ok
18:08:38.0750 1684 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:08:38.0750 1684 Secdrv - ok
18:08:38.0796 1684 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:08:38.0796 1684 serenum - ok
18:08:38.0843 1684 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:08:38.0843 1684 Serial - ok
18:08:38.0875 1684 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:08:38.0875 1684 Sfloppy - ok
18:08:38.0890 1684 Simbad - ok
18:08:38.0906 1684 Sparrow - ok
18:08:38.0921 1684 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:08:38.0921 1684 splitter - ok
18:08:38.0968 1684 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:08:38.0968 1684 sr - ok
18:08:39.0015 1684 Srv (30efed0c77d59ae0cacb0b5c756767ed) C:\WINDOWS\system32\DRIVERS\srv.sys
18:08:39.0015 1684 Srv - ok
18:08:39.0046 1684 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:08:39.0046 1684 swenum - ok
18:08:39.0078 1684 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:08:39.0078 1684 swmidi - ok
18:08:39.0093 1684 symc810 - ok
18:08:39.0093 1684 symc8xx - ok
18:08:39.0109 1684 sym_hi - ok
18:08:39.0125 1684 sym_u3 - ok
18:08:39.0140 1684 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:08:39.0140 1684 sysaudio - ok
18:08:39.0187 1684 Tcpip (ba8c046d98345129723e6bcaa1e8ab99) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:08:39.0187 1684 Tcpip - ok
18:08:39.0187 1684 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:08:39.0187 1684 TDPIPE - ok
18:08:39.0203 1684 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
18:08:39.0203 1684 TDTCP - ok
18:08:39.0234 1684 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:08:39.0234 1684 TermDD - ok
18:08:39.0265 1684 TosIde - ok
18:08:39.0296 1684 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:08:39.0296 1684 Udfs - ok
18:08:39.0296 1684 ultra - ok
18:08:39.0343 1684 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:08:39.0343 1684 Update - ok
18:08:39.0437 1684 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:08:39.0437 1684 usbccgp - ok
18:08:39.0468 1684 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:08:39.0468 1684 usbehci - ok
18:08:39.0484 1684 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:08:39.0484 1684 usbhub - ok
18:08:39.0515 1684 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:08:39.0515 1684 usbscan - ok
18:08:39.0562 1684 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:08:39.0562 1684 USBSTOR - ok
18:08:39.0593 1684 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:08:39.0593 1684 usbuhci - ok
18:08:39.0640 1684 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:08:39.0640 1684 VgaSave - ok
18:08:39.0640 1684 ViaIde - ok
18:08:39.0656 1684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:08:39.0656 1684 VolSnap - ok
18:08:39.0687 1684 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:08:39.0703 1684 Wanarp - ok
18:08:39.0734 1684 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:08:39.0734 1684 Wdf01000 - ok
18:08:39.0750 1684 WDICA - ok
18:08:39.0796 1684 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:08:39.0796 1684 wdmaud - ok
18:08:39.0890 1684 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:08:39.0890 1684 WS2IFSL - ok
18:08:39.0937 1684 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:08:39.0937 1684 WudfPf - ok
18:08:39.0937 1684 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:08:39.0937 1684 WudfRd - ok
18:08:39.0984 1684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:08:40.0109 1684 \Device\Harddisk0\DR0 - ok
18:08:40.0125 1684 Boot (0x1200) (914e8bad6337901222659f5f9ab8da53) \Device\Harddisk0\DR0\Partition0
18:08:40.0125 1684 \Device\Harddisk0\DR0\Partition0 - ok
18:08:40.0125 1684 ============================================================
18:08:40.0125 1684 Scan finished
18:08:40.0125 1684 ============================================================
18:08:40.0140 0612 Detected object count: 1
18:08:40.0140 0612 Actual detected object count: 1
18:08:42.0062 0612 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
18:08:42.0281 0612 Backup copy not found, trying to cure infected file..
18:08:42.0281 0612 C:\WINDOWS\system32\DRIVERS\netbt.sys - Cure failed (FFFFFFFF)
18:08:42.0281 0612 C:\WINDOWS\system32\DRIVERS\netbt.sys - processing error
18:08:44.0250 0612 NetBT ( Virus.Win32.ZAccess.k ) - User select action: Cure

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 09:15 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
netbt.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

<-- Don't worry every little bit helps.

#13 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 09:18 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:17 on 26/01/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [12:00 14/04/2008] [12:00 14/04/2008] 41ABBA0DAE1D6C6E9D9B4A0CACE6D326

-= EOF =-

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 09:24 PM

Hello

do you have access to another windows XP computer - looks like we are going to have to copy a file from it

gringo

<-- Don't worry every little bit helps.

#15 icknaybob

Member

Group: Members
Posts: 20
Joined: 17-January 12

Posted 26 January 2012 - 09:27 PM

Not at the moment. All the other PCs are running Windows 7. I can check the computers at work tomorrow. I don't think they are running Windows XP either.