
Multiple infections / problems


  • This topic is locked
27 replies to this topic

#1 Badassbiker

Badassbiker

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:06:06 PM

Posted 01 June 2010 - 02:38 AM

Hi Guys,

I was troubleshooting slow network performance on our LAN when I came across one of the workstations broadcasting a lot of NBTNS queries to random addresses. I ran a scan with Malwarebytes which found numerous infections and also with Kaspersky which also found a number of problems, but neither was able to remove all the infections. The DDS scan ran successfully but GMER crashes when scanning \Device\HLVol and I was unable to get a GMER log. The DDS log follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Henriette1 at 9:18:38.75 on Tue 06/01/2004
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.562 [GMT 2:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe
C:\Program Files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vyjob.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe
C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
C:\Documents and Settings\Henriette\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.za/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RPT Msgsrv] "c:\program files\panasonic\panasonic-dms\rpt network printer port\Msgsrv.exe" /NRPT Network Printer /S
mRun: [Panasonic Device Monitor Wakeup] c:\program files\panasonic\panasonic-dms\device monitor\DMWakeup.exe
mRun: [ctfmon.exe] ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [jobagi] c:\windows\system32\vyjob.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\applic~1\micros~1\shortc~1\jobsta~1.lnk - c:\program files\panasonic\panasonic-dms\lrecvtrap\LRecvTrap.exe
StartupFolder: c:\docume~1\alluse~1\applic~1\micros~1\shortc~1\panaso~1.lnk - c:\program files\panasonic\panasonic-dms\port controller\Mfpscdl.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {588DEB4A-5988-4468-B644-BAAE80FD0036} = 192.168.0.10
Notify: klogon - c:\windows\system32\klogon.dll
mASetup: {E2ABAEB9-DDCA-C89F-DAEB-5CE3D076FD06} - c:\windows\system32\incognito.exe

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-4 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 208616]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [2010-3-4 168960]

=============== Created Last 30 ================

2010-05-31 15:04:28 13646 ----a-w- c:\windows\system32\wpa.bak
2010-05-31 14:48:57 0 d-----w- C:\cmdcons
2010-05-31 14:47:06 98816 ----a-w- c:\windows\sed.exe
2010-05-31 14:47:06 77312 ----a-w- c:\windows\MBR.exe
2010-05-31 14:47:06 256512 ----a-w- c:\windows\PEV.exe
2010-05-31 14:47:06 161792 ----a-w- c:\windows\SWREG.exe
2010-05-31 14:37:34 0 d-----w- c:\program files\CCleaner
2010-05-14 13:41:07 0 d-----w- c:\windows\system32\LogFiles
2010-03-04 07:17:18 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-04 07:17:18 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-04 07:16:41 335904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-04 07:16:41 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-04 07:16:41 1831456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-04 07:16:41 15388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-04 07:16:41 0 d-----w- c:\program files\Kaspersky Lab
2010-03-04 07:16:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-04 07:11:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-04 07:11:33 168960 ----a-w- c:\windows\system32\hounnehehoos.exe
2010-03-04 07:11:18 168960 ----a-w- c:\windows\system32\vyjob.exe
2010-03-04 05:45:57 33 ----a-w- C:\drdh.exe
2010-03-04 05:40:02 0 d-sh--r- C:\CONFIG
2010-03-03 06:50:38 8498 ----a-w- C:\mycadddms.exe
2010-03-02 13:23:00 22 ----a-w- c:\windows\hotpussy.zip
2010-03-02 08:12:21 102432 ----a-w- c:\windows\system32\msvcrt2.dll
2010-02-18 07:23:25 0 d-----w- c:\program files\MSECache
2010-02-08 11:07:30 0 d-----w- C:\pastel
2010-02-08 09:12:32 57344 ----a-w- c:\windows\system32\Interop.zkemkeeper.dll
2010-02-08 09:12:32 16384 ----a-w- c:\windows\system32\A7Comms.exe
2010-02-08 09:08:52 0 d-----w- c:\windows\system32\XPSViewer
2010-02-08 09:08:11 14048 ------w- c:\windows\system32\spmsg2.dll
2010-02-08 09:07:14 0 d-----w- C:\Uniauto
2010-02-08 09:06:50 57344 ----a-w- c:\windows\system32\commpro.dll
2010-02-08 09:06:50 45056 ----a-w- c:\windows\system32\comms.dll
2010-02-08 09:06:50 335872 ----a-w- c:\windows\system32\zkemkeeper.dll
2010-02-08 09:06:50 126976 ----a-w- c:\windows\system32\rscomm.dll
2010-02-08 09:06:50 110592 ----a-w- c:\windows\system32\rscagent.dll
2010-02-08 09:06:50 100352 ----a-w- c:\windows\system32\plce.dll
2010-02-08 09:06:49 159744 ----a-w- c:\windows\system32\zkemsdk.dll
2010-02-08 09:06:49 0 d-----w- C:\Uniclox
2010-02-08 09:05:44 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-08 09:05:39 0 d-----w- c:\program files\MSXML 6.0
2010-02-05 08:46:36 0 d--h--w- c:\windows\PIF
2010-02-05 08:43:22 0 d-----w- c:\docume~1\henrie~1\applic~1\Malwarebytes
2010-02-05 08:43:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 08:43:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 08:43:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 08:43:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-05 08:34:00 0 d-----w- c:\windows\pss
2010-01-26 09:50:42 0 d-----w- C:\New Folder
2009-10-20 13:31:11 0 d-----w- c:\program files\Babylon
2009-10-20 13:31:07 0 d-----w- c:\docume~1\henrie~1\applic~1\Babylon
2009-10-20 13:31:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Babylon
2009-10-20 09:25:08 32256 ----a-w- c:\windows\system32\MGCSPLM.DLL
2009-09-10 13:16:00 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-09-10 13:16:00 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-09-01 05:23:12 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-09-01 05:23:12 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-09-01 05:23:11 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-09-01 05:23:11 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-09-01 05:23:11 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-01 05:23:11 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-09-01 05:23:11 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-09-01 05:23:11 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-09-01 05:23:11 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-09-01 05:23:11 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-09-01 05:23:08 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-01 05:23:08 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-07-21 10:49:19 3245 ----a-w- c:\windows\system32\wbem\Outlook_01ca09f0e602b5be.mof
2009-03-12 07:47:13 0 d--h--w- c:\program files\Zenographics
2009-03-12 07:46:34 606 ----a-w- c:\windows\hpntwksetup.ini
2009-03-12 07:45:11 0 d-----w- C:\HP 2600n
2009-03-03 10:59:13 0 d-----w- C:\BPC_PDF
2009-03-03 10:57:53 0 d-----w- c:\docume~1\henrie~1\applic~1\ICAClient
2009-03-03 10:55:57 0 d-----w- c:\program files\Citrix
2009-03-03 10:49:48 7614464 ----a-w- C:\Ica32Web.msi
2009-01-29 09:41:20 20480 ----a-w- c:\windows\system32\DocMgrMon.dll
2009-01-29 09:41:02 0 d-----w- C:\Panasonic Document Manager
2009-01-28 10:29:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-01-28 09:13:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-01-22 05:49:05 0 d-----w- C:\Backups
2009-01-20 13:43:10 31 ----a-w- C:\dev.ini
2009-01-20 13:37:48 0 d-----w- c:\program files\common files\Panasonic
2009-01-20 13:36:50 275968 ----a-w- c:\windows\system32\inet4ap.dll
2009-01-20 13:36:49 47104 ----a-w- c:\windows\system32\mgcst5lm.dll
2009-01-20 13:35:48 42496 ----a-w- c:\windows\system32\RPTlpr.dll
2009-01-20 13:35:48 171008 ----a-w- c:\windows\system32\RPTlprUi.dll
2009-01-20 13:34:59 0 d-----w- C:\Panasonic
2009-01-20 13:30:49 159744 ----a-w- c:\windows\system32\instpcl.dll
2009-01-20 13:18:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-01-20 13:18:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-01-20 13:18:55 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-01-20 13:18:55 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-01-20 13:18:47 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-01-20 13:18:47 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-01-20 13:18:41 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-01-20 13:18:41 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-01-20 11:04:38 0 d-----w- c:\windows\system32\appmgmt
2009-01-20 09:35:40 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-01-20 09:35:40 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2009-01-20 09:35:40 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-01-20 09:34:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-20 09:25:40 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-01-20 09:25:39 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-01-20 09:25:39 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-01-20 09:25:39 38912 ------w- c:\windows\system32\picn20.dll
2009-01-20 09:25:39 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-01-20 09:25:39 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-01-20 09:25:39 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-01-20 09:25:38 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-01-20 07:32:21 0 d-s---w- c:\documents and settings\henriette\UserData
2009-01-20 07:31:50 0 d-----w- c:\program files\OE-Mail Recovery
2009-01-20 07:10:07 376 ----a-w- c:\windows\ODBC.INI
2009-01-20 07:10:03 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-01-20 07:09:01 0 d-----w- c:\windows\SHELLNEW
2009-01-20 07:07:28 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-01-20 07:06:14 223128 ----a-w- c:\windows\system32\drivers\dtscsi.sys
2009-01-20 06:47:46 96256 ----a-w- c:\windows\system32\drivers\sptd2573.sys
2009-01-20 06:47:46 664064 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-01-20 05:11:47 0 d-sh--w- c:\documents and settings\all users\DRM
2009-01-20 05:11:28 0 d--h--w- c:\program files\WindowsUpdate
2009-01-20 05:10:27 0 d-----w- c:\program files\common files\MSSoap
2009-01-20 05:09:09 0 d-----w- c:\program files\Online Services
2009-01-20 05:09:03 0 d-----w- c:\program files\Messenger
2009-01-20 05:08:59 0 d-----w- c:\program files\MSN Gaming Zone
2009-01-20 05:08:15 0 d-----w- c:\program files\Windows NT
2009-01-19 19:21:17 0 d-----w- c:\program files\common files\ODBC
2009-01-19 19:21:13 0 d-----w- c:\program files\common files\SpeechEngines
2009-01-19 19:20:44 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-03-04 08:07:48 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2010-03-01 12:48:39 14336 ----a-w- c:\windows\system32\svchost.exe
2009-03-16 08:43:28 237 ----a-w- c:\program files\PanaHDS.ini
2009-01-29 09:41:27 22 ----a-w- c:\program files\InstSuccess.ini
2009-01-22 07:21:46 665600 ----a-w- c:\windows\system32\drivers\hardlock.sys
2009-01-22 07:21:46 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-01-22 07:21:46 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-01-20 10:59:58 502272 ----a-w- c:\windows\system32\winlogon.exe
2009-01-20 05:09:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2008-11-11 18:00:04 218376 ----a-w- c:\windows\system32\klogon.dll
2008-11-11 17:58:54 25601 ----a-w- c:\windows\system32\drivers\klopp.dat
2008-07-21 15:34:36 121872 ----a-w- c:\windows\system32\drivers\kl1.sys
2008-04-30 15:06:48 24592 ----a-w- c:\windows\system32\drivers\klim5.sys
2008-03-13 16:02:46 26640 ----a-w- c:\windows\system32\drivers\klfltdev.sys
2007-10-23 23:47:38 84480 ----a-w- c:\windows\system32\mscories.dll
2007-10-23 23:47:38 282112 ----a-w- c:\windows\system32\mscoree.dll
2007-10-23 23:47:38 158720 ----a-w- c:\windows\system32\mscorier.dll
2007-10-23 23:47:28 96760 ----a-w- c:\windows\system32\dfshim.dll
2007-10-11 07:55:10 88576 ----a-w- c:\windows\system32\infocardapi.dll
2007-10-11 07:55:10 579584 ----a-w- c:\windows\system32\icardagt.exe
2007-10-11 07:55:10 11776 ----a-w- c:\windows\system32\icardres.dll
2007-10-09 11:03:14 1986072 ----a-w- c:\windows\system32\milcore.dll
2007-10-09 11:03:12 779800 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2007-10-09 11:03:12 493080 ----a-w- c:\windows\system32\evr.dll
2007-10-09 11:03:08 350744 ----a-w- c:\windows\system32\PresentationHost.exe
2007-10-09 11:03:08 161304 ----a-w- c:\windows\system32\UIAutomationCore.dll
2007-10-09 11:03:04 106520 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 11:03:02 33304 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2007-10-09 11:03:00 73752 ----a-w- c:\windows\system32\dxva2.dll
2007-10-09 10:58:20 16896 ----a-w- c:\windows\system32\tswpfwrp.exe
2007-05-15 13:43:10 1320800 ----a-w- c:\windows\system32\msxml6.dll
2007-05-08 15:08:12 86728 ----a-w- c:\windows\system32\msxml6r.dll
2007-03-23 04:07:56 1683280 ------w- c:\windows\system32\XpsSvcs.dll
2007-03-23 04:07:54 583504 ------w- c:\windows\system32\XPSSHHDR.dll
2007-03-22 18:25:02 124928 ------w- c:\windows\system32\prntvpt.dll
2007-02-09 13:33:58 30808 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2007-02-09 13:33:58 29779 ----a-w- c:\windows\fonts\GlobalSerif.CompositeFont
2007-02-09 13:33:58 26489 ----a-w- c:\windows\fonts\GlobalSansSerif.CompositeFont
2007-02-09 13:33:58 26040 ----a-w- c:\windows\fonts\GlobalMonospace.CompositeFont
2006-10-26 12:10:08 1190688 ----a-w- c:\windows\system32\FM20.DLL
2006-10-26 12:10:06 33088 ----a-w- c:\windows\system32\FM20ENU.DLL
2006-10-26 11:45:04 293376 ----a-w- c:\windows\system32\WISPTIS.EXE
2006-10-26 11:45:04 207360 ----a-w- c:\windows\system32\INKED.DLL
2006-10-24 10:30:20 412160 ------w- c:\windows\system32\photometadatahandler.dll
2006-10-24 10:30:06 716288 ------w- c:\windows\system32\WindowsCodecs.dll
2006-10-24 10:30:00 276992 ------w- c:\windows\system32\WMPhoto.dll
2006-10-24 10:29:50 352256 ------w- c:\windows\system32\WindowsCodecsExt.dll
2006-09-26 19:12:20 331916 ----a-w- c:\windows\fonts\CAMBRIAB.TTF
2006-09-26 19:12:18 1090456 ----a-w- c:\windows\fonts\CAMBRIA.TTC
2006-09-11 10:12:46 352736 ----a-w- c:\windows\fonts\CALIBRI.TTF
2006-09-11 10:12:44 367620 ----a-w- c:\windows\fonts\CALIBRIZ.TTF
2006-09-11 10:12:44 362524 ----a-w- c:\windows\fonts\CALIBRII.TTF
2006-09-11 10:12:44 351544 ----a-w- c:\windows\fonts\CALIBRIB.TTF
2006-08-24 14:15:06 150808 ----a-w- c:\windows\system32\rgb9rast_2.dll
2006-08-09 12:14:02 336812 ----a-w- c:\windows\fonts\CAMBRIAI.TTF
2006-07-24 08:50:40 47920 ----a-w- c:\windows\system32\VBAME.DLL
2006-07-24 08:50:40 39728 ----a-w- c:\windows\system32\SCP32.DLL
2006-07-14 09:01:32 179368 ----a-w- c:\windows\fonts\ARIALNI.TTF
2006-07-14 09:01:32 178864 ----a-w- c:\windows\fonts\ARIALNB.TTF
2006-07-14 09:01:32 178316 ----a-w- c:\windows\fonts\ARIALNBI.TTF
2006-07-14 09:01:30 173936 ----a-w- c:\windows\fonts\ARIALN.TTF
2006-06-28 12:24:28 509920 ----a-w- c:\windows\fonts\SEGOEUI.TTF
2006-06-28 12:24:28 490852 ----a-w- c:\windows\fonts\SEGOEUIB.TTF
2006-06-28 12:24:24 393068 ----a-w- c:\windows\fonts\SEGOEUIZ.TTF
2006-06-28 12:24:24 380456 ----a-w- c:\windows\fonts\SEGOEUII.TTF
2006-01-18 10:32:16 98520 ----a-w- c:\windows\fonts\CONSOLA.TTF
2006-01-18 10:32:16 110268 ----a-w- c:\windows\fonts\CONSOLAZ.TTF
2006-01-18 10:32:16 104144 ----a-w- c:\windows\fonts\CONSOLAI.TTF
2006-01-18 10:32:16 100436 ----a-w- c:\windows\fonts\CONSOLAB.TTF
2005-11-02 14:53:42 86084 ----a-w- c:\windows\system32\MGCSInst.dll
2005-09-23 05:28:56 32768 ----a-w- c:\windows\system32\netfxperf.dll
2005-05-26 18:49:32 40448 ----a-w- c:\windows\system32\InstProc.dll
2005-05-03 10:58:36 884736 ----a-w- c:\windows\system32\msimsg.dll
2005-05-03 10:58:36 78848 ----a-w- c:\windows\system32\msiexec.exe
2005-05-03 10:58:36 2890240 ----a-w- c:\windows\system32\msi.dll
2005-05-03 10:58:36 271360 ----a-w- c:\windows\system32\msihnd.dll
2005-05-03 10:58:36 15360 ----a-w- c:\windows\system32\msisip.dll
2004-11-02 09:52:38 106496 ----a-w- c:\windows\system32\instutil.dll
2004-08-04 00:56:48 74240 ----a-w- c:\windows\system32\usbui.dll
2004-08-04 00:56:46 74752 ----a-w- c:\windows\system32\storprop.dll
2004-08-03 23:07:44 44672 ----a-w- c:\windows\system32\drivers\UAGP35.SYS
2004-08-03 23:01:08 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2004-08-03 22:59:38 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2004-08-03 22:31:36 32768 ----a-w- c:\windows\system32\drivers\sisnic.sys
2004-08-03 21:15:54 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2004-08-03 21:07:46 63744 ----a-w- c:\windows\system32\drivers\mf.sys
2004-08-03 21:01:16 196864 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2004-08-03 20:59:08 15488 ----a-w- c:\windows\system32\drivers\serenum.sys
2004-04-02 10:06:58 198072 ----a-w- c:\windows\fonts\GARA.TTF
2004-04-02 10:05:30 189464 ----a-w- c:\windows\fonts\GARAIT.TTF
2004-04-02 10:05:28 199772 ----a-w- c:\windows\fonts\GARABD.TTF

============= FINISH: 9:19:12.31 ===============
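Triage logic for the DDS and OTL line formats posted in this thread, as an added example (not code from DDS, OTL, or anyone in the thread). It assumes the line layouts visible in the logs above; the sample lines are copied from those logs, and the three scoring signals (recent creation plus an autostart entry, an empty company name, and same-size files written seconds apart) are generic triage heuristics, not anything the thread states about these files.

```python
"""Triage helper for the DDS and OTL log formats posted in this thread.

Three line types are parsed and correlated (layouts as they appear above):
  DDS "Created Last 30": <yyyy-mm-dd hh:mm:ss> <size> <attrs> <path>
  DDS autostarts:        mRun: [name] "<path>" [args]  /  S2 svc;Display;<path> [date size]
  OTL PRC/SRV/DRV:       PRC - [<date> | <size> | ...] (<Company>) [...] -- <path> [-- (svc)]
Each independent signal scores one point, so the ranking surfaces the entries a
helper would look at first without relying on any signature.
"""
import re
from collections import defaultdict
from datetime import datetime

CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
RUN_RE = re.compile(r'^[mu]Run: \[([^\]]+)\] "?([^"]+?)"?(?:\s+/.*)?$')
SVC_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")
OTL_RE = re.compile(
    r"^(?:PRC|SRV|DRV) - \[[^|]*\| [\d,]+ \|[^\]]*\] \(([^)]*)\) (?:\[[^\]]*\] )?-- (.+?)(?: -- \(.*\))?$"
)

# Constructed sample: lines copied from the DDS and OTL logs in this thread.
SAMPLE_DDS = r"""
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [jobagi] c:\windows\system32\vyjob.exe
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [2010-3-4 168960]
2010-03-04 07:11:33 168960 ----a-w- c:\windows\system32\hounnehehoos.exe
2010-03-04 07:11:18 168960 ----a-w- c:\windows\system32\vyjob.exe
2010-03-04 07:16:41 0 d-----w- c:\program files\Kaspersky Lab
"""
SAMPLE_OTL = r"""
PRC - [2010/03/04 09:11:18 | 000,168,960 | ---- | M] () -- C:\WINDOWS\system32\vyjob.exe
SRV - [2010/03/04 09:11:18 | 000,168,960 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\hounnehehoos.exe -- (zii9wxiofdhoe5)
SRV - [2010/03/04 10:07:48 | 000,208,616 | ---- | M] (Kaspersky Lab) [Auto | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP)
"""


def parse_dds(text):
    """Return (created, autostarts): lowercased path -> (datetime, size) for files
    created in the last 30 days, and lowercased path -> list of launch points."""
    created, autostarts = {}, defaultdict(list)
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CREATED_RE.match(line):
            when, size, attrs, path = m.groups()
            if attrs[0] != "d":  # first attribute flag is 'd' for directory entries
                created[path.lower()] = (datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(size))
        elif m := RUN_RE.match(line):
            name, path = m.groups()
            autostarts[path.lower()].append(f"Run value [{name}]")
        elif m := SVC_RE.match(line):
            svc, display, path = m.groups()
            autostarts[path.lower()].append(f"service {svc} ({display})")
    return created, autostarts


def parse_otl(text):
    """Return lowercased path -> company string from version info ('' when OTL shows '()')."""
    companies = {}
    for line in text.splitlines():
        if m := OTL_RE.match(line.strip()):
            company, path = m.groups()
            companies[path.lower()] = company
    return companies


def triage(dds_text, otl_text, cluster_window_s=600):
    """Correlate the three views; return path -> list of reasons the file stands out."""
    created, autostarts = parse_dds(dds_text)
    companies = parse_otl(otl_text)
    reasons = defaultdict(list)
    # Signal 1: written within the last 30 days AND wired into an autostart location.
    for path, (when, _size) in created.items():
        if path in autostarts:
            reasons[path].append(f"created {when:%Y-%m-%d %H:%M:%S}, autostarts via "
                                 + "; ".join(autostarts[path]))
    # Signal 2: autostart binary whose version info carries no company name.
    for path, company in companies.items():
        if company == "" and path in autostarts:
            reasons[path].append("no company name in version info (OTL shows '()')")
    # Signal 3: recent files of identical size written within a short window of each
    # other, the trace a dropper leaves when it writes several copies of itself.
    by_size = defaultdict(list)
    for path, (when, size) in created.items():
        by_size[size].append((when, path))
    for size, entries in by_size.items():
        for when, path in entries:
            siblings = [p for w, p in entries
                        if p != path and abs((w - when).total_seconds()) <= cluster_window_s]
            if siblings:
                reasons[path].append(f"same size ({size} bytes) as {', '.join(siblings)}"
                                     f" written within {cluster_window_s}s")
    return dict(reasons)


def rank(reasons):
    """Paths ordered by number of independent signals, then alphabetically."""
    return sorted(reasons, key=lambda p: (-len(reasons[p]), p))


if __name__ == "__main__":
    findings = triage(SAMPLE_DDS, SAMPLE_OTL)
    for path in rank(findings):
        print(f"{path}  [{len(findings[path])} signals]")
        for reason in findings[path]:
            print(f"    - {reason}")
```

Run against the full logs above, the same three signals put the two system32 executables at the top and leave the vendor-signed Kaspersky and Panasonic entries unscored.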


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:06 PM

Posted 03 June 2010 - 05:51 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 Badassbiker

Badassbiker
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:06:06 PM

Posted 04 June 2010 - 04:06 AM

Hi Elise,

Thanks in advance for your kind assistance. Here are the logs:

OTL.txt
---------
OTL logfile created on: 6/4/2010 8:10:55 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Henriette\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 680.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 65.79 Gb Free Space | 88.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.45 Gb Total Space | 7.43 Gb Free Space | 99.78% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADMIN
Current User Name: Henriette1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/04 08:02:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henriette\Desktop\OTL.exe
PRC - [2010/03/04 09:11:18 | 000,168,960 | ---- | M] () -- C:\WINDOWS\system32\vyjob.exe
PRC - [2007/04/11 17:28:00 | 000,057,344 | ---- | M] () -- C:\Program Files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe
PRC - [2007/03/04 15:06:18 | 000,147,456 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe
PRC - [2006/11/02 14:54:28 | 000,303,104 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe
PRC - [2006/05/09 20:49:08 | 000,176,128 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
PRC - [2004/08/04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/02/24 15:15:58 | 000,069,632 | ---- | M] (Panasonic) -- C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe


========== Modules (SafeList) ==========

MOD - [2010/06/04 08:02:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henriette\Desktop\OTL.exe
MOD - [2004/08/04 14:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 14:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/04 10:07:48 | 000,208,616 | ---- | M] (Kaspersky Lab) [Auto | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP)
SRV - [2010/03/04 09:11:18 | 000,168,960 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\hounnehehoos.exe -- (zii9wxiofdhoe5)
SRV - [2004/02/24 15:15:58 | 000,069,632 | ---- | M] (Panasonic) [Auto | Running] -- C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe -- (Panasonic Trap Monitor Service)


========== Driver Services (SafeList) ==========

DRV - [2010/03/04 10:07:48 | 000,033,808 | ---- | M] (Kaspersky Lab) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2010/03/04 10:07:47 | 000,226,832 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/01/22 09:21:46 | 000,665,600 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (hardlock)
DRV - [2009/01/22 09:21:46 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2009/01/20 09:06:14 | 000,223,128 | ---- | M] (DT Soft Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi)
DRV - [2009/01/20 08:47:46 | 000,664,064 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2008/07/21 17:34:36 | 000,121,872 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/04/30 17:06:48 | 000,024,592 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2008/03/13 18:02:46 | 000,026,640 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klfltdev.sys -- (KLFLTDEV)
DRV - [2004/08/04 14:00:00 | 000,104,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\dmusic.dll -- (DMusic)
DRV - [2004/08/04 00:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/08/03 23:07:46 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2001/06/18 11:44:20 | 000,006,592 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ds1410d.sys -- (DS1410D)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1390067357-602609370-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
IE - HKU\S-1-5-21-1390067357-602609370-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\THBExt [2010/03/04 09:16:59 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/05/31 17:04:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [jobagi] C:\WINDOWS\system32\vyjob.exe ()
O4 - HKLM..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe (Panasonic Communications Co., Ltd.)
O4 - HKLM..\Run: [RPT Msgsrv] C:\Program Files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Job Status Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe (Panasonic Communications Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panasonic Communications Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe (Panasonic Communications Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1390067357-602609370-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1390067357-602609370-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll File not found
O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/20 07:12:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3b2b088a-d591-11de-a211-00192116140f}\Shell\AutoRun\command - "" = E:\NADFOLDER\autorun.exe -- File not found
O33 - MountPoints2\{3b2b088a-d591-11de-a211-00192116140f}\Shell\open\command - "" = E:\NADFOLDER\autorun.exe -- File not found
O33 - MountPoints2\{d30b94a8-e6c0-11dd-bc78-00192116140f}\Shell - "" = AutoRun
O33 - MountPoints2\{d30b94a8-e6c0-11dd-bc78-00192116140f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d30b94a8-e6c0-11dd-bc78-00192116140f}\Shell\AutoRun\command - "" = E:\setuppro.EXE -- File not found
O33 - MountPoints2\{d30b94a8-e6c0-11dd-bc78-00192116140f}\Shell\configure\command - "" = E:\setuppro.EXE -- File not found
O33 - MountPoints2\{d30b94a8-e6c0-11dd-bc78-00192116140f}\Shell\install\command - "" = E:\setuppro.EXE -- File not found
O33 - MountPoints2\{fcbb5a50-50d0-11de-a190-00192116140f}\Shell\AutoRun\command - "" = NADFOLDER\autorun.exe
O33 - MountPoints2\{fcbb5a50-50d0-11de-a190-00192116140f}\Shell\open\command - "" = NADFOLDER\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/04 08:10:34 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Henriette\Desktop\OTL.exe
[2010/05/31 17:44:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/31 17:09:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/31 16:48:57 | 000,000,000 | ---D | C] -- C:\cmdcons
[2010/05/31 16:47:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/31 16:47:06 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/31 16:47:06 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/31 16:47:06 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/31 16:46:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/31 16:44:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/31 16:40:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Henriette\Recent
[2010/05/31 16:37:34 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/31 15:30:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/05/14 15:41:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/02/08 11:12:32 | 000,057,344 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.zkemkeeper.dll
[5 C:\Documents and Settings\Henriette\Desktop\*.tmp files -> C:\Documents and Settings\Henriette\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/04 08:03:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\sv2ejk50.exe
[2010/06/04 08:02:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henriette\Desktop\OTL.exe
[2010/06/04 07:08:47 | 000,000,031 | ---- | M] () -- C:\dev.ini
[2010/06/04 07:05:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/04 07:05:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/03 15:32:36 | 001,831,456 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/06/03 15:32:36 | 000,335,904 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/06/03 15:32:36 | 000,015,388 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/06/03 15:32:36 | 000,002,228 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/06/03 15:32:14 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\Henriette\ntuser.dat
[2010/06/03 15:32:14 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Henriette\ntuser.ini
[2010/06/03 07:25:40 | 000,009,256 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/02 13:28:23 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\ABSENTS.xls
[2010/06/01 09:14:44 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\gmer.zip
[2010/06/01 09:13:36 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\dds.scr
[2010/06/01 09:13:14 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\Defogger.exe
[2010/05/31 17:14:45 | 000,000,598 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/31 17:14:45 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/31 17:04:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/31 17:04:26 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/31 16:48:58 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/05/31 16:37:44 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\CCleaner.lnk
[2010/05/31 15:32:17 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/26 13:25:58 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\Microsoft Office Word 2007.lnk
[2010/05/25 14:49:20 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\SELNOMMERS.xls
[2010/05/25 08:46:33 | 000,000,291 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\data on 'server' (P).lnk
[2010/05/24 14:44:57 | 000,000,480 | ---- | M] () -- C:\Documents and Settings\Henriette\My Documents\spider.sav
[2010/05/19 11:39:34 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Henriette\Desktop\Microsoft Office Excel 2007.lnk
[2010/05/05 09:28:32 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/05/05 09:28:32 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[5 C:\Documents and Settings\Henriette\Desktop\*.tmp files -> C:\Documents and Settings\Henriette\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/04 08:10:37 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Henriette\Desktop\sv2ejk50.exe
[2010/05/31 17:04:28 | 000,013,646 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/31 16:49:04 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/31 16:49:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/31 16:47:16 | 005,767,168 | ---- | C] () -- C:\Documents and Settings\Henriette\ntuser.dat
[2010/05/31 16:47:06 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/31 16:47:06 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/31 16:47:06 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/31 16:47:06 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/31 16:47:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/31 16:37:44 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Henriette\Desktop\CCleaner.lnk
[2010/05/31 15:31:06 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/03/02 10:12:21 | 000,102,432 | ---- | C] () -- C:\WINDOWS\System32\msvcrt2.dll
[2010/02/08 11:06:50 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\rscomm.dll
[2010/02/08 11:06:50 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\rscagent.dll
[2010/02/08 11:06:50 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\plce.dll
[2010/02/08 11:06:50 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\commpro.dll
[2010/02/08 11:06:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\comms.dll
[2010/02/08 11:06:49 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\zkemsdk.dll
[2009/03/12 09:47:29 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2009/03/12 09:47:29 | 000,000,131 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2009/03/12 09:47:13 | 011,194,368 | ---- | C] () -- C:\WINDOWS\System32\zhhp_res.dll
[2009/03/12 09:47:13 | 000,749,568 | ---- | C] () -- C:\WINDOWS\System32\agissi.dll
[2009/03/12 09:46:34 | 000,000,606 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2009/01/22 09:21:46 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2009/01/22 09:21:42 | 000,006,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\ds1410d.sys
[2009/01/22 09:21:40 | 000,015,600 | ---- | C] () -- C:\WINDOWS\System32\Ctl3dnt.dll
[2009/01/22 09:21:40 | 000,015,276 | ---- | C] () -- C:\WINDOWS\System32\Ctl3d33.dll
[2009/01/22 09:21:40 | 000,000,148 | ---- | C] () -- C:\WINDOWS\System32\Foxpro.ini
[2009/01/22 09:21:36 | 000,500,853 | ---- | C] () -- C:\WINDOWS\System32\Mcw16.dll
[2009/01/22 09:21:36 | 000,396,800 | ---- | C] () -- C:\WINDOWS\System32\Mcw32.dll
[2009/01/22 09:21:36 | 000,076,800 | ---- | C] () -- C:\WINDOWS\System32\Haspfp32.dll
[2009/01/20 15:35:48 | 000,171,008 | ---- | C] () -- C:\WINDOWS\System32\RPTlprUi.dll
[2009/01/20 15:35:48 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\RPTlpr.dll
[2009/01/20 09:10:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/04 14:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 14:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
< End of report >
---------------------
Extras.txt
---------------------
OTL Extras logfile created on: 6/4/2010 8:10:55 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Henriette\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 680.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 65.79 Gb Free Space | 88.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.45 Gb Total Space | 7.43 Gb Free Space | 99.78% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADMIN
Current User Name: Henriette1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\CtDrvInsAll.exe" = C:\WINDOWS\system32\CtDrvInsAll.exe:*:Enabled:DHCP Router -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe" = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe:*:Enabled:Panasonic Communications Utility -- (Panasonic Communications Co., Ltd.)
"C:\Program Files\Panasonic\Panasonic-DMS\Network MFP Utilities\CnfgEditor\SYSTEM\mfrspool.exe" = C:\Program Files\Panasonic\Panasonic-DMS\Network MFP Utilities\CnfgEditor\SYSTEM\mfrspool.exe:*:Enabled:Panasonic Network Configuration/Adress Book Editor -- (Panasonic Communications Co., Ltd.)
"C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe" = C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe:*:Enabled:Panasonic Trap Monitor Service -- (Panasonic)
"C:\Program Files\Panasonic\Panasonic-DMS\LFax\NaeCMN.exe" = C:\Program Files\Panasonic\Panasonic-DMS\LFax\NaeCMN.exe:*:Enabled:Panasonic Fax Driver(Address Book) -- ()
"C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe" = C:\Program Files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe:*:Enabled:Panasonic Trap Receiving Services -- (Panasonic Communications Co., Ltd.)
"C:\Program Files\Panasonic\Panasonic-DMS\Device Monitor\DMList.exe" = C:\Program Files\Panasonic\Panasonic-DMS\Device Monitor\DMList.exe:*:Enabled:Panasonic Device Monitor -- (Panasonic Communications Co., Ltd. )
"C:\WINDOWS\system32\CtDrvInsAll.exe" = C:\WINDOWS\system32\CtDrvInsAll.exe:*:Enabled:DHCP Router -- File not found
"C:\WINDOWS\system32\dlllhost.exe" = C:\WINDOWS\system32\dlllhost.exe:*:Enabled:Netlogon -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{23E8D2D6-F7C8-4A35-816C-6C914EE0A601}" = Citrix Presentation Server Client - Web Only
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{44CDB8EC-569D-4C61-B18C-8768A1FC7E15}" = Panasonic RPT Network Printer Port
"{695603EE-5D13-4406-A034-B1346652CC4D}" = Windows Firewall Setting Tool
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{78F2FF7C-AC3C-430C-83A7-E2859FBA630A}" = Panasonic Printing System
"{873AF01F-143B-4F30-A3DC-034B84A25CDA}" = Direct Printing System
"{8B52FD74-DE41-4C87-8221-0566A5887E13}" = Device Monitor Model
"{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{924149AC-E9A7-4CA1-8028-BD2391E2C773}" = Device Monitor Common
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{BE0CA31E-0FD0-44FA-BE90-B793049572BA}" = Quick Image Navigator
"{BEFBBD6D-9C6D-4EE3-BC62-6FC72866CF8E}" = Panasonic Document Management System
"{C5429B04-A343-4882-8291-9A8BDDF62393}" = Network Configuration and Address Book Editor Common
"{D1DDEC86-EF31-4BB1-9C35-F996D38C0CF0}" = Panasonic Fax Driver
"{DEA90EEC-CA16-4092-9604-25B2ACC5273B}" = Communications Utility
"{DEC264C1-6234-4739-94B3-630CD04C4CAE}" = Document Manager
"{E3675BDC-6C45-42F8-AB58-D53AD4A31194}" = Device Explorer
"{F0520D42-802C-4C30-B8CF-8DCA7DD84B41}" = Panasonic Job Status Utility
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATR9800 for Windows" = ATR9800 for Windows
"Babylon" = Babylon
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HP-Color LaserJet 2600n" = Color LaserJet 2600n
"InstallShield_{695603EE-5D13-4406-A034-B1346652CC4D}" = Panasonic Windows Firewall Setting Tool
"InstallShield_{78F2FF7C-AC3C-430C-83A7-E2859FBA630A}" = Panasonic Printer Drivers
"InstallShield_{873AF01F-143B-4F30-A3DC-034B84A25CDA}" = Panasonic Direct Printing System
"InstallShield_{8B52FD74-DE41-4C87-8221-0566A5887E13}" = Panasonic Device Monitor Model(DP-C405 / C305 / C265 Series)
"InstallShield_{924149AC-E9A7-4CA1-8028-BD2391E2C773}" = Panasonic Device Monitor Common
"InstallShield_{BE0CA31E-0FD0-44FA-BE90-B793049572BA}" = Panasonic Quick Image Navigator
"InstallShield_{BEFBBD6D-9C6D-4EE3-BC62-6FC72866CF8E}" = Panasonic Document Management System
"InstallShield_{C5429B04-A343-4882-8291-9A8BDDF62393}" = Panasonic Network Configuration and Address Book Editor Common
"InstallShield_{DEA90EEC-CA16-4092-9604-25B2ACC5273B}" = Panasonic Communications Utility
"InstallShield_{E3675BDC-6C45-42F8-AB58-D53AD4A31194}" = Panasonic Device Explorer
"InstallShield_{F0520D42-802C-4C30-B8CF-8DCA7DD84B41}" = Panasonic Job Status Utility
"InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"ms32" = ms32
"NeroMultiInstaller!UninstallKey" = Nero Suite
"OE-Mail Recovery_is1" = OE-Mail Recovery 1.7
"PROHYBRIDR" = 2007 Microsoft Office system
"Vision Unique" = Vision Unique
"WIC" = Windows Imaging Component
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/5/2009 9:21:59 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x00098e09.

Error - 11/5/2009 9:23:03 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x00098e09.

Error - 11/9/2009 2:07:03 AM | Computer Name = ADMIN | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/9/2009 2:20:08 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x0009d1a8.

Error - 11/9/2009 4:55:36 AM | Computer Name = ADMIN | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/11/2009 1:46:33 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x00098e09.

Error - 11/19/2009 1:57:07 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x000d82b2.

Error - 11/20/2009 6:44:19 AM | Computer Name = ADMIN | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/1/2009 2:19:27 AM | Computer Name = ADMIN | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 9.0.0.332, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2009 9:55:36 AM | Computer Name = ADMIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x03e79934.

[ System Events ]
Error - 5/31/2010 10:46:13 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/31/2010 10:49:30 AM | Computer Name = ADMIN | Source = Service Control Manager | ID = 7034
Description = The Websense CPM Report Scheduler service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/31/2010 10:54:48 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/31/2010 11:16:04 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/31/2010 11:44:34 AM | Computer Name = ADMIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/31/2010 11:44:48 AM | Computer Name = ADMIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/31/2010 11:45:56 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 6/1/2010 1:54:58 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 6/3/2010 1:25:40 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 6/4/2010 1:05:10 AM | Computer Name = ADMIN | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.


< End of report >
--------------------
gmer.log
--------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 10:32:09
Windows 5.1.2600 Service Pack 2
Running: sv2ejk50.exe; Driver: C:\DOCUME~1\HENRIE~1\LOCALS~1\Temp\axtdrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF6ED61DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF6ED67AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF6ED81EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF6ED7B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF6ED5950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF6ED9B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF6ED65AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF6ED5D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF6ED5F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF6ED7EAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF6EDA084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF6ED60A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF6ED6110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF6ED7D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF6ED9620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF6ED79F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xF6ED5AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF6ED63B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF6ED9BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF6ED62FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF6ED6178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF6ED5E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF6ED5C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF6ED9888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF6ED55D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF6ED8A74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF6ED5734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF6ED9F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF6ED53D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF6ED808C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF6ED66AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF6ED971A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF6ED9BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF6ED5B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF6ED9CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF6ED9DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF6ED954C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF6ED647E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF6ED64F0]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F67D516D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F67D4FC2

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + FB 804E4FBC 4 Bytes JMP 25F6ED81
.text ntoskrnl.exe!ZwYieldExecution + 473 804E5334 12 Bytes [B4, 9C, ED, F6, E0, 9D, ED, ...]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xF63DA400, 0x7EE2E, 0xE0000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF6477A20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF6477A20]
.protect˙˙˙˙hardlockunknown last code section [0xF6477800, 0x4E48, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xF6477800, 0x4E48, 0xE0000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F719FCC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F719FCC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [F719FB70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xA0 0x29 0x8E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0xA0 0x29 0x8E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

---- EOF - GMER 1.0.15 ----


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 04:09 AM

Hi there,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Badassbiker

Badassbiker
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:South Africa

Posted 04 June 2010 - 04:48 AM

Hi Elise,

I have run ComboFix and it completed its scan; there were some messages about files that it was deleting, and then the PC restarted. Now I get a message that I must activate Windows. When I click on activate Windows online I get a message that activation failed and I must contact telephonic support. It will not let me log in to Windows.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 04:51 AM

Do you have a legit copy of Windows? If so, you can use Microsoft's (free) telephone support.

regards, Elise




#7 Badassbiker

Badassbiker
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:South Africa

Posted 04 June 2010 - 04:53 AM

I do have a legit copy; I will try that and get back to you.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 05:20 AM

Okay, I hope you get this issue fixed. In case you need help finding the contact details, please let me know.

regards, Elise




#9 Badassbiker

Badassbiker
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:South Africa

Posted 04 June 2010 - 05:28 AM

Okay, I managed to get Windows activated again. Here is the ComboFix log:

ComboFix 10-06-03.01 - Henriette1 06/04/2010 11:37:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.556 [GMT 2:00]
Running from: c:\documents and settings\Henriette\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\ms32.sys
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\reclicks32.dll
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\s1co.exe
c:\windows\system32\kernel33.dll
c:\windows\system32\msvcrt2.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{2B3B6B9E-49E0-4B25-84E8-C37F8396D53B}\RP233\A0046955.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF


((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-05-31 14:37 . 2010-05-31 14:37 -------- d-----w- c:\program files\CCleaner
2010-05-31 13:30 . 2010-05-31 13:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-24 09:09 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Henriette\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-14 13:41 . 2010-05-14 13:41 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 10:20 . 2010-03-04 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-04 09:40 . 2010-03-04 07:16 335904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-04 09:40 . 2010-03-04 07:16 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-04 09:40 . 2010-03-04 07:16 1831456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-04 09:40 . 2010-03-04 07:16 15388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-31 12:41 . 2010-02-05 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 07:28 . 2010-03-04 07:17 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-05 07:28 . 2010-03-04 07:17 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-29 13:39 . 2010-02-05 08:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-02-05 08:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-16 08:43 . 2009-01-20 13:33 237 ----a-w- c:\program files\PanaHDS.ini
2009-01-29 09:41 . 2009-01-29 09:41 22 ----a-w- c:\program files\InstSuccess.ini
.

------- Sigcheck -------

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-04 . 7399D854596BFEFEED6B60879F28CE07 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2006-11-02 303104]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"jobagi"="c:\windows\system32\vyjob.exe" [2010-03-04 168960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2007-3-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleiI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleiI.lnk
backup=c:\windows\pss\BlueSoleiI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
c:\documents and settings\Henriette\glvhoer.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-09-08 16:34 3730832 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixBluetooth]
c:\documents and settings\Henriette\Local Settings\Temp\pb3\BlueSoleiI.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Connection Wizard Setup Tool]
c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jobagi]
2010-03-04 07:11 168960 ----a-w- c:\windows\system32\vyjob.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft® System Manager]
c:\windows\system32\174217.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 23:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXPService]
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\iexplorer.pif [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2009 8:47 AM 664064]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [3/4/2010 9:11 AM 168960]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2ABAEB9-DDCA-C89F-DAEB-5CE3D076FD06}]
c:\windows\system32\incognito.exe [BU]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: {588DEB4A-5988-4468-B644-BAAE80FD0036} = 192.168.0.10
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 12:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8639FA40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8639fa40
\Driver\ACPI -> ACPI.sys @ 0xf7729cb8
\Driver\atapi -> atapi.sys @ 0xf76c02f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf75caaf9
PacketIndicateHandler -> NDIS.sys @ 0xf75d5b21
SendHandler -> NDIS.sys @ 0xf75ca938
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-04 12:23:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 10:23
ComboFix2.txt 2010-05-31 15:09

Pre-Run: 70,565,548,032 bytes free
Post-Run: 70,582,468,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B97C8DDD4C613CFF491377CA5D5F3B5D
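
The log above carries the three things worth pulling out of a ComboFix report before acting on it: a tcpip.sys in drivers\ whose MD5 differs from the dllcache copy, Security Center and firewall overrides that silence the AV and firewall warnings, and autostart entries such as vyjob.exe and hounnehehoos.exe that share one file size and sit in odd places. The script below is an added illustration, not part of this thread or of ComboFix; it re-derives those findings from a trimmed copy of the log, and its heuristics and the EXPECTED table are the editor's own assumptions.

```python
"""Triage helper for a ComboFix log (added illustration, not part of this thread
or of ComboFix; the heuristics and the EXPECTED table are assumptions).  It flags a
driver whose MD5 differs from its dllcache copy, Security Center/firewall values
that suppress protection, and autostart entries in odd places or sharing a size."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-04 . 7399D854596BFEFEED6B60879F28CE07 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"jobagi"="c:\windows\system32\vyjob.exe" [2010-03-04 168960]
c:\documents and settings\Henriette\Local Settings\Temp\pb3\BlueSoleiI.exe [BU]
c:\windows\system32\174217.exe [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [3/4/2010 9:11 AM 168960]
------- Supplementary Scan -------
"""

def section(log, start, end):
    # Stripped lines after the first line containing `start`, up to `end`.
    out, inside = [], False
    for line in log.splitlines():
        if not inside:
            inside = start in line
        elif end in line:
            break
        else:
            out.append(line.strip())
    return out

SIG_RE = re.compile(r"^\[.\] \S+ \. ([0-9A-Fa-f]{32}) \. \d+ \. \. \[[^\]]*\] \. \. (.+)$")

def sigcheck_mismatches(log):
    """basename -> {path: md5} for files hashed in two places with different results."""
    copies = defaultdict(dict)
    for line in section(log, "Sigcheck", "Reg Loading Points"):
        m = SIG_RE.match(line)
        if m:
            path = m.group(2).lower()
            copies[path.rsplit("\\", 1)[-1]][path] = m.group(1).upper()
    return {name: c for name, c in copies.items() if len(set(c.values())) > 1}

# Healthy values (assumed); anything else silences warnings or turns the firewall off.
EXPECTED = {"AntiVirusOverride": 0, "FirewallOverride": 0, "DisableMonitoring": 0, "EnableFirewall": 1}
VAL_RE = re.compile(r'^"(\w+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')

def weakened_protection(log):
    """(name, value) for Security Center / firewall settings off their healthy value."""
    found = []
    for line in log.splitlines():
        m = VAL_RE.match(line.strip())
        if m and m.group(1) in EXPECTED:
            value = int(m.group(2), 16)  # parses both dword:00000001 and "0 (0x0)"
            if value != EXPECTED[m.group(1)]:
                found.append((m.group(1), value))
    return found

RUN_RE = re.compile(r'^"[^"]+"="([^"]+)"\s*\[\S+ (\d+)\]')  # Run values
SVC_RE = re.compile(r"^[RS]\d \S+?;[^;]*;(.+?) \[[^\]]*? (\d+)\]")  # R0/S2 service lines
BARE_RE = re.compile(r"^(c:\\.*?\.(?:exe|pif|dll|sys|scr|com))\b", re.I)  # msconfig items
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")

def autostart_entries(log):
    """Yield (path, size or None) for every autostart item in 'Reg Loading Points'."""
    for line in section(log, "Reg Loading Points", "Supplementary Scan"):
        m = RUN_RE.match(line) or SVC_RE.match(line)
        if m:
            yield m.group(1).lower(), int(m.group(2))
        elif BARE_RE.match(line):
            yield BARE_RE.match(line).group(1).lower(), None

def suspicious_autostarts(log):
    """(path, reason) pairs from deliberately simple, explainable heuristics."""
    entries = list(autostart_entries(log))
    by_size = defaultdict(set)
    for path, size in entries:
        by_size[size].add(path)
    findings = []
    for path, size in entries:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if any(marker in path for marker in USER_WRITABLE):
            findings.append((path, "runs from a user-writable location"))
        if stem.isdigit():
            findings.append((path, "purely numeric file name"))
        if size and len(by_size[size]) > 1:  # vyjob.exe and hounnehehoos.exe: 168960 bytes each
            findings.append((path, "same size as another autostart binary"))
    return findings

if __name__ == "__main__":
    print(sigcheck_mismatches(SAMPLE_LOG), weakened_protection(SAMPLE_LOG),
          suspicious_autostarts(SAMPLE_LOG), sep="\n")
```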


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 05:36 AM

Hello again, well done.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE
<http://www.bleepingcomputer.com/forums/index.php?showtopic=320686&view=findpost&p=1785075>

Collect::
c:\windows\system32\vyjob.exe

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jobagi"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jobagi]


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


regards, Elise




#11 Badassbiker

Badassbiker
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:South Africa

Posted 04 June 2010 - 06:13 AM

Hi Elise,

The file has been uploaded. Here is the next ComboFix log:

ComboFix 10-06-03.01 - Henriette1 06/04/2010 12:53:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.654 [GMT 2:00]
Running from: c:\documents and settings\Henriette\Desktop\ComboFix.exe
Command switches used :: e:\henriette\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

file zipped: c:\windows\system32\vyjob.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\vyjob.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-05-31 14:37 . 2010-05-31 14:37 -------- d-----w- c:\program files\CCleaner
2010-05-31 13:30 . 2010-05-31 13:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-24 09:09 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Henriette\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-14 13:41 . 2010-05-14 13:41 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 10:51 . 2010-03-04 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-04 10:50 . 2010-03-04 07:16 335904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-04 10:50 . 2010-03-04 07:16 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-04 10:50 . 2010-03-04 07:16 1831456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-04 10:50 . 2010-03-04 07:16 15388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-31 12:41 . 2010-02-05 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 07:28 . 2010-03-04 07:17 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-05 07:28 . 2010-03-04 07:17 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-29 13:39 . 2010-02-05 08:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-02-05 08:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-16 08:43 . 2009-01-20 13:33 237 ----a-w- c:\program files\PanaHDS.ini
2009-01-29 09:41 . 2009-01-29 09:41 22 ----a-w- c:\program files\InstSuccess.ini
.

((((((((((((((((((((((((((((( SnapShot@2010-06-04_10.20.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-20 05:16 . 2010-06-04 10:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-20 05:16 . 2010-06-04 10:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-20 05:16 . 2010-06-04 10:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2006-11-02 303104]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2007-3-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleiI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleiI.lnk
backup=c:\windows\pss\BlueSoleiI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
c:\documents and settings\Henriette\glvhoer.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-09-08 16:34 3730832 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixBluetooth]
c:\documents and settings\Henriette\Local Settings\Temp\pb3\BlueSoleiI.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Connection Wizard Setup Tool]
c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft® System Manager]
c:\windows\system32\174217.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 23:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXPService]
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\iexplorer.pif [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [3/4/2010 9:11 AM 168960]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2009 8:47 AM 664064]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2ABAEB9-DDCA-C89F-DAEB-5CE3D076FD06}]
c:\windows\system32\incognito.exe [BU]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: {588DEB4A-5988-4468-B644-BAAE80FD0036} = 192.168.0.10
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 12:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-04 12:58:09
ComboFix-quarantined-files.txt 2010-06-04 10:58
ComboFix2.txt 2010-06-04 10:23
ComboFix3.txt 2010-05-31 15:09

Pre-Run: 70,583,648,256 bytes free
Post-Run: 70,552,334,336 bytes free

- - End Of File - - D82DA78D7E8C68313C14A8E3E7169005


#12 Elise (Malware Study Hall Admin, Romania)

Posted 04 June 2010 - 08:31 AM

Sorry, I forgot to delete one bad service.

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE
Driver::
zii9wxiofdhoe5

Collect::
c:\windows\system32\hounnehehoos.exe


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


When done, please visit this site and follow the instructions for uploading the 2 C:\Qoobox\Quarantine\[4]-Submit_2010-xx-xx@xx.xx.zip files.

regards, Elise



Malware analyst @ Emsisoft


#13 Badassbiker (Topic Starter, South Africa)

Posted 04 June 2010 - 09:29 AM

Hi Elise, thanks very much for your great assistance so far. I'm going to owe you a big bunch of flowers when this is done!

I have uploaded the file and latest log follows.

Regards,

Hugo

ComboFix 10-06-03.01 - Henriette1 06/04/2010 16:04:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.627 [GMT 2:00]
Running from: c:\documents and settings\Henriette\Desktop\ComboFix.exe
Command switches used :: e:\henriette\CFscript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

file zipped: c:\windows\system32\hounnehehoos.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hounnehehoos.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZII9WXIOFDHOE5
-------\Service_zii9wxiofdhoe5


((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-05-31 14:37 . 2010-05-31 14:37 -------- d-----w- c:\program files\CCleaner
2010-05-31 13:30 . 2010-05-31 13:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-24 09:09 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Henriette\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-14 13:41 . 2010-05-14 13:41 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 14:09 . 2010-03-04 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-04 14:08 . 2010-03-04 07:16 335904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-04 14:08 . 2010-03-04 07:16 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-04 14:08 . 2010-03-04 07:16 1831456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-04 14:08 . 2010-03-04 07:16 15388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-31 12:41 . 2010-02-05 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 07:28 . 2010-03-04 07:17 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-05 07:28 . 2010-03-04 07:17 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-29 13:39 . 2010-02-05 08:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-02-05 08:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-16 08:43 . 2009-01-20 13:33 237 ----a-w- c:\program files\PanaHDS.ini
2009-01-29 09:41 . 2009-01-29 09:41 22 ----a-w- c:\program files\InstSuccess.ini
.

((((((((((((((((((((((((((((( SnapShot@2010-06-04_10.20.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-20 05:16 . 2010-06-04 14:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-20 05:16 . 2010-06-04 14:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-20 05:16 . 2010-06-04 14:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-20 05:16 . 2010-06-04 09:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-03-04 07:11 . 2010-03-04 07:11 168960 c:\windows\system32\vyjob.exe
- 2010-03-04 07:11 . 2010-03-04 07:11 168960 c:\windows\system32\vyjob.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2006-11-02 303104]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"jobagi"="c:\windows\system32\vyjob.exe" [2010-03-04 168960]

c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2007-3-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleiI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleiI.lnk
backup=c:\windows\pss\BlueSoleiI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
c:\documents and settings\Henriette\glvhoer.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-09-08 16:34 3730832 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixBluetooth]
c:\documents and settings\Henriette\Local Settings\Temp\pb3\BlueSoleiI.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Connection Wizard Setup Tool]
c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft® System Manager]
c:\windows\system32\174217.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 23:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXPService]
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\iexplorer.pif [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [6/4/2010 4:10 PM 168960]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2009 8:47 AM 664064]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2ABAEB9-DDCA-C89F-DAEB-5CE3D076FD06}]
c:\windows\system32\incognito.exe [BU]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 16:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\hounnehehoos.exe 168960 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-04 16:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 14:12
ComboFix2.txt 2010-06-04 10:58
ComboFix3.txt 2010-06-04 10:23
ComboFix4.txt 2010-05-31 15:09

Pre-Run: 70,553,227,264 bytes free
Post-Run: 70,523,367,424 bytes free

- - End Of File - - BF62259087CD703D7380A095AA8C91B5


#14 Elise (Malware Study Hall Admin, Romania)

Posted 04 June 2010 - 03:13 PM

Hi Hugo,

Well, that looks like our service got recreated.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Driver::
zii9wxiofdhoe5

Rootkit::
c:\windows\system32\hounnehehoos.exe

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise



Malware analyst @ Emsisoft
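Elise's diagnosis above (the service came back after ComboFix had deleted it) can be checked against the posted logs themselves. What follows is an added example, not code from this thread, from BleepingComputer or from ComboFix. It parses a constructed excerpt of the logs above and does three things a practitioner would want before running another script: it flags the Run-key entry "jobagi" (vyjob.exe) whose image size matches the hidden hounnehehoos.exe, it shows that the service binary's timestamp moved forward between the 04 June and 07 June runs (the mark of a re-drop rather than a leftover), and it lists the Security Center and firewall settings the logs show switched off. The regular expressions and the "same size, different path" heuristic are this example's own assumptions, not anything ComboFix documents.

```python
"""Cross-check ComboFix / catchme log lines for a self-restoring service.

Added example for this thread, not code from BleepingComputer, ComboFix or the
poster. Log lines are a constructed excerpt of the posted logs; the line
patterns and the size-matching heuristic are assumptions of this example."""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the 07 June ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"jobagi"="c:\windows\system32\vyjob.exe" [2010-03-04 168960]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [6/7/2010 8:07 AM 168960]
c:\windows\system32\hounnehehoos.exe 168960 bytes executable
"""
# The same service line as it appeared in the 04 June run (constructed excerpt).
PREVIOUS_LOG = r"S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [6/4/2010 4:10 PM 168960]"

# Line shapes as ComboFix/catchme print them (assumed from the posted logs).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[\S+ (?P<size>\d+)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>.*) (?P<size>\d+)\]$')
HIDDEN_RE = re.compile(r'^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes executable$', re.I)


def parse_autostarts(log):
    """Run-key values and services/drivers with image path, size and timestamp."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"],
                            "path": m["path"].lower(), "size": int(m["size"])})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"], "start": m["start"],
                            "path": m["path"].lower(), "size": int(m["size"]),
                            "stamp": m["stamp"]})
    return entries


def parse_hidden_files(log):
    """Files catchme lists under 'scanning hidden files'."""
    hidden = []
    for line in log.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden.append({"path": m["path"].lower(), "size": int(m["size"])})
    return hidden


def find_siblings(entries, hidden):
    """Autostart entries the same size as a hidden executable but at another path.
    Equal size alone proves nothing; a second random-named binary of identical
    size in system32 is simply the first place to look for the re-creator."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e)
    findings = []
    for h in hidden:
        for e in by_size.get(h["size"], []):
            if e["path"] != h["path"]:
                findings.append((e["name"], e["path"], h["path"], h["size"]))
    return findings


def recreated_services(old_log, new_log):
    """Services seen in both runs whose image timestamp changed: re-dropped."""
    old = {e["name"]: e for e in parse_autostarts(old_log) if e["kind"] == "service"}
    return [(e["name"], old[e["name"]]["stamp"], e["stamp"])
            for e in parse_autostarts(new_log)
            if e["kind"] == "service" and e["name"] in old
            and e["stamp"] != old[e["name"]]["stamp"]]


def security_posture(log):
    """Settings that silence Security Center or turn the XP firewall off."""
    flags = []
    for line in log.splitlines():
        line = line.strip()
        if line in ('"AntiVirusOverride"=dword:00000001',
                    '"FirewallOverride"=dword:00000001'):
            flags.append("Security Center override set: " + line.split('"')[1])
        elif line.startswith('"EnableFirewall"= 0'):
            flags.append("Windows Firewall standard profile disabled")
    return flags


if __name__ == "__main__":
    entries, hidden = parse_autostarts(SAMPLE_LOG), parse_hidden_files(SAMPLE_LOG)
    for name, path, twin, size in find_siblings(entries, hidden):
        print(f"{name}: {path} is {size} bytes, same as hidden {twin}")
    for name, before, after in recreated_services(PREVIOUS_LOG, SAMPLE_LOG):
        print(f"service {name} re-dropped: {before} -> {after}")
    for flag in security_posture(SAMPLE_LOG):
        print(flag)
```

Run against the excerpt it reports vyjob.exe as a same-size twin of the hidden service binary, the service timestamp advancing from the 04 June run to the 07 June run, and the three disabled-protection settings. On a live box the same correlation would be done on a fresh ComboFix log, with the twin file collected rather than deleted so it can be analysed before the next cleaning pass.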


#15 Badassbiker (Topic Starter, South Africa)

Posted 07 June 2010 - 01:25 AM

Hi Elise,

Here is the latest log:

ComboFix 10-06-06.01 - Henriette1 06/07/2010 7:59.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.621 [GMT 2:00]
Running from: c:\documents and settings\Henriette\Desktop\ComboFix.exe
Command switches used :: e:\henriette\CFscript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts
c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\Job Status Utility.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\Panasonic Communications Utility.lnk

----- BITS: Possible infected sites -----

hxxp://server.platinume.co.za
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZII9WXIOFDHOE5
-------\Service_zii9wxiofdhoe5


((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-05 11:01 . 2009-10-20 14:58 263552 -c----w- c:\windows\system32\dllcache\http.sys
2010-06-04 15:24 . 2010-06-04 15:24 -------- d-----w- c:\windows\ServicePackFiles
2010-06-04 15:19 . 2006-03-17 00:38 28672 ------w- c:\windows\system32\verclsid.exe
2010-06-04 15:19 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-04 15:19 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-04 15:17 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-04 15:17 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-04 15:17 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-04 15:17 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-04 15:17 . 2006-06-01 18:47 27648 -c----w- c:\windows\system32\dllcache\jgpl400.dll
2010-06-04 15:17 . 2006-06-01 18:47 163840 -c----w- c:\windows\system32\dllcache\jgdw400.dll
2010-06-04 15:16 . 2009-11-27 17:33 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-06-04 15:15 . 2009-11-27 16:37 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-04 15:15 . 2009-11-27 16:37 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-04 15:14 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-04 15:12 . 2010-06-05 13:00 -------- d--h--w- c:\windows\$hf_mig$
2010-05-31 14:37 . 2010-05-31 14:37 -------- d-----w- c:\program files\CCleaner
2010-05-31 13:30 . 2010-05-31 13:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-24 09:09 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Henriette\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-14 13:41 . 2010-05-14 13:41 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 06:07 . 2010-03-04 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-07 06:03 . 2010-03-04 07:16 344096 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-07 06:03 . 2010-03-04 07:16 2256 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-07 06:03 . 2010-03-04 07:16 1831456 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-07 06:03 . 2010-03-04 07:16 15388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-04 15:35 . 2010-03-04 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-31 12:41 . 2010-02-05 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 07:28 . 2010-03-04 07:17 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-05 07:28 . 2010-03-04 07:17 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-29 13:39 . 2010-02-05 08:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-02-05 08:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 08:02 . 2004-08-04 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2009-03-16 08:43 . 2009-01-20 13:33 237 ----a-w- c:\program files\PanaHDS.ini
2009-01-29 09:41 . 2009-01-29 09:41 22 ----a-w- c:\program files\InstSuccess.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2006-11-02 303104]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2010-03-04 208616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"jobagi"="c:\windows\system32\vyjob.exe" [2010-03-04 168960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2007-3-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleiI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleiI.lnk
backup=c:\windows\pss\BlueSoleiI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
c:\documents and settings\Henriette\glvhoer.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-09-08 16:34 3730832 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixBluetooth]
c:\documents and settings\Henriette\Local Settings\Temp\pb3\BlueSoleiI.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Connection Wizard Setup Tool]
c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft® System Manager]
c:\windows\system32\174217.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinXPService]
c:\documents and settings\All Users\Application Data\Microsoft\Office\Recent\date\unlock\index\Browser\iexplorer.pif [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ICF"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S2 zii9wxiofdhoe5;Websense CPM Report Scheduler;c:\windows\system32\hounnehehoos.exe [6/7/2010 8:07 AM 168960]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2009 8:47 AM 664064]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2ABAEB9-DDCA-C89F-DAEB-5CE3D076FD06}]
c:\windows\system32\incognito.exe [BU]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 08:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\hounnehehoos.exe 168960 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
.
**************************************************************************
.
Completion time: 2010-06-07 08:10:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 06:10
ComboFix2.txt 2010-06-04 14:12
ComboFix3.txt 2010-06-04 10:58
ComboFix4.txt 2010-06-04 10:23
ComboFix5.txt 2010-06-07 05:58

Pre-Run: 68,042,776,576 bytes free
Post-Run: 68,014,206,976 bytes free

- - End Of File - - AAFF06450B5829C9412788CCBA10A55F




