
Can't remove Rootkit.Agent


  • This topic is locked
18 replies to this topic

#1 snaptime1010


  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 02 June 2010 - 01:04 AM

I used Malwarebytes to remove a trojan on my Windows Vista system. However, it cannot remove the Rootkit.Agent in c:\windows\system32\drivers\agikj.sys no matter how many times I try and how many times I reboot.

I would be very grateful for any assistance you can offer.

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by dar at 1:48:20.74 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1675 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Users\dar\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\WUDFHost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\system32\svchost.exe -k WindowsMobile
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\dar\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
uRun: [Google Update] "c:\users\dar\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://kewdigital.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sagesoftware.webex.com/client/T25L/webex/ieatgpc1.cab
TCP: {AE2288C0-0B3A-4D50-81BB-66442F43639C} = 68.87.64.146,68.87.75.194
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
STS: EsozoniuMsu.Esozoniu: {030ab8db-a37c-4a28-aa47-48079571960e} - c:\windows\system32\esozoniu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dar\appdata\roaming\mozilla\firefox\profiles\zux9snw5.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\dar\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114184]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-10-10 24636]
R2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146440]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 97800]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101384]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-26 207360]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-5-22 20640]

=============== Created Last 30 ================

2010-06-02 05:32:32 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-02 04:07:50 98816 ----a-w- c:\windows\sed.exe
2010-06-02 04:07:50 77312 ----a-w- c:\windows\MBR.exe
2010-06-02 04:07:50 256512 ----a-w- c:\windows\PEV.exe
2010-06-02 04:07:50 161792 ----a-w- c:\windows\SWREG.exe
2010-06-02 03:08:28 0 d-----w- c:\users\dar\appdata\roaming\Panda Security
2010-06-02 03:06:55 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-02 03:05:59 0 d-----w- c:\programdata\Panda Security
2010-06-02 03:05:59 0 d-----w- c:\program files\Panda Security
2010-06-02 02:50:01 0 d-----w- c:\users\dar\appdata\roaming\Malwarebytes
2010-06-02 02:49:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 02:49:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 02:49:53 0 d-----w- c:\programdata\Malwarebytes
2010-06-02 02:49:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 11:55:51 0 d-----w- c:\programdata\Sun
2010-06-01 11:55:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 10:33:42 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:37:43 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-24 20:37:43 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-24 20:36:50 0 d-----w- c:\program files\iPod
2010-05-24 20:36:46 0 d-----w- c:\program files\iTunes
2010-05-24 20:31:58 0 d-----w- c:\program files\Bonjour
2010-05-24 13:40:49 0 d-----w- c:\program files\iPod(27)
2010-05-24 13:40:47 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-24 13:40:47 0 d-----w- c:\program files\iTunes(28)
2010-05-24 13:38:36 0 d-----w- c:\program files\QuickTime(37)
2010-05-24 13:34:06 0 d-----w- c:\program files\Bonjour(4)
2010-05-21 10:25:51 741376 ----a-w- c:\windows\system32\drivers\agikj.sys
2010-05-21 10:24:26 20 ----a-w- c:\users\dar\appdata\roaming\qvjsge.dat
2010-05-12 08:48:55 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-06-01 20:18:11 164269 ----a-w- c:\windows\hpoins21.dat
2010-05-24 20:32:39 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-24 20:32:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-24 20:32:39 143360 ----a-w- c:\windows\inf\infstor.dat
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-10 23:37:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-06 22:35:07 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-01 16:24:05 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010010120100102\index.dat
2008-08-26 21:28:35 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:53:52.70 ===============






#2 snemelk


    Engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:11:39 PM

Posted 04 June 2010 - 04:49 PM

Hi snaptime1010, and welcome to Bleeping Computer.

I see that you've already used ComboFix on your own... Please post the contents of C:\ComboFix.txt in your reply...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 snaptime1010

  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 05 June 2010 - 07:56 AM

Thanks snemelk for looking at this.

Here is c:\combofix.txt


ComboFix 10-06-01.01 - dar 06/02/2010 13:16:32.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1827 [GMT -4:00]
Running from: c:\users\dar\Desktop\jackx.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-02 03:08 . 2010-06-02 03:08 -------- d-----w- c:\users\dar\AppData\Roaming\Panda Security
2010-06-02 03:06 . 2010-06-02 03:06 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\programdata\Panda Security
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\program files\Panda Security
2010-06-02 02:50 . 2010-06-02 02:50 -------- d-----w- c:\users\dar\AppData\Roaming\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\programdata\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 11:55 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 10:33 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:37 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-24 20:37 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-24 20:36 . 2010-05-24 20:36 -------- d-----w- c:\program files\iPod
2010-05-24 20:36 . 2010-05-24 20:37 -------- d-----w- c:\program files\iTunes
2010-05-24 20:34 . 2010-05-24 20:34 -------- d-----w- c:\program files\Apple Software Update
2010-05-24 20:31 . 2010-05-24 20:31 -------- d-----w- c:\program files\Bonjour
2010-05-24 13:40 . 2010-05-24 13:40 -------- d-----w- c:\program files\iPod(27)
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\program files\iTunes(28)
2010-05-24 13:38 . 2010-05-24 13:39 -------- d-----w- c:\program files\QuickTime(37)
2010-05-24 13:34 . 2010-05-24 13:34 -------- d-----w- c:\program files\Bonjour(4)
2010-05-21 10:26 . 2010-06-01 19:41 120 ----a-w- c:\users\dar\AppData\Local\Hkerejataz.dat
2010-05-21 10:26 . 2010-06-01 10:36 0 ----a-w- c:\users\dar\AppData\Local\Evohujanec.bin
2010-05-12 08:48 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 20:18 . 2008-11-05 19:28 164269 ----a-w- c:\windows\hpoins21.dat
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Common Files\Java
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Java
2010-05-24 20:36 . 2009-06-04 13:10 -------- d-----w- c:\program files\Common Files\Apple
2010-05-24 20:36 . 2009-06-04 13:13 -------- d-----w- c:\programdata\Apple Computer
2010-05-24 20:35 . 2009-06-04 13:13 -------- d-----w- c:\program files\QuickTime
2010-05-24 18:38 . 2009-06-04 12:34 -------- d-----w- c:\users\dar\AppData\Roaming\dvdcss
2010-05-24 18:38 . 2009-12-17 14:13 -------- d-----w- c:\program files\Safari
2010-05-24 13:43 . 2009-06-04 13:14 -------- d-----w- c:\users\dar\AppData\Roaming\Apple Computer
2010-05-21 19:01 . 2008-08-26 21:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-21 10:24 . 2010-05-21 10:24 20 ----a-w- c:\users\dar\AppData\Roaming\qvjsge.dat
2010-05-19 14:42 . 2008-11-18 19:44 -------- d-----w- c:\program files\Paint.NET
2010-05-13 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 07:01 . 2008-10-24 22:57 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-02 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-10 23:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-05 14:01 . 2010-04-15 04:53 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-08-26 21:28 . 2008-08-26 21:28 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2010-06-02_05.23.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-06-02 17:11 52496 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-06-02 17:11 62280 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-24 22:13 . 2010-06-02 17:11 10180 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1776571630-2760082200-3331130590-1000_UserData.bin
+ 2008-10-24 22:12 . 2010-06-02 17:07 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-24 22:12 . 2010-06-02 17:07 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-24 22:12 . 2010-06-02 17:07 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-02 05:04 . 2010-06-02 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-02 17:07 . 2010-06-02 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-02 05:04 . 2010-06-02 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-02 17:07 . 2010-06-02 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-25 00:03 . 2010-06-02 15:56 208636 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2006-11-02 10:33 . 2010-06-02 17:13 694912 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-06-02 05:11 694912 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-06-02 05:11 139338 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-06-02 17:13 139338 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-01-14 42336]
"Google Update"="c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-01 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-10-10 41042]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-6-3 413696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{030AB8DB-A37C-4A28-AA47-48079571960E}"= "c:\windows\system32\esozoniu.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
perf_isv REG_SZ c:\windows\system32\dplahost.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):9a,a8,da,6e,07,2b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1776571630-2760082200-3331130590-1000]
"EnableNotificationsRef"=dword:00000001

R3 BC08BD6E;BC08BD6E;c:\windows\system32\BC08BD6E.exe [x]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-05-22 20640]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-10-10 24636]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]


--- Other Services/Drivers In Memory ---

*Deregistered* - agikj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-03 11:32]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000Core.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000UA.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-05-29 c:\windows\Tasks\Norton Security Scan for dar.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 20:45]

2010-06-02 c:\windows\Tasks\WebReg Photosmart C7200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-10-15 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {AE2288C0-0B3A-4D50-81BB-66442F43639C} = 68.87.64.146,68.87.75.194
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://kewdigital.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\users\dar\AppData\Roaming\Mozilla\Firefox\Profiles\zux9snw5.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\dar\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 13:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\agikj]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4816)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\system32\esozoniu.dll
c:\windows\system32\IoctlPe.dll
.
Completion time: 2010-06-02 13:38:25
ComboFix-quarantined-files.txt 2010-06-02 17:38
ComboFix2.txt 2010-06-02 05:34
ComboFix3.txt 2010-06-02 04:51

Pre-Run: 58,331,992,064 bytes free
Post-Run: 58,292,924,416 bytes free

- - End Of File - - 4EF8FF843630C79E317CBFEF50FEC5FE


#4 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 05 June 2010 - 11:43 AM

Hi again snaptime1010!!..

ComboFix has been run a few times - note that this makes my work harder... Also,
Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Ok, please do the following:

Firstly,
Open Notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/320962/cant-remove-rootkitagent/

Collect::
c:\users\dar\AppData\Local\Hkerejataz.dat
c:\windows\system32\drivers\agikj.sys
c:\users\dar\appdata\roaming\qvjsge.dat
c:\windows\system32\dplahost.dll
c:\windows\system32\BC08BD6E.exe
Suspect::
c:\windows\system32\esozoniu.dll
c:\windows\system32\IoctlPe.dll
File::
c:\users\dar\AppData\Local\Evohujanec.bin
Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
Driver::
BC08BD6E
agikj


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Secondly,
Please follow the Preparation Guide and run Gmer - post the logfile...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 snaptime1010

snaptime1010
  • Topic Starter

  • Members
  • 11 posts

Posted 05 June 2010 - 04:58 PM

Here is the combofix log. I'll run the gmer, but it was bluescreening before. I'll post it in the next reply.

ComboFix 10-06-03.01 - dar 06/05/2010 16:40:58.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1731 [GMT -4:00]
Running from: c:\users\dar\Desktop\jackx.exe
Command switches used :: c:\users\dar\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\dar\AppData\Local\Evohujanec.bin"

file zipped: c:\users\dar\AppData\Local\Hkerejataz.dat
file zipped: c:\users\dar\appdata\roaming\qvjsge.dat
file zipped: c:\windows\system32\drivers\agikj.sys
file zipped: c:\windows\System32\esozoniu.dll
file zipped: c:\windows\System32\ioctlpe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\dar\AppData\Local\Evohujanec.bin
c:\users\dar\AppData\Local\Hkerejataz.dat
c:\users\dar\appdata\roaming\qvjsge.dat
c:\windows\system32\drivers\agikj.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AGIKJ
-------\Service_agikj
-------\Service_BC08BD6E


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-05 20:52 . 2010-06-05 20:58 -------- d-----w- c:\users\dar\AppData\Local\temp
2010-06-05 20:52 . 2010-06-05 20:52 -------- d-----w- c:\users\rat\AppData\Local\temp
2010-06-05 20:52 . 2010-06-05 20:52 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-06-05 20:52 . 2010-06-05 20:52 -------- d-----w- c:\users\drop\AppData\Local\temp
2010-06-05 20:52 . 2010-06-05 20:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-02 03:08 . 2010-06-02 03:08 -------- d-----w- c:\users\dar\AppData\Roaming\Panda Security
2010-06-02 03:06 . 2010-06-02 03:06 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\programdata\Panda Security
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\program files\Panda Security
2010-06-02 02:50 . 2010-06-02 02:50 -------- d-----w- c:\users\dar\AppData\Roaming\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\programdata\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 11:55 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 10:33 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:37 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-24 20:37 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-24 20:36 . 2010-05-24 20:36 -------- d-----w- c:\program files\iPod
2010-05-24 20:36 . 2010-05-24 20:37 -------- d-----w- c:\program files\iTunes
2010-05-24 20:34 . 2010-05-24 20:34 -------- d-----w- c:\program files\Apple Software Update
2010-05-24 20:31 . 2010-05-24 20:31 -------- d-----w- c:\program files\Bonjour
2010-05-24 13:40 . 2010-05-24 13:40 -------- d-----w- c:\program files\iPod(27)
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\program files\iTunes(28)
2010-05-24 13:38 . 2010-05-24 13:39 -------- d-----w- c:\program files\QuickTime(37)
2010-05-24 13:34 . 2010-05-24 13:34 -------- d-----w- c:\program files\Bonjour(4)
2010-05-12 08:48 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 20:18 . 2008-11-05 19:28 164269 ----a-w- c:\windows\hpoins21.dat
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Common Files\Java
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Java
2010-05-24 20:36 . 2009-06-04 13:10 -------- d-----w- c:\program files\Common Files\Apple
2010-05-24 20:36 . 2009-06-04 13:13 -------- d-----w- c:\programdata\Apple Computer
2010-05-24 20:35 . 2009-06-04 13:13 -------- d-----w- c:\program files\QuickTime
2010-05-24 18:38 . 2009-06-04 12:34 -------- d-----w- c:\users\dar\AppData\Roaming\dvdcss
2010-05-24 18:38 . 2009-12-17 14:13 -------- d-----w- c:\program files\Safari
2010-05-24 13:43 . 2009-06-04 13:14 -------- d-----w- c:\users\dar\AppData\Roaming\Apple Computer
2010-05-21 19:01 . 2008-08-26 21:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-19 14:42 . 2008-11-18 19:44 -------- d-----w- c:\program files\Paint.NET
2010-05-13 14:36 . 2008-12-11 00:35 8224 ----a-w- c:\users\rat\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 07:01 . 2008-10-24 22:57 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-02 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-08-26 21:28 . 2008-08-26 21:28 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-01-14 42336]
"Google Update"="c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-01 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-10-10 41042]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-6-3 413696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{030AB8DB-A37C-4A28-AA47-48079571960E}"= "c:\windows\system32\esozoniu.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):9a,a8,da,6e,07,2b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1776571630-2760082200-3331130590-1000]
"EnableNotificationsRef"=dword:00000001

R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-05-22 20640]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-10-10 24636]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AGIKJ
*Deregistered* - agikj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-03 11:32]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000Core.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000UA.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-05-29 c:\windows\Tasks\Norton Security Scan for dar.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 20:45]

2010-06-02 c:\windows\Tasks\WebReg Photosmart C7200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-10-15 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {AE2288C0-0B3A-4D50-81BB-66442F43639C} = 68.87.64.146,68.87.75.194
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://kewdigital.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\users\dar\AppData\Roaming\Mozilla\Firefox\Profiles\zux9snw5.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\dar\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 16:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\agikj]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2752)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\esozoniu.dll
c:\windows\system32\MSVBVM60.DLL
c:\windows\system32\IoctlPe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-06-05 17:10:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-05 21:10
ComboFix2.txt 2010-06-02 17:38
ComboFix3.txt 2010-06-02 05:34
ComboFix4.txt 2010-06-02 04:51

Pre-Run: 57,553,711,104 bytes free
Post-Run: 57,163,898,880 bytes free

- - End Of File - - 536D093E0E26D078A67CE57A52A3679E
Upload was successful
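A small triage helper for ComboFix logs like the two posted above. It is an added example, not part of this thread or of ComboFix; the sample lines are copied from the logs in this topic. It pulls out what a malware responder reads first in such a log: a deletion that failed, an AppCertDlls entry (DLLs listed there are loaded into every process that calls CreateProcess, a known persistence point), a service whose binary is missing (`[x]`), and drivers seen in memory but not registered, then correlates the last of these with the failed deletions to name the driver that survived removal.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
c:\users\dar\AppData\Local\Evohujanec.bin
c:\windows\system32\drivers\agikj.sys . . . . failed to delete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
perf_isv REG_SZ c:\windows\system32\dplahost.dll

R3 BC08BD6E;BC08BD6E;c:\windows\system32\BC08BD6E.exe [x]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AGIKJ
*Deregistered* - agikj
"""

# "<path> . . . . failed to delete": the dots are ComboFix's padding.
FAILED_RE = re.compile(r"^(.+?)(?:\s+\.)+\s+failed to delete\s*$", re.I)
# "R3 name;display name;image path [x]": [x] means the image file is missing.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[x\]\s*$")
# "*NewlyCreated* - NAME" / "*Deregistered* - NAME" in the in-memory section.
IN_MEMORY_RE = re.compile(r"^\*(\w+)\*\s+-\s+(\S+)\s*$")
# Registry section header for the AppCertDlls key, case-insensitive as ComboFix prints it.
APPCERT_HDR_RE = re.compile(r"^\[.*\\appcertdlls\]\s*$", re.I)


@dataclass
class Findings:
    failed_deletes: list = field(default_factory=list)    # file paths
    appcertdlls: list = field(default_factory=list)       # (value name, dll path)
    missing_binaries: list = field(default_factory=list)  # (service name, image path)
    in_memory: list = field(default_factory=list)         # (state, driver name)


def triage(log_text):
    """Walk the log once and collect the lines worth a responder's attention."""
    f = Findings()
    in_appcert = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_appcert = False          # a blank line ends a registry section
            continue
        if line.startswith("["):
            in_appcert = bool(APPCERT_HDR_RE.match(line))
            continue
        if in_appcert:
            # "<value name> REG_SZ <dll path>"
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1].startswith("REG_"):
                f.appcertdlls.append((parts[0], parts[2]))
            continue
        m = FAILED_RE.match(line)
        if m:
            f.failed_deletes.append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m:
            f.missing_binaries.append((m.group(2), m.group(4)))
            continue
        m = IN_MEMORY_RE.match(line)
        if m:
            f.in_memory.append((m.group(1), m.group(2)))
    return f


def persistent_drivers(f):
    """Drivers that were loaded but deregistered AND whose file could not be
    deleted: the combination seen in this thread, and the reason the helper
    reached for a stronger tool. Names are compared case-insensitively because
    ComboFix prints the same driver as AGIKJ and agikj."""
    stuck = {p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() for p in f.failed_deletes}
    deregistered = {name.lower() for state, name in f.in_memory if state == "Deregistered"}
    return sorted(stuck & deregistered)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("failed deletes:   ", found.failed_deletes)
    print("AppCertDlls:      ", found.appcertdlls)
    print("missing binaries: ", found.missing_binaries)
    print("in memory:        ", found.in_memory)
    print("persistent drivers:", persistent_drivers(found))
```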

#6 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:11:39 PM

Posted 06 June 2010 - 04:22 AM

Hi again snaptime1010!!..

That looks better, however, the rootkit infection seems to be still active...
Two files I've scripted for an upload:
c:\windows\System32\esozoniu.dll
c:\windows\System32\ioctlpe.dll

look clean to me... However, if the infection regenerates, we'll script them out...

Let's try a little more powerful tool:

Firstly,
Download The Avenger by Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your Desktop.
  • Run avenger.exe by double-clicking on it.
  • Do not change any check box options!!
  • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    QUOTE
    Drivers to delete:
    agikj
    Files to delete:
    c:\windows\system32\drivers\agikj.sys

  • Now click the Execute button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
  • Please post the content of the logfile.

Secondly,
Please try running Gmer once again... Post the logfile, if possible...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#7 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 06 June 2010 - 08:07 AM

Thanks again for looking at this snemelk!

gmer is still running, it's been running for about 14 hours now, it's almost through all the files.

I'll run the avenger once gmer is done.

#8 snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 06 June 2010 - 02:19 PM

Hi again!..

QUOTE(snaptime1010 @ Jun 6 2010, 03:07 PM)
Thanks again for looking at this snemelk!

No problem at all!!..

QUOTE
gmer is still running, it's been running for about 14 hours now, it's almost through all the files.

Ok, if it takes too long, just terminate a scan and post the partial results (if possible)... Then run a script with The Avenger...


#9 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 06 June 2010 - 03:38 PM

Here is the gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-06 16:36:13
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\dar\AppData\Local\Temp\fxldypow.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\agikj.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F001340, 0x3DA8C7, 0xE8000020]
? C:\Users\dar\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\dar\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Windows\System32\svchost.exe[224] image checksum mismatch; time/date stamp mismatch; unknown module: imagehlp.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!LdrLoadDll 77809390 5 Bytes JMP 00BC13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8794F9F0

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] agikj <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet027\Services\agikj@Type 1
Reg HKLM\SYSTEM\ControlSet027\Services\agikj@Start 0
Reg HKLM\SYSTEM\ControlSet027\Services\agikj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet027\Services\agikj@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet028\Services\agikj@Type 1
Reg HKLM\SYSTEM\ControlSet028\Services\agikj@Start 0
Reg HKLM\SYSTEM\ControlSet028\Services\agikj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet028\Services\agikj@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Users\dar\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AZ4FZ4AU\www.skinnykitty.com.\media 0 bytes
File C:\Users\dar\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AZ4FZ4AU\www.skinnykitty.com.\media\flowplayer 0 bytes
File C:\Users\dar\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AZ4FZ4AU\www.skinnykitty.com.\media\flowplayer\flowplayer-3.1.5.swf 0 bytes
File C:\Users\dar\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.skinnykitty.com.\settings.sol 90 bytes

---- EOF - GMER 1.0.15 ----

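The GMER output above is the whole picture of the infection in one log: a hidden boot-start service named agikj, its Services keys duplicated across CurrentControlSet, ControlSet027 and ControlSet028, and a driver image GMER cannot read. Below is an added example (not code from this thread, from GMER or from any of the tools used here) of a small Python parser that pulls those facts out of a GMER log, states why each one matters to a responder, and diffs a before scan against an after scan; the two sample logs are constructed from the scan lines posted in this thread, abridged.

```python
# Added example (not from this thread or from GMER): parse a GMER log, pull out the
# hidden-service facts that matter to a responder, and diff a before/after scan.
import re
from dataclasses import dataclass, field

# Constructed sample: the first scan, while the hidden driver was still installed.
SCAN_BEFORE = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-06 16:36:13
---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\agikj.sys A device attached to the system is not functioning. !
? C:\Users\dar\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] agikj <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\agikj@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet027\Services\agikj@Start 0
Reg HKLM\SYSTEM\ControlSet028\Services\agikj@Start 0
---- EOF - GMER 1.0.15 ----
"""

# Constructed sample: the re-scan after the driver and its service were deleted.
SCAN_AFTER = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 09:00:55
---- Kernel code sections - GMER 1.0.15 ----
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC07340, 0x3DA8C7, 0xE8000020]
---- EOF - GMER 1.0.15 ----
"""

# The three GMER line shapes this triage reads.
HIDDEN_SERVICE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
SERVICE_VALUE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<controlset>[^\\]+)\\Services\\(?P<name>[^@]+)@(?P<value>\S+)\s*(?P<data>.*)$")
DRIVER_ERROR = re.compile(r"^\? (?P<path>\S+) (?P<message>.+?) !$")


@dataclass
class GmerReport:
    hidden_services: dict = field(default_factory=dict)  # name -> start tag, e.g. "BOOT"
    service_values: dict = field(default_factory=dict)   # name -> {control set -> {value -> data}}
    driver_errors: list = field(default_factory=list)    # (image path, error text)


def parse_gmer(text):
    """Collect hidden services, their registry values and unreadable driver images."""
    report = GmerReport()
    for line in text.splitlines():
        if m := HIDDEN_SERVICE.match(line):
            report.hidden_services[m["name"]] = m["start"]
        elif m := SERVICE_VALUE.match(line):
            per_set = report.service_values.setdefault(m["name"], {})
            per_set.setdefault(m["controlset"], {})[m["value"]] = m["data"].strip()
        elif m := DRIVER_ERROR.match(line):
            report.driver_errors.append((m["path"], m["message"]))
    return report


def assess(report):
    """Turn the parsed facts into findings a responder would act on."""
    findings = []
    for name, start in report.hidden_services.items():
        sets = report.service_values.get(name, {})
        current = sets.get("CurrentControlSet", {})
        note = f"hidden service '{name}' ({start} start)"
        if current.get("Start") == "0":
            note += "; Start=0 (SERVICE_BOOT_START): loaded by the boot loader before most security drivers"
        if current.get("Group") == "Boot Bus Extender":
            note += "; group 'Boot Bus Extender' sits near the top of ServiceGroupOrder"
        if len(sets) > 1:
            names = ", ".join(sorted(sets))
            note += f"; present in {len(sets)} control sets ({names}), so Last Known Good is likely affected too"
        findings.append(note)
    # An unreadable image whose name matches a hidden service is the driver itself.
    for path, message in report.driver_errors:
        if any(path.lower().endswith(n.lower() + ".sys") for n in report.hidden_services):
            findings.append(f"driver image {path} unreadable ({message}); matches the hidden service")
    return findings


def compare(before, after):
    """Hidden services that vanished between two scans, and any still reported."""
    gone = sorted(set(before.hidden_services) - set(after.hidden_services))
    return gone, sorted(after.hidden_services)


if __name__ == "__main__":
    before, after = parse_gmer(SCAN_BEFORE), parse_gmer(SCAN_AFTER)
    for finding in assess(before):
        print("FINDING:", finding)
    gone, remaining = compare(before, after)
    print("removed:", gone, "still hidden:", remaining)
```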

#10 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 06 June 2010 - 03:56 PM

This is the avenger.txt log. Avenger was run after gmer above.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "agikj" deleted successfully.
File "c:\windows\system32\drivers\agikj.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I'll run gmer again, but see if I can run it on just some of the files, because it seems to take about 24 hours with all the files I have.



#11 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 06 June 2010 - 04:12 PM

I'm trying to run gmer again, but it keeps crashing when it looks at \Device\HarddiskVolumeShadowCopy1, popping up a "debug or cancel" dialog. Sometimes when I hit cancel, Windows bluescreens and creates a minidump.

#12 snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 06 June 2010 - 04:19 PM

Hi again snaptime1010!!..

QUOTE(snaptime1010 @ Jun 6 2010, 11:12 PM)
I'm trying to run gmer again, but it keeps crashing when it looks at \Device\HarddiskVolumeShadowCopy1, popping up a "debug or cancel" dialog. Sometimes when I hit cancel, Windows bluescreens and creates a minidump.

I see... Ok, for now, re-run ComboFix please:

Delete your current copy of ComboFix (delete a file from your Desktop), and download and run a new version (remember about disabling protection programs):

Link 1
Link 2

Post the logfile... If it comes clean, the Gmer scan may not be needed...


#13 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 06 June 2010 - 04:47 PM

Ok, here is the combofix.log:

ComboFix 10-06-06.01 - dar 06/06/2010 17:29:06.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1663 [GMT -4:00]
Running from: c:\users\dar\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-06-06 21:37 . 2010-06-06 21:37 -------- d-----w- c:\users\rat\AppData\Local\temp
2010-06-06 21:37 . 2010-06-06 21:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-06 21:37 . 2010-06-06 21:37 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-06-06 21:37 . 2010-06-06 21:37 -------- d-----w- c:\users\drop\AppData\Local\temp
2010-06-06 21:37 . 2010-06-06 21:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-05 20:52 . 2010-06-06 21:38 -------- d-----w- c:\users\dar\AppData\Local\temp
2010-06-02 03:08 . 2010-06-02 03:08 -------- d-----w- c:\users\dar\AppData\Roaming\Panda Security
2010-06-02 03:06 . 2010-06-02 03:06 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\programdata\Panda Security
2010-06-02 03:05 . 2010-06-02 03:05 -------- d-----w- c:\program files\Panda Security
2010-06-02 02:50 . 2010-06-02 02:50 -------- d-----w- c:\users\dar\AppData\Roaming\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 02:49 . 2010-06-02 02:49 -------- d-----w- c:\programdata\Malwarebytes
2010-06-02 02:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 11:55 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 10:33 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:37 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-24 20:37 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-24 20:36 . 2010-05-24 20:36 -------- d-----w- c:\program files\iPod
2010-05-24 20:36 . 2010-05-24 20:37 -------- d-----w- c:\program files\iTunes
2010-05-24 20:34 . 2010-05-24 20:34 -------- d-----w- c:\program files\Apple Software Update
2010-05-24 20:31 . 2010-05-24 20:31 -------- d-----w- c:\program files\Bonjour
2010-05-24 13:40 . 2010-05-24 13:40 -------- d-----w- c:\program files\iPod(27)
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-24 13:40 . 2010-05-24 13:41 -------- d-----w- c:\program files\iTunes(28)
2010-05-24 13:38 . 2010-05-24 13:39 -------- d-----w- c:\program files\QuickTime(37)
2010-05-24 13:34 . 2010-05-24 13:34 -------- d-----w- c:\program files\Bonjour(4)
2010-05-12 08:48 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 20:44 . 2009-11-05 23:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 04:24 . 2008-11-17 15:09 164880 ---ha-w- c:\users\dar\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2010-06-01 20:18 . 2008-11-05 19:28 164269 ----a-w- c:\windows\hpoins21.dat
2010-06-01 15:41 . 2008-11-03 17:36 7155 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Common Files\Java
2010-06-01 11:55 . 2008-08-26 20:57 -------- d-----w- c:\program files\Java
2010-05-24 20:36 . 2009-06-04 13:10 -------- d-----w- c:\program files\Common Files\Apple
2010-05-24 20:36 . 2009-06-04 13:13 -------- d-----w- c:\programdata\Apple Computer
2010-05-24 20:35 . 2009-06-04 13:13 -------- d-----w- c:\program files\QuickTime
2010-05-24 18:38 . 2009-06-04 12:34 -------- d-----w- c:\users\dar\AppData\Roaming\dvdcss
2010-05-24 18:38 . 2009-12-17 14:13 -------- d-----w- c:\program files\Safari
2010-05-24 13:43 . 2009-06-04 13:14 -------- d-----w- c:\users\dar\AppData\Roaming\Apple Computer
2010-05-21 19:01 . 2008-08-26 21:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-19 14:42 . 2008-11-18 19:44 -------- d-----w- c:\program files\Paint.NET
2010-05-13 14:36 . 2008-12-11 00:35 8224 ----a-w- c:\users\rat\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 07:01 . 2008-10-24 22:57 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-02 21:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-10 23:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-08-26 21:28 . 2008-08-26 21:28 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2010-06-02_05.23.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-06-06 21:26 53090 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-06-06 21:26 62820 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-24 22:13 . 2010-06-06 21:26 10894 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1776571630-2760082200-3331130590-1000_UserData.bin
+ 2008-10-24 22:12 . 2010-06-06 21:22 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-24 22:12 . 2010-06-06 21:22 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-24 22:12 . 2010-06-06 21:22 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-24 22:12 . 2010-06-02 05:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 00:24 . 2010-06-02 05:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-05 00:24 . 2010-06-02 05:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-06 07:02 . 2010-06-06 07:02 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-02 05:04 . 2010-06-02 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-06 21:22 . 2010-06-06 21:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-02 05:04 . 2010-06-02 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-06 21:22 . 2010-06-06 21:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-25 00:03 . 2010-06-06 20:35 209400 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2006-11-02 10:33 . 2010-06-02 05:11 694912 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-06-06 21:31 694912 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-06-02 05:11 139338 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-06-06 21:31 139338 c:\windows\System32\perfc009.dat
+ 2010-06-06 07:01 . 2010-06-06 07:01 20242432 c:\windows\Installer\22b92cf.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 13:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-01-14 42336]
"Google Update"="c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-01 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-10-10 41042]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-6-3 413696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{030AB8DB-A37C-4A28-AA47-48079571960E}"= "c:\windows\system32\esozoniu.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9a,a8,da,6e,07,2b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1776571630-2760082200-3331130590-1000]
"EnableNotificationsRef"=dword:00000001

R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-05-22 20640]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-10-10 24636]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-03 11:32]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000Core.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1776571630-2760082200-3331130590-1000UA.job
- c:\users\dar\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 10:56]

2010-05-29 c:\windows\Tasks\Norton Security Scan for dar.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 20:45]

2010-06-02 c:\windows\Tasks\WebReg Photosmart C7200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-10-15 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {AE2288C0-0B3A-4D50-81BB-66442F43639C} = 68.87.64.146,68.87.75.194
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://kewdigital.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\users\dar\AppData\Roaming\Mozilla\Firefox\Profiles\zux9snw5.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\dar\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 17:38
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6136)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\system32\esozoniu.dll
.
Completion time: 2010-06-06 17:44:10
ComboFix-quarantined-files.txt 2010-06-06 21:44
ComboFix2.txt 2010-06-05 21:56
ComboFix3.txt 2010-06-02 17:38
ComboFix4.txt 2010-06-02 05:34
ComboFix5.txt 2010-06-06 21:28

Pre-Run: 78,297,796,608 bytes free
Post-Run: 78,266,118,144 bytes free

- - End Of File - - B1FEB6FA7C54574CCD8537C1621B732D


#14 snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 07 June 2010 - 07:44 AM

Hi again snaptime1010!!..

ComboFix logfile looks ok to me... Does any problem persist??..

QUOTE(snaptime1010 @ Jun 6 2010, 11:12 PM)
I'm trying to run gmer again, but it keeps crashing when it looks at \Device\HarddiskVolumeShadowCopy1, popping up a "debug or cancel" dialog. Sometimes when I hit cancel, Windows bluescreens and creates a minidump.

We'll try running Gmer once again, I want to confirm this rootkit infection is removed now...
Run Gmer, uncheck Devices and run a scan... If it takes more than 1 or 2 hours to run, just terminate it, and run a scan with only Services box checked (+ check your c:\ drive to scan)... That should tell us enough to proceed...

Afterwards, please do the following:

Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Then,
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#15 snaptime1010
  • Topic Starter
  • Members
  • 11 posts

Posted 07 June 2010 - 08:02 AM

I unchecked devices and files; the 300GB drive is what takes so long. Here is the gmer output:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 09:00:55
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\dar\AppData\Local\Temp\fxldypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC07340, 0x3DA8C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2376] ntdll.dll!LdrLoadDll 771D9390 5 Bytes JMP 012913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- EOF - GMER 1.0.15 ----


I'll run the otl and security check now and post the logs after each one.



