
Infected with a virus


  • This topic is locked
31 replies to this topic

#1 JaxNHayes

JaxNHayes

  • Members
  • 20 posts

Posted 29 December 2010 - 06:58 PM

I had Antivirus Scan on my computer on Dec. 21. I performed a search for it on the web and got to your site. I performed the removal guide from your website using rkill and malwarebytes. This seemed to clear it up until I tried to update malwarebytes; I got a quick blue screen and my computer rebooted. Then I had White Smoke Translator on it and removed that with malwarebytes. Now I have hidden audio ads going off and a web pop-up from time to time, some are for antispyware. Two processes keep popping up: hki402.exe and lW8wG4pg.exe.
Here is the GMER log requested in the prep guide. I downloaded DDS, but when I click the icon it won't run; it only pulls up a garbled file in Notepad. Thank you for your help. Let me know what else you need to know.

Attached Files

  • ark.txt (388.11KB)

Edited by JaxNHayes, 29 December 2010 - 10:38 PM.




#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 06 January 2011 - 09:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts

Posted 07 January 2011 - 07:33 AM

Thank you. I was finally able to get DDS to run; here is the file. Now when I try to run GMER again my computer freezes up, so I just attached the original GMER file. I have had the White Smoke virus also but removed some of it with malwarebytes. Now malwarebytes doesn't find anything, but there are some issues still on here. Thank you for your help.

Attached Files



#4 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 07 January 2011 - 09:36 AM

Hello JaxNHayes


I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly into the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click and choose Run as Administrator for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
PW

#5 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts

Posted 07 January 2011 - 10:14 AM

Hello pwgib

It all started with some antivirus scans popping up like Antivirus Scan and Antimalware. I did a search for Antivirus Scan and went to this site and performed the Rkill and Malwarebytes to remove it. Next thing I know there is something called White Smoke Translator on here and I thought I got rid of it with malwarebytes also, but I still get some pop-ups for antivirus software and sometimes I'll get an audio ad, but I don't see anything running other than some new processes. I really don't know what else to tell you other than I have noticed my computer running a little slower at times. I keep running Rkill to get rid of the processes that pop on. Also sometimes when the computer is sitting idle it sounds like someone is clicking on new programs but I don't see any running, it's click, click, click... Pretty annoying. Let me know what I should do next to help you figure this out. I am running Windows XP Professional SP3.

#6 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 08 January 2011 - 09:31 AM

Hi JaxNHayes,

Please do not attach or zip logs unless asked to. Copy and paste them directly into the reply box.

The following is referring to FixCleaner which has a registry cleaner component.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done on the assumption that most of the audience on this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

More information about registry cleaners can be found at Miekiemoes Blog


Step 1.

I need you to run MBAM.
  • Open MBAM
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Step 2.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

    Note - If you have AVG or CA installed, due to recent changes in how these AVs target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Step 3.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Step 4.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



In your next reply please include the following:

MBAM log
ComboFix.txt
RKUnhooker report



Thanks!!
PW
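When the logs requested above come back (the topic starter's MBAM and ComboFix output follows in the next reply), the reviewer has to pick a handful of structural indicators out of several hundred lines by eye. The following is an added example written for this page; it is not code from any post in this thread nor from Malwarebytes or ComboFix. It parses log text of that shape and flags four patterns that occur in this thread's logs: companion executables whose name has whitespace before ".exe" (the "qttask .exe ---^> qttask.exe" entries), a flood of At*.job scheduled tasks, one image unloaded many times in the MBAM "Memory Processes Infected" section, and Run values that name a bare file with no directory. The thresholds, the section handling and the sample lines (trimmed copies of lines posted in this thread) are my assumptions.

```python
r"""Triage helper for MBAM / ComboFix style removal logs (added example).

Reads plain-text log lines and flags four structural indicators:

  1. companion executables: a file name with whitespace just before
     ".exe" (e.g. "qttask .exe" beside "qttask.exe"); no installer
     produces such twins;
  2. scheduled-task floods: many c:\windows\Tasks\AtNNN.job entries;
  3. process fan-out: one image unloaded many times in the MBAM
     "Memory Processes Infected" section;
  4. Run/RunOnce values whose command is a bare file name, so the image
     is located by the loader's search order rather than a fixed path
     (legitimate software does this too; it is a prompt to verify).

Thresholds are assumptions chosen for this example.
"""
import re

COMPANION_RE = re.compile(r"^(?P<stem>.+?\S)\s+\.exe\s*$", re.IGNORECASE)
AT_JOB_RE = re.compile(r"\\windows\\tasks\\at\d+\.job\s*$", re.IGNORECASE)
# MBAM line: "<path>.exe (<detection>) -> <pid> -> Unloaded process successfully."
MBAM_PROC_RE = re.compile(r"^(?P<path>.+?\.exe) \([^)]+\) -> (?P<pid>\d+) ->", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')

AT_JOB_THRESHOLD = 10      # assumption: more At*.job files than this is a flood
MIN_PROCESS_INSTANCES = 3  # assumption: same image unloaded this often is fan-out


def companion_executables(lines):
    """Lower-cased clean twins ("name.exe") of every "name .exe" entry seen."""
    twins = set()
    for line in lines:
        # ComboFix writes "spaced .exe ---^> clean.exe"; keep the left side only.
        candidate = line.split(" ---^>")[0].strip()
        m = COMPANION_RE.match(candidate)
        if m:
            twins.add((m.group("stem") + ".exe").lower())
    return sorted(twins)


def at_job_flood(lines, threshold=AT_JOB_THRESHOLD):
    """All At*.job task files if there are more than `threshold` of them, else []."""
    jobs = sorted({line.strip().lower() for line in lines if AT_JOB_RE.search(line)})
    return jobs if len(jobs) > threshold else []


def process_fanout(lines, min_instances=MIN_PROCESS_INSTANCES):
    """Map image path -> sorted PIDs for images unloaded `min_instances` or more times."""
    pids = {}
    for line in lines:
        m = MBAM_PROC_RE.match(line.strip())
        if m:
            pids.setdefault(m.group("path").lower(), set()).add(int(m.group("pid")))
    return {path: sorted(p) for path, p in pids.items() if len(p) >= min_instances}


def bare_run_values(lines):
    """(key, value name, command) for Run/RunOnce values whose command has no directory."""
    found, key = [], None
    for line in lines:
        s = line.strip()
        if s.startswith("[HKEY_"):
            key = s
        elif key and "\\CurrentVersion\\Run" in key:
            m = RUN_VALUE_RE.match(s)
            if m and "\\" not in m.group("cmd"):
                found.append((key, m.group("name"), m.group("cmd")))
    return found


def triage(lines):
    return {
        "companion_executables": companion_executables(lines),
        "at_job_flood": at_job_flood(lines),
        "process_fanout": process_fanout(lines),
        "bare_run_values": bare_run_values(lines),
    }


# Constructed sample: a few lines copied from the logs in this thread, with the
# scheduled-task list cut down to twelve entries.
SAMPLE_LINES = [
    "Memory Processes Infected:",
    *[rf"c:\documents and settings\all users\application data\lW8wG4pg.exe "
      rf"(Trojan.Agent) -> {pid} -> Unloaded process successfully." for pid in (3092, 3216, 1936)],
    r"c:\program files\iTunes\iTunesHelper.exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\qttask.exe",
    *[rf"c:\windows\Tasks\At{n}.job" for n in range(1, 13)],
    r"c:\program files\QuickTime\qttask        .exe ---^> c:\program files\QuickTime\qttask.exe",
    r"c:\program files\Synaptics\SynTP\SynTPEnh .exe ---^> c:\program files\Synaptics\SynTP\SynTPEnh.exe",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]',
    r'"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]',
]

if __name__ == "__main__":
    import json
    import sys
    lines = (open(sys.argv[1], encoding="utf-8", errors="replace").read().splitlines()
             if len(sys.argv) > 1 else SAMPLE_LINES)
    print(json.dumps(triage(lines), indent=2))
```

Run it as `python triage.py ComboFix.txt` (or with no argument to use the embedded sample). Each check reports only what the log itself states; the companion and At*.job checks are near-certain indicators, while the bare-file Run check deliberately fires on the legitimate Logitech entry in this thread, which is the point: it lists what to verify, not what to delete.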

#7 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts

Posted 08 January 2011 - 01:09 PM

Hello pwgib

Everything went fine obtaining these reports. The only thing is that after I ran DeFogger it did not reboot the machine, and neither did I. I just went right on to the next step. Concerning FixCleaner, I have no problem getting rid of it. It sounds like it could be more trouble than it's worth. Anyway, here are the logs you requested:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/8/2011 10:39:53 AM
mbam-log-2011-01-08 (10-39-53).txt

Scan type: Quick scan
Objects scanned: 215493
Time elapsed: 55 minute(s), 14 second(s)

Memory Processes Infected: 27
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 3092 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 3216 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 1936 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 4124 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5856 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 2128 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5096 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 2528 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 3060 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 4520 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 4896 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 1768 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 3476 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 6060 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 4400 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 2276 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5336 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5400 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5104 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 4648 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 1192 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 3336 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 2156 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 1212 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5140 -> Unloaded process successfully.
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> 5960 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\lW8wG4pg.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Amanda\local settings\Temp\hki513.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Ira\local settings\Temp\hki484.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\local settings\Temp\hki556.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome.manifest (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\install.rdf (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome\mmtextlinks.jar (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.dll (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\Jax\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.xpt (PUP.MightyMagoo) -> Quarantined and deleted successfully.

===============================================================================================================================================================================================

ComboFix 11-01-07.02 - Ira 01/08/2011 11:40:45.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.695 [GMT -5:00]
Running from: c:\documents and settings\Ira\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~GLHTTP1.TMP
c:\documents and settings\All Users\Application Data\lW8wG4pg.exe
c:\documents and settings\Ira\Application Data\1E1479F4BE48CA63116E5AA18A15D929
c:\documents and settings\Ira\Application Data\1E1479F4BE48CA63116E5AA18A15D929\enemies-names.txt
c:\documents and settings\Ira\Application Data\1E1479F4BE48CA63116E5AA18A15D929\local.ini
c:\documents and settings\Ira\Application Data\1E1479F4BE48CA63116E5AA18A15D929\lsrslt.ini
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{84932913-9A16-49FE-8C01-325C5917D302}\setup.msi
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Microsoft IntelliPoint\ipoint.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\ajomawixor.dll
c:\windows\esejijoh.dll
c:\windows\system32\BSTIeprintctl1.dll
c:\windows\system32\driVERs\xvchbnicl.sys
c:\windows\system32\lsp6.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At217.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At76.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At80.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At84.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At88.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At92.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At95.job
c:\windows\Tasks\At96.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job

<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe ---^> c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\program files\Common Files\Java\Java Update\jusched .exe ---^> c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe ---^> c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe
c:\program files\Microsoft IntelliPoint\ipoint .exe ---^> c:\program files\Microsoft IntelliPoint\ipoint.exe
c:\program files\QuickTime\qttask        .exe ---^> c:\program files\QuickTime\qttask.exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe ---^> c:\program files\Synaptics\SynTP\SynTPEnh.exe
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_xvchbnicl
-------\Service_xvchbnicl


((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))
.

2010-12-31 16:03 . 2010-12-31 16:03 -------- d-sh--w- c:\documents and settings\Amanda\IECompatCache
2010-12-30 19:38 . 2010-12-30 19:38 -------- d-sh--w- c:\documents and settings\Jax\IECompatCache
2010-12-29 17:39 . 2010-12-29 17:39 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Safe mirror
2010-12-29 17:38 . 2010-12-29 17:39 -------- d-----w- c:\program files\Cobian Backup 10
2010-12-29 16:16 . 2010-12-29 17:27 -------- d-----w- c:\windows\system32\NtmsData
2010-12-29 14:02 . 2010-12-29 14:02 54016 ----a-w- c:\windows\system32\drivers\ttgnskvd.sys
2010-12-29 13:05 . 2010-12-29 13:05 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-29 11:31 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\documents and settings\Ira\Application Data\FixCleaner
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\program files\FixCleaner
2010-12-29 10:19 . 2010-12-29 10:19 54016 ----a-w- c:\windows\system32\drivers\ajvc.sys
2010-12-26 21:23 . 2010-12-26 21:23 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-25 12:35 . 2010-12-25 12:35 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-25 03:24 . 2010-12-25 03:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-24 13:30 . 2010-12-24 13:30 0 ----a-w- c:\windows\system32\lsp6.tmp
2010-12-23 03:42 . 2010-12-23 03:42 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-22 18:53 . 2010-12-22 18:56 -------- d-----w- c:\documents and settings\Jax\Application Data\Autodesk
2010-12-22 18:53 . 2010-12-22 18:53 -------- d-----w- c:\documents and settings\Jax\Local Settings\Application Data\Autodesk
2010-12-22 16:53 . 2010-12-22 16:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-12-22 16:51 . 2010-12-22 16:51 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-22 09:10 . 2010-12-22 09:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-22 07:43 . 2010-12-22 07:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-17 06:47 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 06:46 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-15 19:13 . 2010-12-16 19:31 -------- d-----w- C:\CCU Resume
2010-12-14 20:04 . 2010-12-14 20:05 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Roblox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2008-08-13 01:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-08-13 01:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2008-01-20 20:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 08:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.
<pre>
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Hp\HP Software Update\HPWuSchd2 .exe
c:\program files\HPQ\Default Settings\cpqset .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam   .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Messenger\msmsgs .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-11-18 46896472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-12-26 53248]

c:\documents and settings\Ira\Start Menu\Programs\Startup\
Update StruCalc.lnk - c:\program files\StruCalc 7.0\WiseUpdt.exe [2008-1-20 162834]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-9-12 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/12/2010 10:53 PM 10448]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [9/10/2009 11:15 PM 12032]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [9/10/2009 11:15 PM 39552]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 4:01 AM 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 4:01 AM 10448]
S2 pciinfo;HP Pci Information; [x]
S3 HPWPAUSB;Wireless Printer Adapter;c:\windows\system32\drivers\HPWPAUSB.sys [9/10/2009 6:33 PM 18560]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\d:\scpndis5.sys --> d:\SCPNDIS5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-01-07 c:\windows\Tasks\FixCleaner Scan.job
- c:\program files\FixCleaner\FixCleaner.exe [2010-11-18 12:55]

2007-07-03 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2006-11-21 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-08 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-01-08 12:36:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-08 17:36

Pre-Run: 32,878,649,344 bytes free
Post-Run: 37,836,414,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2AEF4784F697B54642F5275918706C60
==============================================================================================================================================================================================

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF0BF000 C:\WINDOWS\System32\ati3duag.dll 2433024 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7090000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1400832 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6DAB000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6CFB000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF311000 C:\WINDOWS\System32\ativvaxx.dll 606208 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF7286000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEE821000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xEE8C4000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6B6B000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF6FAA000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 376832 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xEEA6F000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEB49D000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF6F05000 C:\WINDOWS\system32\drivers\camc6hal.sys 352256 bytes (Conexant Systems Inc., Conexant AmcHal Driver)
0xEBD14000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 258048 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF051000 C:\WINDOWS\System32\ati2cqag.dll 233472 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF6EA8000 C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys 233472 bytes (Conexant Systems, Inc., HSFHWATI WDM driver)
0xBF08A000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF6C69000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7006000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF73D6000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEBE1D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7259000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBA113000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE934000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEEA47000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF6F82000 C:\WINDOWS\system32\drivers\tifm21.sys 163840 bytes (Texas Instruments, tifm21.sys)
0xF7362000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xEEA21000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF6EE1000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7058000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7035000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEE9FF000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF732A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7388000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF73A7000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF723F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF734A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEE809000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7313000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6CAA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEBF90000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6F6E000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF707C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEEAC8000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF6F5B000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 77824 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF6CE9000 C:\WINDOWS\system32\DRIVERS\bridge.sys 73728 bytes (Microsoft Corporation, MAC Bridge Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73C5000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6C99000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7765000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75A5000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF75D5000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7515000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF76B5000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF75F5000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF75B5000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEC31C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7695000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7525000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7585000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF7565000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF75C5000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7605000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7545000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7745000 C:\WINDOWS\System32\Drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7625000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7715000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7595000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7535000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7615000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75E5000 C:\WINDOWS\system32\drivers\camc6aud.sys 40960 bytes (Conexant Systems Inc., Conexant WDM AC97 Audio Driver)
0xF7665000 C:\WINDOWS\system32\DRIVERS\hpnuhub.sys 40960 bytes (Hewlett-Packard Development Company, HP USB Virtual Driver)
0xF7505000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7655000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7645000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7555000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7705000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7735000 C:\WINDOWS\System32\Drivers\LEqdUsb.Sys 36864 bytes (Logitech, Inc., Logitech Equad USB Driver.)
0xF7635000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76D5000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA608000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76C5000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77D5000 C:\ComboFix\catchme.sys 32768 bytes
0xF782D000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xF7845000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xF7885000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7905000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77B5000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF784D000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78D5000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7785000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78A5000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF78CD000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF790D000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF78E5000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78F5000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF778D000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77BD000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7795000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF77CD000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF78AD000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF781D000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF77DD000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7921000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7A01000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xEEB13000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF79C1000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEC1FD000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7925000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7919000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF791D000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xEEB0F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF79C5000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF79C9000 C:\WINDOWS\system32\DRIVERS\hpnuhst.sys 12288 bytes (Hewlett-Packard Development Company, HP USB Virtual Driver)
0x86EDB000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xEB629000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xEEB0B000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF71E6000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF6CD1000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79AD000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF6CC5000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7A0B000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xF7A37000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A0D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A5D000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A47000 C:\WINDOWS\system32\drivers\EABFiltr.sys 8192 bytes (Hewlett-Packard Development Company, L.P., QLB PS/2 Keyboard filter driver)
0xF7A33000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A07000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7A3B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A45000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF7A3F000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A1F000 C:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xF7A27000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A19000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A09000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7A05000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BEC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C3E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BCA000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xF7B3A000 C:\WINDOWS\System32\Drivers\LHidEqd.Sys 4096 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xF7C33000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7ACE000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7ACD000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x86F1939B ?_empty_? 3173 bytes
==============================================
>Stealth
==============================================
0xF734A000 WARNING: suspicious driver modification [atapi.sys::0x86F1939B]




#8 pwgib (Malware Response Team)

Posted 09 January 2011 - 06:16 AM

Hi JaxNHayes,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean the machine please perform the following procedures.


Step 1.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

Renv::
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Hp\HP Software Update\HPWuSchd2 .exe
c:\program files\HPQ\Default Settings\cpqset .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam   .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Messenger\msmsgs .exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 3.

  • Please download mbrcheck from Here
  • Save that file to your desktop and double click on it to run it.
  • It will show a black screen with some data on it; then hit any key to continue.
  • Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is the date).
  • Please post the contents of that log in your next reply.

Step 4.

We need to check some files.
  • Click on this link--> virustotal
  • Click the browse button. Copy and paste the following lines in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

c:\windows\system32\lsp6.tmp

c:\windows\system32\drivers\ttgnskvd.sys

c:\windows\system32\drivers\ajvc.sys



If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.

In your next reply please include the following:

TDSS log
ComboFix.txt
MBRCheck report
VirusTotal results


Thanks!!
PW
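The CFScript above repairs two things the earlier logs exposed: startup entries whose executable name has a space inserted before the extension (the Renv:: list, e.g. "qttask .exe") and an Internet Explorer proxy pointed at 127.0.0.1:8074 (the DDS:: lines). As an added example, not part of this thread and not ComboFix's or DDS's own code, the Python script below parses a few constructed lines in the same layout as ComboFix's "Reg Loading Points" section and DDS's "uInternet Settings" lines and reports those patterns, plus Run entries for which no file date/size was recorded. The sample lines, the `Finding` type and the function names are mine; the log layout is taken from the thread.

```python
"""Flag startup-entry and proxy indicators in ComboFix/DDS-style log lines.

Added example: it does not come from ComboFix, DDS or this thread. The sample
lines below are constructed to mirror the log layout the thread shows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# '"Name"="command line" [date size]' as printed under Reg Loading Points
RUN_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# DDS line: uInternet Settings,ProxyServer = host:port or scheme=host:port;...
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)')
# one or more spaces wedged between the base name and its extension
SPACED_EXT_RE = re.compile(r'\S\s+\.(exe|dll|sys|scr|com)\b', re.IGNORECASE)
# "YYYY-MM-DD size" is what ComboFix prints when it could stat the target
DATE_SIZE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample, modelled on the Run key block in the ComboFix log above.
SAMPLE_RUN_KEY = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"""

# Constructed sample, modelled on the DDS:: lines in the CFScript above.
SAMPLE_DDS = """
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
"""


@dataclass
class Finding:
    kind: str    # spaced-extension | no-file-info | loopback-proxy
    detail: str


def extract_exe_path(cmd: str) -> str:
    """Return the command's executable part: up to and including the first '.exe'."""
    m = re.search(r'^(.*?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def check_run_entries(text: str) -> list[Finding]:
    """Scan Run-key lines for spaced extensions and entries lacking date/size."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = RUN_ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, cmd, info = m.group("name", "cmd", "info")
        exe = extract_exe_path(cmd)
        if SPACED_EXT_RE.search(exe):
            findings.append(Finding("spaced-extension", f'{name}: "{exe}"'))
        if not DATE_SIZE_RE.match(info):
            findings.append(Finding("no-file-info", f"{name}: [{info}]"))
    return findings


def check_proxy(text: str) -> list[Finding]:
    """Report ProxyServer values that route traffic through the local host."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        # value is "host:port" or "scheme=host:port;scheme=host:port"
        for part in m.group("value").split(";"):
            hostport = part.split("=", 1)[-1]
            host = hostport.rsplit(":", 1)[0].strip("[]")
            if host in LOOPBACK_HOSTS:
                findings.append(Finding("loopback-proxy", part))
    return findings


def audit(run_text: str, dds_text: str) -> list[Finding]:
    """Combine both checks so a caller gets one list of findings."""
    return check_run_entries(run_text) + check_proxy(dds_text)


if __name__ == "__main__":
    for f in audit(SAMPLE_RUN_KEY, SAMPLE_DDS):
        print(f"{f.kind:18} {f.detail}")
```

Run against the constructed sample it reports the spaced "qttask .exe" entry, the two entries with no recorded date/size, and the loopback proxy; a proxy pointing at an ordinary host produces no finding, so the script distinguishes a local hijack from a normal corporate proxy setting.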

#9 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 09 January 2011 - 03:23 PM

I would like to clean it up please. Here is the info you wanted:


2011/01/09 09:44:31.0046 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/09 09:44:31.0046 ================================================================================
2011/01/09 09:44:31.0046 SystemInfo:
2011/01/09 09:44:31.0046
2011/01/09 09:44:31.0046 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/09 09:44:31.0046 Product type: Workstation
2011/01/09 09:44:31.0046 ComputerName: IRA2
2011/01/09 09:44:31.0046 UserName: Ira
2011/01/09 09:44:31.0046 Windows directory: C:\WINDOWS
2011/01/09 09:44:31.0046 System windows directory: C:\WINDOWS
2011/01/09 09:44:31.0046 Processor architecture: Intel x86
2011/01/09 09:44:31.0046 Number of processors: 1
2011/01/09 09:44:31.0046 Page size: 0x1000
2011/01/09 09:44:31.0046 Boot type: Normal boot
2011/01/09 09:44:31.0046 ================================================================================
2011/01/09 09:44:31.0656 Initialize success
2011/01/09 09:44:42.0921 ================================================================================
2011/01/09 09:44:42.0921 Scan started
2011/01/09 09:44:42.0921 Mode: Manual;
2011/01/09 09:44:42.0921 ================================================================================
2011/01/09 09:44:47.0875 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/09 09:44:48.0796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/09 09:44:50.0421 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/09 09:44:51.0437 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/09 09:44:54.0546 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/01/09 09:44:55.0390 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/01/09 09:44:57.0062 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/09 09:45:00.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/09 09:45:00.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/09 09:45:03.0734 ati2mtag (6ef070828e7b8c6f45d8f0e9ce28ca8b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/09 09:45:04.0578 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/09 09:45:05.0500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/09 09:45:06.0593 BCM43XX (fa4a4a50b4b2647afedc676cc68c69cc) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/01/09 09:45:07.0687 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/09 09:45:08.0515 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/01/09 09:45:08.0671 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/01/09 09:45:09.0500 BTWUSB (e76dc88f00d50f46072feb2371769978) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/01/09 09:45:10.0328 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
2011/01/09 09:45:11.0437 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
2011/01/09 09:45:12.0640 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/09 09:45:14.0156 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/09 09:45:14.0984 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/09 09:45:15.0859 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/09 09:45:17.0406 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/09 09:45:18.0906 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/09 09:45:22.0000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/09 09:45:23.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/09 09:45:25.0109 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/09 09:45:26.0000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/09 09:45:26.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/09 09:45:28.0390 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/09 09:45:29.0203 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
2011/01/09 09:45:30.0015 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
2011/01/09 09:45:30.0984 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/09 09:45:31.0906 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/09 09:45:32.0734 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/09 09:45:33.0562 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/09 09:45:34.0468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/09 09:45:35.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/09 09:45:36.0250 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/09 09:45:37.0171 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/09 09:45:38.0000 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/09 09:45:38.0843 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/09 09:45:40.0375 hpnuhst (ac6abca57a9ca35dca94f9d0c60758bf) C:\WINDOWS\system32\DRIVERS\hpnuhst.sys
2011/01/09 09:45:41.0187 HPNUHUB (bf5e0555c119693f8d611e0b046e9517) C:\WINDOWS\system32\DRIVERS\hpnuhub.sys
2011/01/09 09:45:42.0046 HPWPAUSB (92b41d08a1109746023999061ef73a11) C:\WINDOWS\system32\Drivers\HPWPAUSB.sys
2011/01/09 09:45:42.0890 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/09 09:45:43.0750 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/09 09:45:44.0578 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/09 09:45:45.0578 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
2011/01/09 09:45:47.0484 HSF_DP (f99bb4e2b462198b2b0a82d0949f0c41) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/01/09 09:45:49.0421 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/09 09:45:52.0390 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/09 09:45:53.0250 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/09 09:45:54.0812 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/09 09:45:55.0609 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/09 09:45:56.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/09 09:45:57.0281 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/09 09:45:58.0218 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/09 09:45:59.0203 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/09 09:46:00.0078 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/09 09:46:00.0859 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/09 09:46:01.0671 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/09 09:46:02.0468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/09 09:46:03.0390 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/09 09:46:04.0406 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/09 09:46:05.0296 LBeepKE (ca63fe81705ad660e482bef210bf2c73) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/01/09 09:46:06.0828 LEqdUsb (ed8f9311cae12c41a58dae2ea6d6c849) C:\WINDOWS\system32\Drivers\LEqdUsb.Sys
2011/01/09 09:46:07.0656 LHidEqd (9943f10c60eaf714c7010b37025a5ac5) C:\WINDOWS\system32\Drivers\LHidEqd.Sys
2011/01/09 09:46:08.0468 LHidFilt (b68309f25c5787385da842eb5b496958) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/01/09 09:46:09.0312 LMouFilt (63d3b1d3cd267fcc186a0146b80d453b) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/01/09 09:46:10.0125 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/09 09:46:10.0968 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/09 09:46:11.0781 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/09 09:46:12.0656 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/09 09:46:13.0453 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/09 09:46:14.0265 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/09 09:46:15.0953 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/09 09:46:17.0296 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/09 09:46:18.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/09 09:46:19.0343 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/09 09:46:20.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/09 09:46:20.0890 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/09 09:46:21.0687 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/09 09:46:22.0531 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/09 09:46:23.0531 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/09 09:46:24.0468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/09 09:46:25.0234 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/09 09:46:26.0078 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/09 09:46:26.0953 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/09 09:46:27.0781 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/09 09:46:28.0718 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/09 09:46:29.0718 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/09 09:46:30.0562 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/09 09:46:31.0859 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/09 09:46:33.0234 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/01/09 09:46:34.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/09 09:46:34.0828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/09 09:46:35.0609 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/09 09:46:36.0437 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/09 09:46:37.0343 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/09 09:46:38.0187 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/09 09:46:38.0953 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/09 09:46:39.0781 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/09 09:46:41.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/09 09:46:42.0906 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/09 09:46:48.0218 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/01/09 09:46:49.0046 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/09 09:46:49.0890 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/09 09:46:50.0812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/09 09:46:51.0625 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/09 09:46:52.0437 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/09 09:46:56.0906 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/09 09:46:57.0687 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/01/09 09:46:58.0531 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/09 09:46:59.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/09 09:47:00.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/09 09:47:01.0078 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/09 09:47:01.0984 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/09 09:47:02.0937 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/09 09:47:04.0000 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/09 09:47:04.0937 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/09 09:47:05.0890 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/01/09 09:47:06.0875 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/01/09 09:47:07.0796 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/09 09:47:08.0625 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/09 09:47:09.0468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/09 09:47:10.0312 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/09 09:47:11.0875 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/01/09 09:47:13.0453 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/09 09:47:14.0343 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/09 09:47:15.0546 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/09 09:47:16.0656 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/09 09:47:17.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/09 09:47:18.0281 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/09 09:47:22.0406 SynTP (f484c77f748729129d5cc9c965d9f701) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/09 09:47:23.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/09 09:47:24.0578 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/09 09:47:25.0703 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/09 09:47:26.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/09 09:47:27.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/09 09:47:28.0312 tifm21 (0edc3cf7b38f4260eb006c38e4a44de4) C:\WINDOWS\system32\drivers\tifm21.sys
2011/01/09 09:47:30.0031 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/09 09:47:31.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/09 09:47:33.0125 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/09 09:47:33.0968 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/09 09:47:34.0781 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/09 09:47:35.0640 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/09 09:47:36.0484 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/09 09:47:37.0281 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/09 09:47:38.0078 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/09 09:47:38.0875 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/09 09:47:39.0687 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/09 09:47:40.0515 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/09 09:47:41.0296 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/09 09:47:42.0093 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/09 09:47:42.0937 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/09 09:47:44.0187 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/09 09:47:46.0218 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/09 09:47:47.0734 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/09 09:47:49.0265 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/09 09:47:50.0140 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/09 09:47:50.0984 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/09 09:47:51.0125 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/09 09:47:51.0125 ================================================================================
2011/01/09 09:47:51.0125 Scan finished
2011/01/09 09:47:51.0125 ================================================================================
2011/01/09 09:47:51.0156 Detected object count: 1
2011/01/09 09:48:22.0531 \HardDisk0 - will be cured after reboot
2011/01/09 09:48:22.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/09 09:48:29.0015 Deinitialize success


==============================================================================================================================================================================================

ComboFix 11-01-07.02 - Ira 01/09/2011 10:06:06.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.588 [GMT -5:00]
Running from: c:\documents and settings\Ira\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ira\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\lW8wG4pg.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
c:\program files\Microsoft IntelliPoint\ipoint.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At12.job

.
((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.

2010-12-31 16:03 . 2010-12-31 16:03 -------- d-sh--w- c:\documents and settings\Amanda\IECompatCache
2010-12-30 19:38 . 2010-12-30 19:38 -------- d-sh--w- c:\documents and settings\Jax\IECompatCache
2010-12-29 17:39 . 2010-12-29 17:39 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Safe mirror
2010-12-29 17:38 . 2010-12-29 17:39 -------- d-----w- c:\program files\Cobian Backup 10
2010-12-29 16:16 . 2010-12-29 17:27 -------- d-----w- c:\windows\system32\NtmsData
2010-12-29 14:02 . 2010-12-29 14:02 54016 ----a-w- c:\windows\system32\drivers\ttgnskvd.sys
2010-12-29 13:05 . 2010-12-29 13:05 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-29 11:31 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\documents and settings\Ira\Application Data\FixCleaner
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\program files\FixCleaner
2010-12-29 10:19 . 2010-12-29 10:19 54016 ----a-w- c:\windows\system32\drivers\ajvc.sys
2010-12-26 21:23 . 2010-12-26 21:23 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-25 12:35 . 2010-12-25 12:35 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-25 03:24 . 2010-12-25 03:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-24 13:30 . 2010-12-24 13:30 0 ----a-w- c:\windows\system32\lsp6.tmp
2010-12-23 03:42 . 2010-12-23 03:42 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-22 18:53 . 2010-12-22 18:56 -------- d-----w- c:\documents and settings\Jax\Application Data\Autodesk
2010-12-22 18:53 . 2010-12-22 18:53 -------- d-----w- c:\documents and settings\Jax\Local Settings\Application Data\Autodesk
2010-12-22 16:53 . 2010-12-22 16:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-12-22 16:51 . 2010-12-22 16:51 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-22 09:10 . 2010-12-22 09:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-22 07:43 . 2010-12-22 07:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-17 06:47 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 06:46 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-15 19:13 . 2010-12-16 19:31 -------- d-----w- C:\CCU Resume
2010-12-14 20:04 . 2010-12-14 20:05 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Roblox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2008-08-13 01:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-08-13 01:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2008-01-20 20:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 08:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.
<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-11-18 46896472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [N/A]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [N/A]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [N/A]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-12-26 53248]

c:\documents and settings\Ira\Start Menu\Programs\Startup\
Update StruCalc.lnk - c:\program files\StruCalc 7.0\WiseUpdt.exe [2008-1-20 162834]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-9-12 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/12/2010 10:53 PM 10448]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [9/10/2009 11:15 PM 12032]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [9/10/2009 11:15 PM 39552]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 4:01 AM 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 4:01 AM 10448]
S2 pciinfo;HP Pci Information; [x]
S3 HPWPAUSB;Wireless Printer Adapter;c:\windows\system32\drivers\HPWPAUSB.sys [9/10/2009 6:33 PM 18560]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\d:\scpndis5.sys --> d:\SCPNDIS5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-09 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2011-01-09 10:24:01
ComboFix-quarantined-files.txt 2011-01-09 15:23
ComboFix2.txt 2011-01-08 17:36

Pre-Run: 37,804,584,960 bytes free
Post-Run: 37,828,407,296 bytes free

- - End Of File - - D0795C10AF43F7D1969D95153821450D


=============================================================================================================================================================================================


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF79D2000 \WINDOWS\system32\KDCOM.DLL
0xF78E2000 \WINDOWS\system32\BOOTVID.dll
0xF73A3000 ACPI.sys
0xF79D4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7392000 pci.sys
0xF74D2000 isapnp.sys
0xF74E2000 ohci1394.sys
0xF74F2000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF78E6000 compbatt.sys
0xF78EA000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A9A000 pciide.sys
0xF7752000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79D6000 intelide.sys
0xF79D8000 viaide.sys
0xF79DA000 aliide.sys
0xF7374000 pcmcia.sys
0xF7502000 MountMgr.sys
0xF7355000 ftdisk.sys
0xF79DC000 dmload.sys
0xF732F000 dmio.sys
0xF78EE000 ACPIEC.sys
0xF7A9B000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF775A000 PartMgr.sys
0xF7512000 VolSnap.sys
0xF7317000 atapi.sys
0xF7522000 disk.sys
0xF7532000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72F7000 fltmgr.sys
0xF72E5000 sr.sys
0xF7762000 PxHelp20.sys
0xF72CE000 KSecDD.sys
0xF7241000 Ntfs.sys
0xF7214000 NDIS.sys
0xF71FA000 Mup.sys
0xF7552000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7976000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF704B000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF7037000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77EA000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7013000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF781A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7562000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7572000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7582000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6FF0000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7872000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF7592000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF789A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6FC1000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79E6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78DA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79CA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF75A2000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6F99000 \SystemRoot\system32\drivers\tifm21.sys
0xF6F85000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF6F72000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF6F1C000 \SystemRoot\system32\drivers\camc6hal.sys
0xF75B2000 \SystemRoot\system32\drivers\camc6aud.sys
0xF6EF8000 \SystemRoot\system32\drivers\portcls.sys
0xF75C2000 \SystemRoot\system32\drivers\drmk.sys
0xF6EBF000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6DC2000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6D12000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77F2000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7B0F000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6D00000 \SystemRoot\system32\DRIVERS\bridge.sys
0xF7812000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF75D2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF71A9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6CC1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75E2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75F2000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF6CB0000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7602000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7882000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7892000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6C80000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7612000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79F0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6B82000 \SystemRoot\system32\DRIVERS\update.sys
0xF7982000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF798A000 \SystemRoot\system32\DRIVERS\hpnuhst.sys
0xF7622000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7632000 \SystemRoot\system32\DRIVERS\hpnuhub.sys
0xF7662000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79FA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B54000 \SystemRoot\System32\Drivers\Null.SYS
0xF79FE000 \SystemRoot\System32\Drivers\Beep.SYS
0xF783A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF784A000 \SystemRoot\System32\drivers\vga.sys
0xF7A02000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A06000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF785A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF786A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6CF4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEEADF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEEA86000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEEA5E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6CE4000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEEA38000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEEA16000 \SystemRoot\System32\drivers\afd.sys
0xF7682000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7692000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF787A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF76A2000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEE94B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEE8DB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76D2000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7A0C000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xF7986000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF76E2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7702000 \SystemRoot\System32\Drivers\LEqdUsb.Sys
0xF7712000 \SystemRoot\System32\Drivers\WDFLDR.SYS
0xEE838000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xEEB2A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xEEB22000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7BE8000 \SystemRoot\System32\Drivers\LHidEqd.Sys
0xF77AA000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xF77C2000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xF7722000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE820000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A26000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEEB26000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78B2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B1A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF051000 \SystemRoot\System32\ati2cqag.dll
0xBF08A000 \SystemRoot\System32\atikvmag.dll
0xBF0BF000 \SystemRoot\System32\ati3duag.dll
0xBF311000 \SystemRoot\System32\ativvaxx.dll
0xEE80C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEC336000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A9F000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xEC367000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEC036000 \SystemRoot\system32\DRIVERS\srv.sys
0xEBD51000 \SystemRoot\system32\drivers\wdmaud.sys
0xEBD76000 \SystemRoot\system32\drivers\sysaudio.sys
0xEBC63000 \SystemRoot\system32\drivers\kmixer.sys
0xEB972000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
620 C:\WINDOWS\system32\smss.exe
748 csrss.exe
804 C:\WINDOWS\system32\winlogon.exe
856 C:\WINDOWS\system32\services.exe
868 C:\WINDOWS\system32\lsass.exe
1032 C:\WINDOWS\system32\ati2evxx.exe
1088 C:\WINDOWS\system32\svchost.exe
1196 svchost.exe
1296 C:\WINDOWS\system32\svchost.exe
1348 svchost.exe
1512 svchost.exe
1732 C:\WINDOWS\system32\spoolsv.exe
1824 svchost.exe
1860 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1888 C:\Program Files\Bonjour\mDNSResponder.exe
1996 C:\WINDOWS\system32\svchost.exe
2016 C:\WINDOWS\system32\svchost.exe
196 C:\Program Files\Java\jre6\bin\jqs.exe
252 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
220 C:\WINDOWS\system32\svchost.exe
276 C:\WINDOWS\system32\svchost.exe
308 C:\WINDOWS\system32\svchost.exe
456 wdfmgr.exe
1260 C:\WINDOWS\system32\wuauclt.exe
1988 alg.exe
320 C:\WINDOWS\system32\wscntfy.exe
1464 C:\WINDOWS\system32\ati2evxx.exe
1500 C:\WINDOWS\explorer.exe
1544 wmiprvse.exe
2420 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
2592 C:\Program Files\Logitech\SetPointP\SetPoint.exe
2720 C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
2732 C:\Program Files\FixCleaner\FixCleaner.exe
2820 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
2868 C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
2924 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
3248 C:\WINDOWS\system32\ctfmon.exe
3340 C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
3384 C:\Program Files\Hp\Digital Imaging\bin\hpqbam08.exe
3536 C:\Program Files\Hp\Digital Imaging\bin\hpqgpc01.exe
3652 C:\WINDOWS\system32\msiexec.exe
364 C:\WINDOWS\system32\wuauclt.exe
2532 C:\Documents and Settings\Ira\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4OA60A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!


=============================================================================================================================================================================================


When I sent c:\windows\system32\lsp6.tmp to virustotal it did not produce a report.


==============================================================================================================================================================================================

c:\windows\system32\drivers\ttgnkvd.sys results:



6 VT Community user(s) with a total of 1313 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 1270 reputation credit(s) say(s) this sample is malware.
File name: ttgnskvd.sys
Submission date: 2011-01-09 20:05:19 (UTC)
Current status: finished


Result: 2/42 (4.8%)
VT Community: controversial
Safety score: 50.8%

Antivirus Version Last Update Result
AhnLab-V3 2011.01.09.00 2011.01.08 -
AntiVir 7.11.1.58 2011.01.09 -
Antiy-AVL 2.0.3.7 2011.01.09 -
Avast 4.8.1351.0 2011.01.09 -
Avast5 5.0.677.0 2011.01.09 -
AVG 9.0.0.851 2011.01.09 -
BitDefender 7.2 2011.01.09 -
CAT-QuickHeal 11.00 2011.01.09 -
ClamAV 0.96.4.0 2011.01.09 BC.Heuristics.Rootkit.B-9.MV
Command 5.2.11.5 2011.01.08 -
Comodo 7341 2011.01.09 -
DrWeb 5.0.2.03300 2011.01.09 -
eSafe 7.0.17.0 2011.01.06 Win32.TrojanHorse
eTrust-Vet 36.1.8087 2011.01.07 -
F-Prot 4.6.2.117 2011.01.08 -
F-Secure 9.0.16160.0 2011.01.09 -
Fortinet 4.2.254.0 2011.01.09 -
GData 21 2011.01.09 -
Ikarus T3.1.1.90.0 2011.01.09 -
Jiangmin 13.0.900 2011.01.09 -
K7AntiVirus 9.75.3472 2011.01.07 -
Kaspersky 7.0.0.125 2011.01.09 -
McAfee 5.400.0.1158 2011.01.09 -
McAfee-GW-Edition 2010.1C 2011.01.09 -
Microsoft 1.6402 2011.01.09 -
NOD32 5772 2011.01.09 -
Norman 6.06.12 2011.01.09 -
nProtect 2011-01-09.01 2011.01.09 -
Panda 10.0.2.7 2011.01.09 -
PCTools 7.0.3.5 2011.01.09 -
Prevx 3.0 2011.01.09 -
Rising 22.81.05.00 2011.01.08 -
Sophos 4.61.0 2011.01.09 -
SUPERAntiSpyware 4.40.0.1006 2011.01.09 -
Symantec 20101.3.0.103 2011.01.09 -
TheHacker 6.7.0.1.112 2011.01.09 -
TrendMicro 9.120.0.1004 2011.01.09 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.09 -
VBA32 3.12.14.2 2011.01.06 -
VIPRE 8008 2011.01.09 -
ViRobot 2011.1.8.4244 2011.01.09 -
VirusBuster 13.6.136.0 2011.01.09 -
Additional information
MD5 : e6d35f3aa51a65eb35c1f2340154a25e
SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537
SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY
File size : 54016 bytes
First seen: 2009-09-18 00:44:25
Last seen : 2011-01-09 20:05:19
TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xC505
timedatestamp....: 0x4A9EE5B5 (Wed Sep 02 21:37:57 2009)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x480, 0xBD9F, 0xBE00, 5.83, 9474f39576a0e15bdbaa2ea3355f0a4a
.rdata, 0xC280, 0x126, 0x180, 3.78, 375b710d9f213cfced30e9fdb29567e1
.data, 0xC400, 0xC0, 0x100, 0.33, 786971ca2b109729eda604b44d6c72ad
INIT, 0xC500, 0x3C8, 0x400, 5.20, eea49a93a73afb6afc178455582133c6
.reloc, 0xC900, 0x9EC, 0xA00, 6.62, bddd5a40c508bfc84ec87de5f8e6a5d3

[[ 1 import(s) ]]
ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx



VT Community comments (8)

User: GDIcommando
Reputation: 12 credits
Comment date: 2010-10-29 19:17:14 (UTC)
This file is dropped by Malwarebytes' Anti-Malware (malwarebytes.org) when you select to clean an infection. If this file is really malware like some of you say, then how come MBAM drops it?

The file itself as far as I know is in no way malware. It is used by some malware to end protected processes etc, to disable AV products just like it is used by MBAM and others to disable rootkit malware.
Tags: Goodware
Helpful: Yes (2) | No (0)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-11-22 18:10:43 (UTC)
Tags: Goodware, rootkit
Helpful: Yes (1) | No (0)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-12-22 16:51:58 (UTC)
avenger driver, legitimate tool. Driver is also used by MBAM.
Tags: Goodware, rootkit
Helpful: Yes (2) | No (0)

User: LT1
Reputation: 1269 credits
Comment date: 2010-09-29 17:53:30 (UTC)
Tags: Malware
Helpful: Yes (1) | No (5)

User: siri
Reputation: 999 credits
Comment date: 2010-10-01 13:42:47 (UTC)
Legit tool: Avenger
Tags: Goodware, avenger, rootkit
Helpful: Yes (7) | No (1)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-10-04 15:58:28 (UTC)
SIRI IS CORRECT

This is part of Avenger, a low level driver to remove other malware. Delete it if you wish, Avenger always creates a new random driver when it needs to.
Tags: Goodware
Helpful: Yes (5) | No (0)

User: dr_Bora
Reputation: 299 credits
Comment date: 2010-10-08 21:30:18 (UTC)
Legit file.
Tags: Goodware, rootkit, avenger
Helpful: Yes (7) | No (0)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-10-17 08:01:11 (UTC)
Tags: Malware, rootkit, avenger
Helpful: Yes (1) | No (6)

==============================================================================================================================================================================================

c:\windows\system32\drivers\ajvc.sys results:

6 VT Community user(s) with a total of 1313 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 1270 reputation credit(s) say(s) this sample is malware.
File name: ajvc.sys
Submission date: 2011-01-09 20:10:53 (UTC)
Current status: finished


Result: 2/41 (4.9%)
VT Community: controversial
Safety score: 50.8%

Antivirus Version Last Update Result
AhnLab-V3 2011.01.09.00 2011.01.08 -
AntiVir 7.11.1.58 2011.01.09 -
Antiy-AVL 2.0.3.7 2011.01.09 -
Avast 4.8.1351.0 2011.01.09 -
Avast5 5.0.677.0 2011.01.09 -
AVG 9.0.0.851 2011.01.09 -
BitDefender 7.2 2011.01.09 -
CAT-QuickHeal 11.00 2011.01.09 -
ClamAV 0.96.4.0 2011.01.09 BC.Heuristics.Rootkit.B-9.MV
Command 5.2.11.5 2011.01.08 -
Comodo 7341 2011.01.09 -
Emsisoft 5.1.0.1 2011.01.09 -
eSafe 7.0.17.0 2011.01.06 Win32.TrojanHorse
eTrust-Vet 36.1.8087 2011.01.07 -
F-Prot 4.6.2.117 2011.01.08 -
F-Secure 9.0.16160.0 2011.01.09 -
Fortinet 4.2.254.0 2011.01.09 -
GData 21 2011.01.09 -
Ikarus T3.1.1.90.0 2011.01.09 -
Jiangmin 13.0.900 2011.01.09 -
K7AntiVirus 9.75.3472 2011.01.07 -
Kaspersky 7.0.0.125 2011.01.09 -
McAfee 5.400.0.1158 2011.01.09 -
McAfee-GW-Edition 2010.1C 2011.01.09 -
Microsoft 1.6402 2011.01.09 -
NOD32 5772 2011.01.09 -
Norman 6.06.12 2011.01.09 -
nProtect 2011-01-09.01 2011.01.09 -
Panda 10.0.2.7 2011.01.09 -
PCTools 7.0.3.5 2011.01.09 -
Prevx 3.0 2011.01.09 -
Rising 22.81.05.00 2011.01.08 -
Sophos 4.61.0 2011.01.09 -
SUPERAntiSpyware 4.40.0.1006 2011.01.09 -
Symantec 20101.3.0.103 2011.01.09 -
TheHacker 6.7.0.1.112 2011.01.09 -
TrendMicro 9.120.0.1004 2011.01.09 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.09 -
VIPRE 8008 2011.01.09 -
ViRobot 2011.1.8.4244 2011.01.09 -
VirusBuster 13.6.136.0 2011.01.09 -
Additional information
MD5 : e6d35f3aa51a65eb35c1f2340154a25e
SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537
SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY
File size : 54016 bytes
First seen: 2009-09-18 00:44:25
Last seen : 2011-01-09 20:10:53
TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xC505
timedatestamp....: 0x4A9EE5B5 (Wed Sep 02 21:37:57 2009)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x480, 0xBD9F, 0xBE00, 5.83, 9474f39576a0e15bdbaa2ea3355f0a4a
.rdata, 0xC280, 0x126, 0x180, 3.78, 375b710d9f213cfced30e9fdb29567e1
.data, 0xC400, 0xC0, 0x100, 0.33, 786971ca2b109729eda604b44d6c72ad
INIT, 0xC500, 0x3C8, 0x400, 5.20, eea49a93a73afb6afc178455582133c6
.reloc, 0xC900, 0x9EC, 0xA00, 6.62, bddd5a40c508bfc84ec87de5f8e6a5d3

[[ 1 import(s) ]]
ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx



VT Community comments (8)

User: LT1
Reputation: 1269 credits
Comment date: 2010-09-29 17:53:30 (UTC)
Tags: Malware
Helpful: Yes (1) | No (5)

User: siri
Reputation: 999 credits
Comment date: 2010-10-01 13:42:47 (UTC)
Legit tool: Avenger
Tags: Goodware, avenger, rootkit
Helpful: Yes (7) | No (1)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-10-04 15:58:28 (UTC)
SIRI IS CORRECT

This is part of Avenger, a low level driver to remove other malware. Delete it if you wish, Avenger always creates a new random driver when it needs to.
Tags: Goodware
Helpful: Yes (5) | No (0)

User: dr_Bora
Reputation: 299 credits
Comment date: 2010-10-08 21:30:18 (UTC)
Legit file.
Tags: Goodware, rootkit, avenger
Helpful: Yes (7) | No (0)

User: Anonymous
Reputation: 1 credits
Comment date: 2010-10-17 08:01:11 (UTC)
Tags: Malware, rootkit, avenger

#10 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:53 PM

Posted 10 January 2011 - 09:42 AM

Hi JaxNHayes,


Step 1.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:


RenV::
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note:

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


Step 2.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :service
    ttgnskvd 
    ajvc
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note: If ESET finds nothing, there will be no log produced.


Step 4.

You should still have RKUnhooker on your desktop. :thumbup2:

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


In your next reply please include the following:

ComboFix.txt
SystemLook.txt
ESET results
RkUnhooker report


Thanks!!

Edited by pwgib, 10 January 2011 - 11:28 AM.
Added SystemLook

PW
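
As an added example (not part of this thread, and not ComboFix's own code), a small Python helper that reads the Run-key entries out of a ComboFix "Reg Loading Points" section, flags targets whose file name carries a space before the extension (the `Acrotray .exe` pattern the RenV:: script above renames back) and emits the matching RenV:: block. The log sample inside is constructed to match the format shown in the logs on this page; the function names are my own.

```python
import re

# Constructed sample modelled on the ComboFix "Reg Loading Points" format
# seen in the logs above (a few entries only, not the real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe" [X]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint .exe" [X]
"""

# One loading-point line has the shape:  "Name"="command" [info]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Split the command into the program path (up to its extension) and any arguments.
PATH_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|cpl|scr))(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Whitespace sitting between the base name and the extension, e.g. "Acrotray .exe".
SPACED_EXT_RE = re.compile(r'\S\s+\.[A-Za-z0-9]+$')


def parse_loading_points(log_text):
    """Return one dict per Run-style entry: name, program path, args and
    whether ComboFix marked the target as not found ([X])."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # registry key headers and blank lines
        pm = PATH_RE.match(m.group("cmd").strip())
        if not pm:
            continue  # not a recognisable program path
        entries.append({
            "name": m.group("name"),
            "path": pm.group("path"),
            "args": pm.group("args") or "",
            "missing": m.group("info").strip() == "X",
        })
    return entries


def find_space_renamed(log_text):
    """Paths whose file name has whitespace just before the extension."""
    return [e["path"] for e in parse_loading_points(log_text)
            if SPACED_EXT_RE.search(e["path"])]


def build_renv_script(paths):
    """Emit a CFScript RenV:: block, one path per line, exactly as logged
    (the on-disk name must match, so the spacing is not normalised)."""
    if not paths:
        return ""
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    # Review the flagged entries before pasting anything into CFScript.txt.
    for entry in parse_loading_points(SAMPLE_LOG):
        flag = "MISSING" if entry["missing"] else "ok"
        print(f"{entry['name']:24} {flag:8} {entry['path']}")
    print(build_renv_script(find_space_renamed(SAMPLE_LOG)))
```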

#11 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 10 January 2011 - 11:27 AM

I ran combofix and the window popped up when it was finished, but it could not submit the files so it created a file to submit later. How can I submit that for analysis?

#12 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:53 PM

Posted 10 January 2011 - 11:30 AM

Hi JaxNHayes,

Ignore my edit in the previous post for SystemLook

Please post the ComboFix.txt log


Thanks!!
PW

#13 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:53 PM

Posted 10 January 2011 - 12:12 PM

Here is the combofix log. Do I need to run the other steps now (ESET & RKUnhooker) or wait?


ComboFix 11-01-09.03 - Ira 01/10/2011 10:49:04.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.627 [GMT -5:00]
Running from: c:\documents and settings\Ira\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ira\Desktop\CFScript.txt

file zipped: c:\windows\system32\drivers\ajvc.sys
file zipped: c:\windows\system32\drivers\ttgnskvd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ajvc.sys
c:\windows\system32\drivers\ttgnskvd.sys

.
((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))
.

2010-12-31 16:03 . 2010-12-31 16:03 -------- d-sh--w- c:\documents and settings\Amanda\IECompatCache
2010-12-30 19:38 . 2010-12-30 19:38 -------- d-sh--w- c:\documents and settings\Jax\IECompatCache
2010-12-29 17:39 . 2010-12-29 17:39 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Safe mirror
2010-12-29 17:38 . 2010-12-29 17:39 -------- d-----w- c:\program files\Cobian Backup 10
2010-12-29 16:16 . 2010-12-29 17:27 -------- d-----w- c:\windows\system32\NtmsData
2010-12-29 13:05 . 2010-12-29 13:05 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-29 11:31 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\documents and settings\Ira\Application Data\FixCleaner
2010-12-29 10:53 . 2011-01-04 10:19 -------- d-----w- c:\program files\FixCleaner
2010-12-26 21:23 . 2010-12-26 21:23 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-25 12:35 . 2010-12-25 12:35 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-22 16:51 . 2010-12-22 16:51 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-22 09:10 . 2010-12-22 09:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-22 07:43 . 2010-12-22 07:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-17 06:47 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 06:46 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-15 19:13 . 2010-12-16 19:31 -------- d-----w- C:\CCU Resume
2010-12-14 20:04 . 2010-12-14 20:05 -------- d-----w- c:\documents and settings\Ira\Local Settings\Application Data\Roblox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2008-08-13 01:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-08-13 01:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2008-01-20 20:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 08:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 08:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-01-09_15.19.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-10 15:22 . 2011-01-10 15:22 16384 c:\windows\Temp\Perflib_Perfdata_45c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-11-18 46896472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-12-26 53248]

c:\documents and settings\Ira\Start Menu\Programs\Startup\
Update StruCalc.lnk - c:\program files\StruCalc 7.0\WiseUpdt.exe [2008-1-20 162834]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-9-12 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/12/2010 10:53 PM 10448]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [9/10/2009 11:15 PM 12032]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [9/10/2009 11:15 PM 39552]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 4:01 AM 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 4:01 AM 10448]
S2 pciinfo;HP Pci Information; [x]
S3 HPWPAUSB;Wireless Printer Adapter;c:\windows\system32\drivers\HPWPAUSB.sys [9/10/2009 6:33 PM 18560]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;\??\d:\scpndis5.sys --> d:\SCPNDIS5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-10 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,7e,35,b8,6c,e0,db,4e,9a,22,a5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2011-01-10 11:04:48
ComboFix-quarantined-files.txt 2011-01-10 16:04
ComboFix2.txt 2011-01-09 15:24
ComboFix3.txt 2011-01-08 17:36

Pre-Run: 37,637,738,496 bytes free
Post-Run: 37,714,837,504 bytes free

- - End Of File - - 09862758BBB076062501B6D1E185BD6E
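One way to triage the Reg Loading Points section of a ComboFix log like the one above, as an added example that is not part of this thread and is not a ComboFix or BleepingComputer tool. The sample input is constructed from lines copied out of the posted log. The four heuristics it applies (target file not found, bare filename with no directory, whitespace before the extension, executable in a user-writable location) are this example's own assumptions about what deserves a second look, not a verdict that any entry is malicious.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not a ComboFix or BleepingComputer tool.
It parses the autostart entries ComboFix prints and flags the ones a
responder would look at first. The heuristics are this example's own
assumptions, not verdicts from ComboFix or the helpers in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-11-18 46896472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]

c:\documents and settings\Ira\Start Menu\Programs\Startup\
Update StruCalc.lnk - c:\program files\StruCalc 7.0\WiseUpdt.exe [2008-1-20 162834]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")          # registry key header
FOLDER_RE = re.compile(r"^(?P<key>[a-z]:\\.*\\)$", re.I)    # startup-folder header
REG_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
LNK_ENTRY_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<cmd>.+?) \[(?P<meta>[^\]]*)\]$", re.I)
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)", re.I)             # path up to the first .exe
# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("documents and settings", "\\temp\\", "\\appdata\\", "%temp%")


@dataclass
class Entry:
    key: str
    name: str
    cmd: str
    meta: str
    reasons: list = field(default_factory=list)

    @property
    def exe(self) -> str:
        """Executable part of the command line, arguments stripped."""
        m = EXE_RE.match(self.cmd.strip())
        return m.group("exe") if m else self.cmd.strip()


def parse_entries(text: str) -> list:
    """Return every autostart entry under its registry key or startup folder."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        header = KEY_RE.match(line) or FOLDER_RE.match(line)
        if header:
            key = header.group("key")
            continue
        m = REG_ENTRY_RE.match(line) or LNK_ENTRY_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("cmd"), m.group("meta")))
    return entries


def triage(text: str) -> list:
    """Return only the entries that trip at least one heuristic."""
    flagged = []
    for e in parse_entries(text):
        exe = e.exe
        if e.meta.strip().upper() == "X":          # ComboFix prints [X] where it found no file
            e.reasons.append("target file not found")
        if "\\" not in exe:                          # no directory: resolved via the search path
            e.reasons.append("bare filename (resolved via search path)")
        if re.search(r"\s\.exe$", exe, re.I):        # 'qttask .exe' is not how installers name files
            e.reasons.append("whitespace before extension")
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            e.reasons.append("runs from user-writable location")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name!r} -> {e.exe}\n    under {e.key}\n    {'; '.join(e.reasons)}")
```

Run stand-alone it prints the flagged entries from the sample; paste a full ComboFix log into SAMPLE_LOG (or read it from a file) and it walks the whole section, Run keys and startup folders alike.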




#14 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:04:53 PM

Posted 10 January 2011 - 12:43 PM

Hi JaxNHayes,

We will take care of the files to submit before we finish. The database was probably offline. :)

Do I need to run the other steps now (ESET & RKUnhooker) or wait.
Please run both and post the logs. :thumbup2:

Step 1.

Please go to Add/Remove Programs and uninstall the following old versions of Java.

Information about using Add/Remove Programs here

J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1



Your Adobe Reader is out of date. Please go here to update. Uncheck the McAfee scan option. :wink:

You may need to manually delete older copies of Adobe Reader via Add/Remove Programs.


Step 2.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply please include the following:

ESET results
RKUnhooker log
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


How is your computer running? Any pop-ups or redirects?


Thanks!!

Edited by pwgib, 10 January 2011 - 12:44 PM.

PW
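Step 1 above is done by hand in Add/Remove Programs. As an added example (not the forum's or Oracle's code), the script below lists which installed Java runtimes are older than the newest one present, so the ones to remove can be checked against the list in the post before clicking. On Windows it reads DisplayName values from the Uninstall registry keys with the standard-library winreg module; elsewhere it runs on a constructed list built from the names in the post plus one assumed newer runtime. The version parsing and the keep-only-the-newest rule are this example's own assumptions.

```python
"""Flag stale side-by-side Java runtimes from Add/Remove Programs names.

Added example for this thread, not the forum's or Oracle's tooling. On
Windows it reads DisplayName values from the Uninstall keys via the stdlib
winreg module; elsewhere it runs on a constructed sample. The version
parsing and the "keep only the newest, remove the rest" rule are this
example's assumptions; they match the post above, which asks for every
older runtime to go.
"""
import re
import sys

# Constructed sample: the four names the post above lists for removal, plus
# one newer runtime assumed to be installed (the log shows a jre6 directory,
# but its exact update level is not in the thread).
SAMPLE_DISPLAY_NAMES = [
    "J2SE Runtime Environment 5.0 Update 5",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 22",          # assumed, not from the log
    "Adobe Reader 9.1",              # unrelated product, must be ignored
]

JAVA_NAME_RE = re.compile(r"\b(?:J2SE|Java|JDK)\b")
# Major version, optional minor (the ".0" in "5.0"), optional "Update N".
# The lookbehind keeps the "2" in "J2SE" from being taken as a version.
JAVA_VER_RE = re.compile(r"(?<![\w.])(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?", re.I)


def parse_java_version(display_name: str):
    """Return (major, update) for a Java runtime entry, or None if it is not one."""
    if not JAVA_NAME_RE.search(display_name):
        return None
    m = JAVA_VER_RE.search(display_name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def stale_java(display_names) -> list:
    """Names of every Java runtime older than the newest one installed, in input order."""
    found = [(v, n) for n in display_names if (v := parse_java_version(n)) is not None]
    if not found:
        return []
    newest = max(v for v, _ in found)
    return [n for v, n in found if v < newest]


def installed_display_names() -> list:
    """Read DisplayName from both Uninstall views (native and WOW6432Node). Windows only."""
    import winreg
    names = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue                      # view absent on 32-bit Windows such as this XP box
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                except OSError:
                    pass                  # subkey without a DisplayName
    return names


if __name__ == "__main__":
    names = installed_display_names() if sys.platform == "win32" else SAMPLE_DISPLAY_NAMES
    for name in stale_java(names):
        print("remove:", name)
```

It only reports; the uninstall itself still goes through Add/Remove Programs as the post says.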

#15 JaxNHayes

JaxNHayes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 10 January 2011 - 02:31 PM

I am in the process of running ESET and it has gotten to step 3 of 4 and seems to have stopped at 50%. The timer is still ticking but the files scanned seems to have stopped for the past 10 -15 minutes. Should I restart the scan?

NEVER MIND IT IS STILL WORKING JUST SLOW.

Edited by JaxNHayes, 10 January 2011 - 02:51 PM.

