
Infected with Rootkit.Win32.ZAccess.c


  • This topic is locked
32 replies to this topic

#1 bbrooke

bbrooke

  • Members
  • 18 posts
  • Gender:Female

Posted 06 August 2011 - 04:41 PM

Anyone up for a challenge...? :woot:

Symptoms:

(1) Google redirects, and

(2) I'm unable to run any anti-virus software (Webroot, MalwareBytes, SuperAntiSpyware). I get this error: "Windows cannot access the specified drive, path, or file. You may not have appropriate permissions to access the item". (Actually, I can start my Webroot software, but I'm unable to make any configuration changes or run a manual scan…)

I was able to run Kaspersky TDSS Killer. It found five issues but could not "cure" any of them. They are listed as: Rootkit.Win32.ZAccess.c (AFD, IPSec, MRxSmb, NetBT, redbook).

From what I've found in the bleepingcomputer forums, it sounds like this particular rootkit problem might be really hard to fix. So, I would be greatly appreciative for any guidance the experts can offer!

I have followed all the steps at the Preparation Guide page, except that I'm unable to turn back on the Windows Firewall (can't start the prerequisite Windows Firewall / Internet Connection Sharing (ICS) service -- surely due to my rootkit problem...).

My DDS Log is enclosed below, and the DDS attach.txt and GMER ark.txt files are attached.

THANK YOU in advance!

-- Brooke


.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 13:40:11 on 2011-08-06
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [KADxMain] "c:\windows\system32\KADxMain.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CanonSolutionMenu] "c:\program files\canon\solutionmenu\CNSLMAIN.exe" /logon
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] "c:\program files\trend micro\rubotted\RUBottedGUI.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_20.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260732854890
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
TCP: Interfaces\{B7A41A49-CDCF-4642-A24E-52F834E736BB} : DhcpNameServer = 68.87.85.102 68.87.69.150
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\hy2j59ay.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? cbVSCService;Cobian Backup 10 Volume Shadow Copy service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? LBeepKE;LBeepKE
R? NovacomD;Palm Novacom
R? NPF;NetGroup Packet Filter Driver
R? RUBotSrv;Trend Micro RUBotted Service
R? SASDIFSV;SASDIFSV
R? SASKUTIL;SASKUTIL
R? SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver
R? ssfmonm;ssfmonm
R? txbsro;txbsro
R? WebrootSpySweeperService;Webroot Spy Sweeper Engine
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? !SASCORE;SAS Core Service
S? WRConsumerService;Webroot Client Service
.
=============== Created Last 30 ================
.
2011-08-06 06:52:47 -------- d-----w- C:\BBM
2011-08-06 06:34:20 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Safe mirror
2011-08-06 06:33:16 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:40:09 -------- d-----w- c:\documents and settings\administrator\application data\Helios
2011-08-04 06:26:09 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09:57 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
2011-08-04 06:09:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:09:05 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-08-04 06:08:35 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-04 05:34:47 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38:52 -------- d-----w- c:\documents and settings\all users\application data\Sprint
2011-07-16 21:42:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 21:42:07 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-16 19:06:11 0 ------w- c:\windows\system32\HFX342.tmp
2011-07-16 18:08:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53:56 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41:16 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41:10 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41:04 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36:40 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36:20 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35:06 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34:50 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34:50 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34:18 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33:18 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32:16 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29:05 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:29:05 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:28:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28:14 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27:08 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23:53 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23:44 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22:39 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22:34 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05:01 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04:44 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04:44 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04:44 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04:44 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04:44 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04:44 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04:43 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04:43 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 17:04:43 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 03:12:14 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2011-07-16 03:02:08 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56:33 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 02:56:33 -------- d-----w- c:\documents and settings\administrator\log
2011-07-16 02:26:25 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-07-16 02:18:19 -------- d-----w- c:\windows\pss
2011-07-16 01:44:30 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:44:30 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44:30 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:41:41 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40:20 -------- d-----w- c:\program files\Webroot
2011-07-16 01:35:19 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2011-07-16 01:34:48 -------- d-----w- c:\documents and settings\all users\application data\Webroot
2011-07-16 01:34:31 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PackageAware
.
==================== Find3M ====================
.
2011-08-06 06:28:25 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37:52 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:42:58 276992 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-04 07:34:38 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35:16 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 01:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:41:07.34 ===============

Attached Files


Edited by heir, 07 August 2011 - 03:25 AM.
removed textformat on log
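Added example (not from the thread and not a BleepingComputer tool): a Python triage pass over ComboFix-style log lines of the kind posted in this thread, copying Find3M and service entries from the ComboFix log later in the thread as its constructed sample. The 30-day and one-year thresholds are my assumptions; Windows Update also rewrites drivers, so a hit is a hint for the helper, not proof of infection.

```python
"""Triage pass over ComboFix-style log lines (added example).

Two signals relevant to the ZeroAccess case in this thread:
  1. a kernel driver whose last-write time is recent although the file was
     created years earlier (the rootkit overwrote afd/ipsec/mrxsmb/netbt/redbook
     in place, which is why TDSSKiller named exactly those drivers);
  2. a service whose image path ComboFix could not find on disk (printed as
     "<path> --> <path> [?]"), like the boot-start txbsro entry.
"""
import re
from datetime import datetime

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 01:52 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
S0 txbsro;txbsro;c:\windows\system32\drivers\fehgq.sys --> c:\windows\system32\drivers\fehgq.sys [?]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
"""

# "<last write> . <created> <size or dashes> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<written>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# "R2 name;display name;image path [date size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$"
)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def find_suspicious(log_text, report_date, recent_days=30, min_age_days=365):
    """Return (reason, name) pairs for entries worth a closer look.

    report_date: the date on the ComboFix header, e.g. "2011-08-07".
    recent_days / min_age_days: assumed thresholds, tune them to the case.
    """
    report = datetime.strptime(report_date, "%Y-%m-%d")
    findings = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m["path"].strip().lower()
            # Only kernel drivers under system32\drivers are of interest here.
            if "\\drivers\\" not in path or not path.endswith(".sys"):
                continue
            written, created = _ts(m["written"]), _ts(m["created"])
            rewritten_recently = (report - written).days <= recent_days
            much_older_on_disk = (written - created).days >= min_age_days
            # The restored afd.sys is not flagged: ComboFix replaced it with a
            # copy whose creation date is only months old.
            if rewritten_recently and much_older_on_disk:
                findings.append(("rewritten-old-driver", path.rsplit("\\", 1)[-1]))
            continue
        m = SERVICE_RE.match(line)
        # ComboFix appends "[?]" when the service image cannot be found on disk.
        if m and m["image"].rstrip().endswith("[?]"):
            findings.append(("service-image-missing", m["name"].strip()))
    return findings


if __name__ == "__main__":
    for reason, name in find_suspicious(SAMPLE_LOG, "2011-08-07"):
        print(f"{reason:24} {name}")
```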



#2 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 07 August 2011 - 03:49 AM

:welcome: to BC

Please don't format logs when posting them, just paste them in as they are unless you're asked to do otherwise.

Please run tools from normal mode (not safe mode) unless you are asked to.

Step 1.
ComboFix:

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a how-to for some of the applications.
    They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!


#3 bbrooke

bbrooke
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female

Posted 07 August 2011 - 08:03 PM

Thank you for responding so quickly!

I turned off Webroot and RUBotted before running ComboFix. But, ComboFix rebooted Windows after installing Microsoft Windows Recovery Console (I had to get the WRC file from the support.microsoft.com website by following these steps), and I think Webroot and RUBotted might have restarted themselves during that reboot. Hopefully that won't cause problems...?

In any case -- my ComboFix log is enclosed below. Let me know what to do next...! :busy:

Thanks again,
Brooke


ComboFix 11-08-03.03 - Brooke 08/07/2011 11:55:53.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1660 [GMT -6:00]
Running from: c:\documents and settings\Brooke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\SET21B.tmp
c:\program files\Internet Explorer\SET21F.tmp
c:\program files\Internet Explorer\SET220.tmp
c:\windows\$NtUninstallKB25508$
c:\windows\$NtUninstallKB25508$\3440034359
c:\windows\$NtUninstallKB25508$\3785260485\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB25508$\3785260485\click.tlb
c:\windows\$NtUninstallKB25508$\3785260485\L\odetmngk
c:\windows\$NtUninstallKB25508$\3785260485\loader.tlb
c:\windows\$NtUninstallKB25508$\3785260485\U\@00000001
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000c0
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000cb
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000cf
c:\windows\$NtUninstallKB25508$\3785260485\U\@80000000
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000c0
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000cb
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000cf
c:\windows\system32\c_79242.nls
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-06 06:52 . 2011-08-06 07:41 -------- d-----w- C:\BBM
2011-08-06 06:33 . 2011-08-06 06:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26 . 2011-08-07 17:24 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09 . 2011-08-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 06:09 . 2011-08-04 06:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08 . 2011-08-04 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-04 05:34 . 2011-08-04 05:34 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38 . 2011-07-16 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2011-07-16 21:42 . 2011-07-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 21:42 . 2011-07-16 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 19:06 . 2011-07-16 19:06 0 ------w- c:\windows\system32\HFX342.tmp
2011-07-16 18:08 . 2011-04-25 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53 . 2011-07-16 18:38 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41 . 2011-04-29 16:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41 . 2011-05-02 15:31 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:29 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:28 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\program files\Reference Assemblies
2011-07-16 17:05 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2011-07-16 17:05 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 03:12 . 2011-07-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-16 03:02 . 2011-07-16 03:02 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56 . 2011-05-16 01:04 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 01:44 . 2011-07-11 16:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44 . 2011-07-11 16:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:44 . 2011-07-11 16:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:41 . 2011-07-16 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40 . 2011-07-16 01:40 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34 . 2011-08-03 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-16 01:32 . 2011-08-06 19:39 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 01:52 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05 . 2011-05-18 07:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-25 01:13 . 2011-05-11 15:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-04-21 . B6E13F9C120C776A89D783E26D6C15C5 . 634648 . . [7.00.6000.17098] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2011-04-21 . 3E23DBEBE1020D52C63235E4189FAC03 . 634648 . . [7.00.6000.21300] . . c:\windows\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-08-03 1382984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-3 813584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 03:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 20:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 21:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 07:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SprintRcAppSvc"=3 (0x3)
"RoxWatch9"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Zone Five Software\\SportTracks 2.1\\SportTracks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trend Micro\\RUBotted\\RUBottedGUI.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\FastCheck\\FastCheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [8/6/2011 12:34 AM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/3/2010 10:12 PM 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/15/2011 9:01 PM 439632]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/15/2011 7:44 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/3/2011 10:17 AM 3381184]
S0 txbsro;txbsro;c:\windows\system32\drivers\fehgq.sys --> c:\windows\system32\drivers\fehgq.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [8/14/2009 10:44 AM 33280]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
FF - ProfilePath - c:\documents and settings\Brooke\Application Data\Mozilla\Firefox\Profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.txt=TextPad.txt
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-43826423.sys
SafeBoot-82102642.sys
MSConfigStartUp-RDVCHG - c:\program files\Sprint\Sprint SmartView\RDVCHG.exe
MSConfigStartUp-Sprint SmartView - c:\program files\Sprint\Sprint SmartView\SprintSV.exe
AddRemove-GPSBabel Plugin_is1 - c:\program files\Zone Five Software\SportTracks 2.1\Plugins\GPSBabel Plugin\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 12:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2011-08-07 12:11:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 18:11
.
Pre-Run: 63,907,971,072 bytes free
Post-Run: 64,126,193,664 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CBB2833CC2B6EDCC4B5A45F606341213

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:05:17 AM

Posted 08 August 2011 - 01:17 AM

:thumbsup:

Let's move on.

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\HFX342.tmp
c:\windows\system32\drivers\fehgq.sys
Driver::
txbsro
Dirlook::
C:\ba4ea83105f811f4f89547
C:\b0298d37f2cddf0dd2
Filelook::
c:\windows\system32\c_79242.nl_

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3.
ESET Online Scanner:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Step 4.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of the log from MBAM in step 2.
  • The content of the log from EOS in step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image

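Added example for this thread (not heir's instructions and not ComboFix's own code): a small Python reader for the CFScript format used in Step 1, plus a cross-check of the Driver:: entry against the service lines in the ComboFix log posted earlier, where the txbsro service pointed at c:\windows\system32\drivers\fehgq.sys. The classification of File:: and Driver:: as directives that act on the system, and Dirlook:: and Filelook:: as report-only, is my reading of the tool and is an assumption; the sample script and service lines are copied from this thread as constructed test input.

```python
"""Parse a ComboFix CFScript.txt and cross-check it against the log.

Added example for this thread; not ComboFix's own code. Directive
semantics (which ones act, which only look) are an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# Directives seen in the script above. File:: and Driver:: act on the
# system; Dirlook:: and Filelook:: only report (assumption). Compared
# case-insensitively because the thread spells them inconsistently.
ACTION_DIRECTIVES = {"file", "driver"}
LOOK_DIRECTIVES = {"dirlook", "filelook"}

# The script from the reply above, used here as constructed sample input.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\HFX342.tmp
c:\windows\system32\drivers\fehgq.sys
Driver::
txbsro
Dirlook::
C:\ba4ea83105f811f4f89547
C:\b0298d37f2cddf0dd2
Filelook::
c:\windows\system32\c_79242.nl_
"""

# Service lines copied from the earlier ComboFix log (constructed sample).
SAMPLE_SERVICE_LINES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
S0 txbsro;txbsro;c:\windows\system32\drivers\fehgq.sys --> c:\windows\system32\drivers\fehgq.sys [?]
""".strip().splitlines()

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
# "R1 name;display name;image path [date size]" or "... --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: -->.*| \[.*)?$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {directive: [entries]}; raise on an entry with no header."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def unknown_directives(sections: Dict[str, List[str]]) -> List[str]:
    """Directive names not classified above; review these before running."""
    known = ACTION_DIRECTIVES | LOOK_DIRECTIVES
    return sorted(d for d in sections if d.lower() not in known)


def parse_service_lines(lines: List[str]) -> Dict[str, str]:
    """Map service name -> image path from ComboFix 'R1 name;display;path' lines."""
    services: Dict[str, str] = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(2)] = m.group(4)
    return services


def cross_check_drivers(
    sections: Dict[str, List[str]], services: Dict[str, str]
) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each Driver:: name: (image path from the log, whether that same
    file is also listed under File::). A False here means the script names
    a service but leaves its driver file on disk."""
    files = {p.lower() for p in sections.get("File", [])}
    result: Dict[str, Tuple[Optional[str], bool]] = {}
    for name in sections.get("Driver", []):
        path = services.get(name)
        result[name] = (path, path is not None and path.lower() in files)
    return result


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed.items():
        print(f"{directive}:: {entries}")
    print(cross_check_drivers(parsed, parse_service_lines(SAMPLE_SERVICE_LINES)))
```

The point of the cross-check is that a script's Driver:: and File:: lines should describe the same component: here the txbsro service and the fehgq.sys image it loads, exactly as the earlier log reported them.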

#5 bbrooke

bbrooke
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Female
  • Local time:09:17 PM

Posted 09 August 2011 - 12:09 AM

Hello again...

0. I closed RUBotted and Webroot from the system tray, and I also killed their associated processes in the Task Manager (RUBotSrv.exe and WRConsumerService.exe).

1. I ran ComboFix with the script you sent; the log file is enclosed below. (Note: It prompted me again to install Windows Recovery Console, even though I already did that yesterday...)

2. I ran MBAM and the log is enclosed below. It did not find any issues. BUT -- my MBAM database is 23 days old and I got an error when I tried to update it before my Quick Scan:

"PROGRAM ERROR UPDATING (11004, 0, No address found). The requested name is valid, but it does not have the correct associated data being resolved for."


Now I realize I cannot access the internet, either through wireless or my network cable... (I'm submitting this update from my work laptop). I have rebooted and I have also tried to repair network connections in the Control Panel. When I try to repair the network connection, this is the error message I get:

"Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."


3. I can't run the ESET Online Scanner since it requires an internet connection... (I downloaded the EOS exe file to a thumb drive in order to get it onto my infected PC, but it still tried to access the internet to download components and updates when I launched it; I couldn't get past that step.)

:smash:

Thanks again,
Brooke


ComboFix 11-08-07.03 - Brooke 08/08/2011 22:26:44.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1463 [GMT -6:00]
Running from: c:\documents and settings\Brooke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
FILE ::
"c:\windows\system32\drivers\fehgq.sys"
"c:\windows\system32\HFX342.tmp"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2011-08-06 06:52 . 2011-08-06 07:41 -------- d-----w- C:\BBM
2011-08-06 06:33 . 2011-08-06 06:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26 . 2011-08-07 17:24 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09 . 2011-08-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 06:09 . 2011-08-04 06:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08 . 2011-08-04 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-04 05:34 . 2011-08-04 05:34 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38 . 2011-07-16 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2011-07-16 21:42 . 2011-07-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 21:42 . 2011-07-16 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 18:08 . 2011-04-25 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53 . 2011-07-16 18:38 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41 . 2011-04-29 16:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41 . 2011-05-02 15:31 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:29 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:28 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\program files\Reference Assemblies
2011-07-16 17:05 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2011-07-16 17:05 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 03:12 . 2011-07-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-16 03:02 . 2011-07-16 03:02 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56 . 2011-05-16 01:04 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 01:44 . 2011-07-11 16:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44 . 2011-07-11 16:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:44 . 2011-07-11 16:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:41 . 2011-07-16 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40 . 2011-07-16 01:40 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34 . 2011-08-03 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-16 01:32 . 2011-08-06 19:39 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-08 13:55 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 13:55 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05 . 2011-05-18 07:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-25 01:13 . 2011-05-11 15:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\c_79242.nl_ ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 44560
Created time: 2011-08-04 06:26
Modified time: 2011-08-07 17:24
MD5: 5259CB265C95F8609B53523794C37A57
SHA1: A584239B92DA4B7CA9F5AE75BA5194E4A5FF2CD1
.
---- Directory of C:\b0298d37f2cddf0dd2 ----
.
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.inf
2011-07-16 17:04 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.gpd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.inf
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 147456 ------w- c:\b0298d37f2cddf0dd2\amd64\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\b0298d37f2cddf0dd2\i386\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 765440 ------w- c:\b0298d37f2cddf0dd2\i386\mxdwdrv.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\b0298d37f2cddf0dd2\i386\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 748032 ------w- c:\b0298d37f2cddf0dd2\amd64\mxdwdrv.dll
2008-07-06 23:36 . 2008-07-06 23:36 2936832 ------w- c:\b0298d37f2cddf0dd2\amd64\xpssvcs.dll
2008-06-19 17:03 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.gpd
.
---- Directory of C:\ba4ea83105f811f4f89547 ----
.
2009-03-08 20:23 . 2009-03-08 20:23 58464 ----a-w- c:\ba4ea83105f811f4f89547\update\iecustom.dll
2009-03-08 20:21 . 2009-03-08 20:21 4096 ----a-w- c:\ba4ea83105f811f4f89547\ie4uinit.exe.mui
2009-01-08 00:21 . 2009-01-08 00:21 755744 ----a-w- c:\ba4ea83105f811f4f89547\update\update.exe
2009-01-08 00:21 . 2009-01-08 00:21 382496 ----a-w- c:\ba4ea83105f811f4f89547\update\updspapi.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-04-21 . B6E13F9C120C776A89D783E26D6C15C5 . 634648 . . [7.00.6000.17098] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2011-04-21 . 3E23DBEBE1020D52C63235E4189FAC03 . 634648 . . [7.00.6000.21300] . . c:\windows\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-08-07_18.05.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-08 18:28 . 2011-08-08 18:28 16384 c:\windows\Temp\Perflib_Perfdata_808.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-08-03 1382984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-3 813584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 03:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 20:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 21:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 07:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SprintRcAppSvc"=3 (0x3)
"RoxWatch9"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Zone Five Software\\SportTracks 2.1\\SportTracks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trend Micro\\RUBotted\\RUBottedGUI.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\FastCheck\\FastCheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [8/6/2011 12:34 AM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/3/2010 10:12 PM 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/15/2011 7:44 PM 45584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [8/14/2009 10:44 AM 33280]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/15/2011 9:01 PM 439632]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/3/2011 10:17 AM 3381184]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
FF - ProfilePath - c:\documents and settings\Brooke\Application Data\Mozilla\Firefox\Profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 22:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-08 22:33:23
ComboFix-quarantined-files.txt 2011-08-09 04:33
ComboFix2.txt 2011-08-08 18:32
ComboFix3.txt 2011-08-07 18:11
.
Pre-Run: 64,106,979,328 bytes free
Post-Run: 64,091,430,912 bytes free
.
- - End Of File - - 536462084DC2419E613E2F39810D28D8

MBAM LOG

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/8/2011 11:03:06 PM
mbam-log-2011-08-08 (23-03-06).txt

Scan type: Quick scan
Objects scanned: 174772
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by bbrooke, 09 August 2011 - 12:13 AM.
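The `.afd`, `.ipsec`, `.netbt` and `.redbook` keys with `"ImagePath"="\*"` in the ComboFix log above are the artefact worth recognising: placeholder service entries that sit beside the real network and CD-ROM driver services TDSSKiller named. The script below is an added example (not part of this thread, nor ComboFix's or TDSSKiller's own code) that parses that registry section of a ComboFix log and flags such entries; the sample log text is constructed from the four keys shown plus one benign entry.

```python
import re
from dataclasses import dataclass

# Constructed sample (not the full log from the post): the four placeholder
# service keys ComboFix printed above, plus one benign driver entry so the
# filter has something it must NOT report.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV]
"ImagePath"="c:\program files\superantispyware\sasdifsv.sys"
"""

# Matches the key header lines ComboFix prints for HKLM\System\ControlSetNNN\Services\<name>.
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$",
    re.IGNORECASE,
)
# Matches a "Name"="value" line underneath a key header.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Kernel drivers the TDSSKiller run in this thread reported as hijacked.
SHADOWED_DRIVERS = {"afd", "ipsec", "mrxsmb", "netbt", "redbook"}


def parse_services(log_text):
    """Map service key name -> {value name: value} for every
    Services\\<name> block found in the registry section of the log."""
    services = {}
    current = None
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        key_match = SERVICE_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            services.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            services[current][value_match.group(1)] = value_match.group(2)
    return services


@dataclass(frozen=True)
class Finding:
    service: str
    reasons: tuple


def flag_shadow_services(services):
    """Return a Finding for each entry that looks like a placeholder service:
    a name beginning with '.' or an ImagePath of "\\*" instead of a file."""
    findings = []
    for name, values in services.items():
        reasons = []
        if name.startswith("."):
            reasons.append("service name starts with '.'")
        if values.get("ImagePath") == r"\*":
            reasons.append('ImagePath is "\\*" instead of a driver file')
        if not reasons:
            continue  # ordinary entry; nothing to report
        mirrored = name.lstrip(".").lower()
        if mirrored in SHADOWED_DRIVERS:
            reasons.append(f"mirrors the legitimate {mirrored} driver entry")
        findings.append(Finding(name, tuple(reasons)))
    return findings


def scan_log(log_text):
    """Parse a ComboFix log's registry section and return the flagged entries."""
    return flag_shadow_services(parse_services(log_text))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.service, "->", "; ".join(finding.reasons))
```

Feed it the registry section of a real ComboFix log and the benign SASDIFSV-style entries drop out, leaving only the placeholder keys to investigate.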


#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:17 AM

Posted 09 August 2011 - 07:47 AM

We need to find out why the connection to Internet was lost.

Step 1.
Flashdrive disinfector:

Do this from the computer with the working internet connection.

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Use the thumb-drive to transfer the files between the computers.

Step 2.
DDS:

Run DDS and post the logs (DDS.txt and Attach.txt) in your reply.

Step 3.
Things I would like to see in your reply:

  • The logs from DDS in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate button in my signature.


#7 bbrooke

bbrooke
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:17 PM

Posted 09 August 2011 - 11:31 AM

Yeah, I figured it was risky to transfer files back and forth between my two laptops with that thumb drive. But, I'm hoping (gambling!) that my work-issued laptop is hardened better than my personal one was...(the work laptop has a locked-down collection of McAfee apps with policy enforcement every 15 minutes, etc.).

1. I ran Flash_Disinfector. It seemed to run fine, and it didn't report any issues on my thumb drive. I don't see "autorun.inf" on the thumb drive now, even though I have my options set to show hidden files and folders. Just FYI in case that's significant...

2. My new DDS log files are enclosed below.

Note: The first time I ran ComboFix, I got this popup message (below). I didn't mention it because I assumed it was included in the log file I posted for you. Sorry if me not mentioning that caused any complication...

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time.


(Last night I rebooted, tried to repair network connections in the control panel, and re-ran ComboFix -- still no internet access. I'm assuming this has more to do with the rootkit problem than with anything ComboFix did...)

Thanks,
Brooke


:scratchhead:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Run by Brooke at 10:13:17 on 2011-08-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1598 [GMT -6:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [KADxMain] "c:\windows\system32\KADxMain.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CanonSolutionMenu] "c:\program files\canon\solutionmenu\CNSLMAIN.exe" /logon
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] "c:\program files\trend micro\rubotted\RUBottedGUI.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: microsoft.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260732854890
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
TCP: Interfaces\{B7A41A49-CDCF-4642-A24E-52F834E736BB} : DhcpNameServer = 68.87.85.102 68.87.69.150
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brooke\application data\mozilla\firefox\profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\brooke\application data\mozilla\firefox\profiles\w1w9f3ba.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-18 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-8-6 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-8-3 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2011-7-15 45584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2009-8-14 33280]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-7-15 439632]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-7-15 3996864]
S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-8-3 3381184]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2011-08-09 04:53:21 -------- d-----w- c:\program files\ESET
2011-08-09 04:25:42 98816 ----a-w- c:\windows\sed.exe
2011-08-09 04:25:42 518144 ----a-w- c:\windows\SWREG.exe
2011-08-09 04:25:42 256000 ----a-w- c:\windows\PEV.exe
2011-08-09 04:25:42 208896 ----a-w- c:\windows\MBR.exe
2011-08-07 17:52:29 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-07 17:52:29 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2011-08-07 17:49:16 -------- d-sha-r- C:\cmdcons
2011-08-06 06:52:47 -------- d-----w- C:\BBM
2011-08-06 06:33:16 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26:09 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09:57 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
2011-08-04 06:09:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08:35 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-04 05:34:47 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38:52 -------- d-----w- c:\documents and settings\all users\application data\Sprint
2011-07-16 21:42:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 21:42:07 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-16 18:08:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53:56 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41:16 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41:10 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41:04 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36:40 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36:20 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35:06 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34:50 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34:50 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34:18 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33:18 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32:16 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29:05 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:29:05 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:28:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28:14 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27:08 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23:53 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23:44 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22:39 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22:34 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05:01 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04:44 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04:44 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04:44 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04:44 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04:44 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04:44 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04:43 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04:43 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 17:04:43 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 03:12:14 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2011-07-16 03:02:08 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56:33 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 02:18:19 -------- d-----w- c:\windows\pss
2011-07-16 01:44:30 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:44:30 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44:30 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:41:41 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40:20 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34:48 -------- d-----w- c:\documents and settings\all users\application data\Webroot
.
==================== Find3M ====================
.
2011-08-06 06:28:25 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37:52 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34:38 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35:16 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-08 13:55:36 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 13:55:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 10:13:32.14 ===============

attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/29/2008 8:29:35 PM
System Uptime: 8/9/2011 9:59:02 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0NX907
Processor: Intel® Core™2 Duo CPU T5270 @ 1.40GHz | Microprocessor | 1396/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 146 GiB total, 59.715 GiB free.
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMOPTIARC_DVD+-RW_AD-5560A________________DD11____\4E434D303455383238363638373546433130454B
Manufacturer: (Standard CD-ROM drives)
Name: Optiarc DVD+-RW AD-5560A
PNP Device ID: IDE\CDROMOPTIARC_DVD+-RW_AD-5560A________________DD11____\4E434D303455383238363638373546433130454B
Service: cdrom
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX700 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX700 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
RP448: 4/20/2011 10:48:21 PM - System Checkpoint
RP449: 4/29/2011 12:26:20 PM - System Checkpoint
RP450: 4/30/2011 2:07:08 PM - System Checkpoint
RP451: 5/7/2011 9:40:16 AM - Software Distribution Service 3.0
RP452: 5/13/2011 7:50:00 PM - System Checkpoint
RP453: 5/18/2011 12:49:25 AM - Removed Bonjour
RP454: 5/18/2011 12:55:06 AM - Removed QuickRoute
RP455: 5/18/2011 12:55:54 AM - Installed QuickRoute
RP456: 5/18/2011 1:29:11 AM - Removed QuickRoute
RP457: 5/18/2011 1:30:43 AM - Installed QuickRoute
RP458: 5/18/2011 1:42:39 AM - Removed QuickRoute
RP459: 5/18/2011 1:44:10 AM - Installed QuickRoute
RP460: 5/19/2011 10:58:32 AM - System Checkpoint
RP461: 5/21/2011 12:03:38 PM - System Checkpoint
RP462: 5/25/2011 8:21:05 AM - System Checkpoint
RP463: 5/27/2011 10:28:40 AM - System Checkpoint
RP464: 5/28/2011 11:27:31 AM - System Checkpoint
RP465: 6/2/2011 9:08:22 AM - System Checkpoint
RP466: 6/4/2011 9:03:04 AM - System Checkpoint
RP467: 6/8/2011 10:48:01 AM - System Checkpoint
RP468: 6/9/2011 8:11:12 PM - System Checkpoint
RP469: 6/11/2011 10:31:54 AM - System Checkpoint
RP470: 6/14/2011 10:26:04 AM - System Checkpoint
RP471: 6/16/2011 10:40:41 AM - System Checkpoint
RP472: 6/18/2011 11:09:52 AM - System Checkpoint
RP473: 6/19/2011 11:50:03 AM - System Checkpoint
RP474: 6/20/2011 1:20:03 PM - System Checkpoint
RP475: 6/21/2011 9:52:39 PM - System Checkpoint
RP476: 6/23/2011 9:19:19 PM - System Checkpoint
RP477: 6/27/2011 9:51:13 PM - System Checkpoint
RP478: 6/29/2011 8:26:53 PM - System Checkpoint
RP479: 7/1/2011 9:08:17 PM - System Checkpoint
RP480: 7/5/2011 7:56:43 PM - System Checkpoint
RP481: 7/7/2011 8:50:55 AM - System Checkpoint
RP482: 7/8/2011 10:27:35 AM - System Checkpoint
RP483: 7/9/2011 11:28:19 AM - System Checkpoint
RP484: 7/12/2011 8:59:09 AM - System Checkpoint
RP485: 7/15/2011 1:34:47 PM - System Checkpoint
RP486: 7/16/2011 10:59:53 AM - Software Distribution Service 3.0
RP487: 7/16/2011 11:14:26 AM - Printer Driver Microsoft XPS Document Writer Installed
RP488: 7/16/2011 11:44:17 AM - Software Distribution Service 3.0
RP489: 7/16/2011 12:54:05 PM - Software Distribution Service 3.0
RP490: 7/16/2011 1:07:57 PM - Software Distribution Service 3.0
RP491: 7/16/2011 1:27:08 PM - Software Distribution Service 3.0
RP492: 7/16/2011 2:59:15 PM - Software Distribution Service 3.0
RP493: 7/16/2011 4:37:10 PM - NMEA Port
RP494: 7/16/2011 4:37:39 PM - Removed Sprint SmartView.
RP495: 8/7/2011 11:32:40 AM - ComboFix created restore point
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.3.0
Amazon MP3 Downloader 1.0.3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Archive Manager V.10.3
ASX to MP3 Converter 3.0.0.7 2008.11.17
Broadcom Management Programs
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MX700 series
Canon My Printer
Canon Utilities Solution Menu
CDDRV_Installer
CheckPC V.2.1
Clue
Cobian Backup 10
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
CutePDF Writer 2.7
Dell Network Assistant
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
DYMO Label Software
erLT
FastCheck (remove only)
Garmin ANT Agent
Garmin Communicator Plugin
Garmin Training Center
Garmin USB Drivers
Garmin WebUpdater
Gartrip 209a
GIMP 2.4.4
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Image Resizer Powertoy for Windows XP
Intel® Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 20
KhalInstallWrapper
Layout Manager V.10.3
Logitech SetPoint
Malwarebytes' Anti-Malware version 1.51.1.1800
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Hotmail Connector 32-bit
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox 5.0 (x86 en-US)
Mozilla Thunderbird (2.0.0.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MultiSport V.10.1
NetWaiting
Novacomd
OE2003 V.10.3
OEScore2003 V.10.3
Office Animation Runtime
OpenOffice.org 2.3
OutlookAddinSetup
OverDrive Media Console
Palm
Picasa 3
PL-2303 USB-to-Serial
Quicken 2010
QuickRoute
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
ScanSoft OmniPage SE 4
SearchAssist
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Skype Toolbars
Skype™ 5.0
Sonic Activation Module
SportTracks 2.1
SportTracks 3.0
Spybot - Search & Destroy
SpywareBlaster 4.4
SUPERAntiSpyware
TextPad 5
TextPad Lexicons
TrainingPeaks Device Agent
Trend Micro RUBotted 2.0 Beta
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Mobile Broadband Drivers
Verizon Wireless PC770 Firmware Updates
VZAccess Manager
WebFldrs XP
Webroot Software
Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.1.1
.
==== Event Viewer Messages From Past Week ========
.
8/8/2011 12:12:31 PM, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
8/7/2011 12:07:05 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
8/7/2011 11:54:46 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi IPSec MRxSmb NetBT redbook Tcpip
8/7/2011 11:54:46 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
8/7/2011 11:50:44 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
8/7/2011 11:32:25 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service has returned a service-specific error code.
8/7/2011 11:26:25 AM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
8/6/2011 12:03:29 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error: The specified driver is invalid.
8/6/2011 12:03:29 AM, error: Service Control Manager [7000] - The AFD service failed to start due to the following error: The specified driver is invalid.
8/6/2011 1:34:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Cdrom Fips Imapi intelppm IPSec MRxSmb NetBT redbook SASDIFSV SASKUTIL Tcpip
8/6/2011 1:32:07 PM, error: Service Control Manager [7034] - The Palm Novacom service terminated unexpectedly. It has done this 1 time(s).
8/6/2011 1:32:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom Imapi IPSec MRxSmb NetBT redbook Tcpip
8/6/2011 1:32:07 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
8/6/2011 1:32:07 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
8/6/2011 1:32:07 PM, error: Service Control Manager [7001] - The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error: The specified driver is invalid.
8/6/2011 1:32:07 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/6/2011 1:32:07 PM, error: Service Control Manager [7000] - The IPSEC driver service failed to start due to the following error: The specified driver is invalid.
8/5/2011 11:40:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Cdrom Fips Imapi intelppm MRxSmb NetBT redbook SASDIFSV SASKUTIL
8/5/2011 11:40:40 PM, error: Service Control Manager [7024] - The Workstation service terminated with service-specific error 2250 (0x8CA).
8/5/2011 11:40:40 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
8/5/2011 11:40:40 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/5/2011 11:39:11 PM, error: Workstation [5727] - Could not load RDR device driver.
8/5/2011 11:39:11 PM, error: Workstation [5727] - Could not load MRxSmb device driver.
8/4/2011 12:36:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips iaStor intelppm ohci1394 SASDIFSV SASKUTIL
8/4/2011 12:32:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm SASDIFSV SASKUTIL Tcpip
8/4/2011 12:32:39 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
8/4/2011 12:32:39 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
8/4/2011 12:32:39 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/4/2011 12:32:39 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/4/2011 12:32:39 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/4/2011 12:32:39 AM, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
8/4/2011 12:30:23 AM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
8/4/2011 12:27:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
8/4/2011 12:26:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/4/2011 12:26:14 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
8/4/2011 12:16:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/4/2011 12:09:46 AM, error: PlugPlayManager [11] - The device Root\LEGACY_SASKUTIL\0000 disappeared from the system without first being prepared for removal.
8/4/2011 1:36:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm NetBT SASDIFSV SASKUTIL
8/4/2011 1:36:17 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/4/2011 1:36:17 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/3/2011 11:58:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm
8/3/2011 11:57:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/3/2011 11:23:26 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
8/3/2011 10:55:30 PM, error: Service Control Manager [7000] - The Webroot Spy Sweeper Engine service failed to start due to the following error: Access is denied.
8/3/2011 10:55:27 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service WebrootSpySweeperService with arguments "" in order to run the server: {2302C9AF-7F45-4A95-94F8-575F962090AC}
8/3/2011 10:18:48 AM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:17 AM

Posted 09 August 2011 - 12:13 PM

(Last night I rebooted, tried to repair network connections in the control panel, and re-ran ComboFix -- still no internet access.)

Let's see.
If I understood this correctly, you lost the internet connection after the first run of ComboFix. You tried to repair the connection and then re-ran ComboFix.
After you did that, you ran my CFScript.

If this is the case please post the content of this log.

C:\Qoobox\ComboFix2.txt


Otherwise, if you ran ComboFix again after you ran the CFScript with ComboFix, I'd like you to post the content of these two logs:


C:\ComboFix.txt
C:\Qoobox\ComboFix3.txt


Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#9 bbrooke

bbrooke
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:17 PM

Posted 09 August 2011 - 12:51 PM

I have to admit -- I don't remember the exact sequence of events. I started the process while I was at work yesterday, until I realized I'd need internet access for some of the steps (and I didn't want to connect my infected laptop to the network at my office...).

So I started over when I got home last night. I'm 99% certain that both of the CF runs I did yesterday were done with the CF script from your previous message. C:\ComboFix.txt is the one with the latest timestamp. Sorry for the mix-up! I'm going to go ahead and post all three, in case my answer isn't making sense.


C:\ComboFix.txt 8/8/2011 22:33
C:\Qoobox\ComboFix2.txt 8/8/2011 12:32
C:\Qoobox\ComboFix3.txt 8/7/2011 12:11

#1 -- C:\ComboFix.txt 8/8/2011 22:33

ComboFix 11-08-07.03 - Brooke 08/08/2011 22:26:44.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1463 [GMT -6:00]
Running from: c:\documents and settings\Brooke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
FILE ::
"c:\windows\system32\drivers\fehgq.sys"
"c:\windows\system32\HFX342.tmp"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2011-08-06 06:52 . 2011-08-06 07:41 -------- d-----w- C:\BBM
2011-08-06 06:33 . 2011-08-06 06:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26 . 2011-08-07 17:24 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09 . 2011-08-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 06:09 . 2011-08-04 06:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08 . 2011-08-04 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-04 05:34 . 2011-08-04 05:34 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38 . 2011-07-16 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2011-07-16 21:42 . 2011-07-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 21:42 . 2011-07-16 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 18:08 . 2011-04-25 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53 . 2011-07-16 18:38 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41 . 2011-04-29 16:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41 . 2011-05-02 15:31 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:29 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:28 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\program files\Reference Assemblies
2011-07-16 17:05 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2011-07-16 17:05 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 03:12 . 2011-07-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-16 03:02 . 2011-07-16 03:02 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56 . 2011-05-16 01:04 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 01:44 . 2011-07-11 16:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44 . 2011-07-11 16:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:44 . 2011-07-11 16:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:41 . 2011-07-16 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40 . 2011-07-16 01:40 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34 . 2011-08-03 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-16 01:32 . 2011-08-06 19:39 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-08 13:55 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 13:55 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05 . 2011-05-18 07:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-25 01:13 . 2011-05-11 15:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\c_79242.nl_ ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 44560
Created time: 2011-08-04 06:26
Modified time: 2011-08-07 17:24
MD5: 5259CB265C95F8609B53523794C37A57
SHA1: A584239B92DA4B7CA9F5AE75BA5194E4A5FF2CD1
.
---- Directory of C:\b0298d37f2cddf0dd2 ----
.
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.inf
2011-07-16 17:04 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.gpd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.inf
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 147456 ------w- c:\b0298d37f2cddf0dd2\amd64\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\b0298d37f2cddf0dd2\i386\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 765440 ------w- c:\b0298d37f2cddf0dd2\i386\mxdwdrv.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\b0298d37f2cddf0dd2\i386\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 748032 ------w- c:\b0298d37f2cddf0dd2\amd64\mxdwdrv.dll
2008-07-06 23:36 . 2008-07-06 23:36 2936832 ------w- c:\b0298d37f2cddf0dd2\amd64\xpssvcs.dll
2008-06-19 17:03 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.gpd
.
---- Directory of C:\ba4ea83105f811f4f89547 ----
.
2009-03-08 20:23 . 2009-03-08 20:23 58464 ----a-w- c:\ba4ea83105f811f4f89547\update\iecustom.dll
2009-03-08 20:21 . 2009-03-08 20:21 4096 ----a-w- c:\ba4ea83105f811f4f89547\ie4uinit.exe.mui
2009-01-08 00:21 . 2009-01-08 00:21 755744 ----a-w- c:\ba4ea83105f811f4f89547\update\update.exe
2009-01-08 00:21 . 2009-01-08 00:21 382496 ----a-w- c:\ba4ea83105f811f4f89547\update\updspapi.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-04-21 . B6E13F9C120C776A89D783E26D6C15C5 . 634648 . . [7.00.6000.17098] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2011-04-21 . 3E23DBEBE1020D52C63235E4189FAC03 . 634648 . . [7.00.6000.21300] . . c:\windows\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-08-07_18.05.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-08 18:28 . 2011-08-08 18:28 16384 c:\windows\Temp\Perflib_Perfdata_808.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-08-03 1382984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-3 813584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 03:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 20:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 21:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 07:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SprintRcAppSvc"=3 (0x3)
"RoxWatch9"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Zone Five Software\\SportTracks 2.1\\SportTracks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trend Micro\\RUBotted\\RUBottedGUI.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\FastCheck\\FastCheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [8/6/2011 12:34 AM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/3/2010 10:12 PM 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/15/2011 7:44 PM 45584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [8/14/2009 10:44 AM 33280]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/15/2011 9:01 PM 439632]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/3/2011 10:17 AM 3381184]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
FF - ProfilePath - c:\documents and settings\Brooke\Application Data\Mozilla\Firefox\Profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 22:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-08 22:33:23
ComboFix-quarantined-files.txt 2011-08-09 04:33
ComboFix2.txt 2011-08-08 18:32
ComboFix3.txt 2011-08-07 18:11
.
Pre-Run: 64,106,979,328 bytes free
Post-Run: 64,091,430,912 bytes free
.
- - End Of File - - 536462084DC2419E613E2F39810D28D8

#2 -- C:\Qoobox\ComboFix2.txt 8/8/2011 12:32

ComboFix 11-08-03.03 - Brooke 08/08/2011 12:20:37.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1490 [GMT -6:00]
Running from: c:\documents and settings\Brooke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
FILE ::
"c:\windows\system32\drivers\fehgq.sys"
"c:\windows\system32\HFX342.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\HFX342.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_txbsro
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2011-08-06 06:52 . 2011-08-06 07:41 -------- d-----w- C:\BBM
2011-08-06 06:33 . 2011-08-06 06:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26 . 2011-08-07 17:24 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09 . 2011-08-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 06:09 . 2011-08-04 06:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08 . 2011-08-04 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-04 05:34 . 2011-08-04 05:34 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38 . 2011-07-16 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2011-07-16 21:42 . 2011-07-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 21:42 . 2011-07-16 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 18:08 . 2011-04-25 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53 . 2011-07-16 18:38 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41 . 2011-04-29 16:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41 . 2011-05-02 15:31 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:29 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:28 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\program files\Reference Assemblies
2011-07-16 17:05 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2011-07-16 17:05 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 03:12 . 2011-07-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-16 03:02 . 2011-07-16 03:02 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56 . 2011-05-16 01:04 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 01:44 . 2011-07-11 16:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44 . 2011-07-11 16:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:44 . 2011-07-11 16:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:41 . 2011-07-16 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40 . 2011-07-16 01:40 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34 . 2011-08-03 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-16 01:32 . 2011-08-06 19:39 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 01:52 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05 . 2011-05-18 07:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-25 01:13 . 2011-05-11 15:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\c_79242.nl_ ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 44560
Created time: 2011-08-04 06:26
Modified time: 2011-08-07 17:24
MD5: 5259CB265C95F8609B53523794C37A57
SHA1: A584239B92DA4B7CA9F5AE75BA5194E4A5FF2CD1
.
---- Directory of C:\b0298d37f2cddf0dd2 ----
.
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 72 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.ppd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.inf
2011-07-16 17:04 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsinc.gpd
2011-07-16 17:04 . 2008-06-19 05:33 2204 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.inf
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 10929 ------w- c:\b0298d37f2cddf0dd2\i386\msxpsdrv.cat
2011-07-16 17:04 . 2008-07-06 12:06 147456 ------w- c:\b0298d37f2cddf0dd2\amd64\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\b0298d37f2cddf0dd2\i386\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 765440 ------w- c:\b0298d37f2cddf0dd2\i386\mxdwdrv.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\b0298d37f2cddf0dd2\i386\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 748032 ------w- c:\b0298d37f2cddf0dd2\amd64\mxdwdrv.dll
2008-07-06 23:36 . 2008-07-06 23:36 2936832 ------w- c:\b0298d37f2cddf0dd2\amd64\xpssvcs.dll
2008-06-19 17:03 . 2008-06-19 17:03 73 ------w- c:\b0298d37f2cddf0dd2\amd64\msxpsinc.gpd
.
---- Directory of C:\ba4ea83105f811f4f89547 ----
.
2009-03-08 20:23 . 2009-03-08 20:23 58464 ----a-w- c:\ba4ea83105f811f4f89547\update\iecustom.dll
2009-03-08 20:21 . 2009-03-08 20:21 4096 ----a-w- c:\ba4ea83105f811f4f89547\ie4uinit.exe.mui
2009-01-08 00:21 . 2009-01-08 00:21 755744 ----a-w- c:\ba4ea83105f811f4f89547\update\update.exe
2009-01-08 00:21 . 2009-01-08 00:21 382496 ----a-w- c:\ba4ea83105f811f4f89547\update\updspapi.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-04-21 . B6E13F9C120C776A89D783E26D6C15C5 . 634648 . . [7.00.6000.17098] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2011-04-21 . 3E23DBEBE1020D52C63235E4189FAC03 . 634648 . . [7.00.6000.21300] . . c:\windows\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-08-07_18.05.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-08 18:28 . 2011-08-08 18:28 16384 c:\windows\Temp\Perflib_Perfdata_808.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-30 03:20 . 2011-08-08 18:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-30 03:20 . 2011-08-07 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-08-03 1382984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-3 813584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 03:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 20:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 21:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 07:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SprintRcAppSvc"=3 (0x3)
"RoxWatch9"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Zone Five Software\\SportTracks 2.1\\SportTracks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trend Micro\\RUBotted\\RUBottedGUI.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\FastCheck\\FastCheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [8/6/2011 12:34 AM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/3/2010 10:12 PM 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/15/2011 9:01 PM 439632]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/15/2011 7:44 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/3/2011 10:17 AM 3381184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [8/14/2009 10:44 AM 33280]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
FF - ProfilePath - c:\documents and settings\Brooke\Application Data\Mozilla\Firefox\Profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 12:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-08 12:32:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 18:32
ComboFix2.txt 2011-08-07 18:11
.
Pre-Run: 64,132,915,200 bytes free
Post-Run: 64,119,062,528 bytes free
.
- - End Of File - - 6CC67626EA674B61962A4DB0EA9BD971

#3 -- C:\Qoobox\ComboFix3.txt 8/7/2011 12:11

ComboFix 11-08-03.03 - Brooke 08/07/2011 11:55:53.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1660 [GMT -6:00]
Running from: c:\documents and settings\Brooke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\SET21B.tmp
c:\program files\Internet Explorer\SET21F.tmp
c:\program files\Internet Explorer\SET220.tmp
c:\windows\$NtUninstallKB25508$
c:\windows\$NtUninstallKB25508$\3440034359
c:\windows\$NtUninstallKB25508$\3785260485\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB25508$\3785260485\click.tlb
c:\windows\$NtUninstallKB25508$\3785260485\L\odetmngk
c:\windows\$NtUninstallKB25508$\3785260485\loader.tlb
c:\windows\$NtUninstallKB25508$\3785260485\U\@00000001
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000c0
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000cb
c:\windows\$NtUninstallKB25508$\3785260485\U\@000000cf
c:\windows\$NtUninstallKB25508$\3785260485\U\@80000000
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000c0
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000cb
c:\windows\$NtUninstallKB25508$\3785260485\U\@800000cf
c:\windows\system32\c_79242.nls
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-07 17:52 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-06 06:52 . 2011-08-06 07:41 -------- d-----w- C:\BBM
2011-08-06 06:33 . 2011-08-06 06:34 -------- d-----w- c:\program files\Cobian Backup 10
2011-08-04 06:26 . 2011-08-07 17:24 44560 --sha-w- c:\windows\system32\c_79242.nl_
2011-08-04 06:09 . 2011-08-04 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 06:09 . 2011-08-04 06:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-04 06:08 . 2011-08-04 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-04 05:34 . 2011-08-04 05:34 -------- d--h--w- c:\windows\PIF
2011-07-16 22:38 . 2011-07-16 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2011-07-16 21:42 . 2011-07-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 21:42 . 2011-07-16 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-16 19:06 . 2011-07-16 19:06 0 ------w- c:\windows\system32\HFX342.tmp
2011-07-16 18:08 . 2011-04-25 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-07-16 17:53 . 2011-07-16 18:38 -------- d-----w- C:\ba4ea83105f811f4f89547
2011-07-16 17:41 . 2011-04-29 16:19 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-16 17:41 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-07-16 17:41 . 2011-05-02 15:31 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-16 17:36 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-16 17:36 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-07-16 17:35 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-16 17:34 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-07-16 17:34 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-16 17:34 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-07-16 17:33 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-07-16 17:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-16 17:29 . 2010-08-27 08:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-07-16 17:29 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-07-16 17:28 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-07-16 17:28 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-07-16 17:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-07-16 17:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-07-16 17:23 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-07-16 17:22 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-07-16 17:22 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-16 17:05 . 2011-07-16 17:05 -------- d-----w- c:\program files\Reference Assemblies
2011-07-16 17:05 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-16 17:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-16 17:04 . 2011-07-16 17:05 -------- d-----w- C:\b0298d37f2cddf0dd2
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-16 17:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-16 03:12 . 2011-07-16 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-16 03:02 . 2011-07-16 03:02 -------- d-----w- c:\program files\WinPcap
2011-07-16 02:56 . 2011-05-16 01:04 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-16 01:44 . 2011-07-11 16:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-16 01:44 . 2011-07-11 16:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-16 01:44 . 2011-07-11 16:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-16 01:41 . 2011-07-16 01:41 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-16 01:40 . 2011-07-16 01:40 -------- d-----w- c:\program files\Webroot
2011-07-16 01:34 . 2011-08-03 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-16 01:32 . 2011-08-06 19:39 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 01:52 . 2010-10-02 18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-18 07:05 . 2011-05-18 07:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-25 01:13 . 2011-05-11 15:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-04-21 . B6E13F9C120C776A89D783E26D6C15C5 . 634648 . . [7.00.6000.17098] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2011-04-21 . 3E23DBEBE1020D52C63235E4189FAC03 . 634648 . . [7.00.6000.21300] . . c:\windows\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB2530548-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-08-03 1382984]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-3 813584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 03:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 20:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 21:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 07:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SprintRcAppSvc"=3 (0x3)
"RoxWatch9"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Zone Five Software\\SportTracks 2.1\\SportTracks.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Trend Micro\\RUBotted\\RUBottedGUI.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\FastCheck\\FastCheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/18/2011 6:02 PM 123264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [8/6/2011 12:34 AM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/3/2010 10:12 PM 10384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/15/2011 9:01 PM 439632]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/15/2011 7:44 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/3/2011 10:17 AM 3381184]
S0 txbsro;txbsro;c:\windows\system32\drivers\fehgq.sys --> c:\windows\system32\drivers\fehgq.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [8/14/2009 10:44 AM 33280]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080122
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
FF - ProfilePath - c:\documents and settings\Brooke\Application Data\Mozilla\Firefox\Profiles\w1w9f3ba.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.txt=TextPad.txt
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-43826423.sys
SafeBoot-82102642.sys
MSConfigStartUp-RDVCHG - c:\program files\Sprint\Sprint SmartView\RDVCHG.exe
MSConfigStartUp-Sprint SmartView - c:\program files\Sprint\Sprint SmartView\SprintSV.exe
AddRemove-GPSBabel Plugin_is1 - c:\program files\Zone Five Software\SportTracks 2.1\Plugins\GPSBabel Plugin\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 12:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.netbt]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2011-08-07 12:11:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 18:11
.
Pre-Run: 63,907,971,072 bytes free
Post-Run: 64,126,193,664 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CBB2833CC2B6EDCC4B5A45F606341213


Edited by bbrooke, 09 August 2011 - 12:52 PM.
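
An added example, not part of this thread or of ComboFix: a small Python triage pass over log lines like the ones in the report above. It flags the three patterns visible in this log: OS-era drivers under system32 rewritten in the days before the scan (ipsec, mrxsmb, redbook, netbt), a boot-start service whose driver file is missing (txbsro pointing at fehgq.sys), and dot-prefixed service keys whose ImagePath is "\*". It assumes the Find3M columns are last-modified then created, and takes the scan date from the "Rootkit scan 2011-08-07" line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log in this thread, plus
# the mbamswissarmy.sys, win32k.sys and npf.sys lines as clean contrast.
SAMPLE_LOG = r"""
2011-08-06 06:28 . 2004-08-10 18:51 301056 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-06 05:37 . 2004-08-10 18:51 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-04 07:34 . 2004-08-10 18:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-04 06:35 . 2004-08-10 18:51 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-07-07 01:52 . 2010-10-02 18:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
S0 txbsro;txbsro;c:\windows\system32\drivers\fehgq.sys --> c:\windows\system32\drivers\fehgq.sys [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ipsec]
"ImagePath"="\*"
"""
SCAN_DATE = datetime(2011, 8, 7)  # from the "Rootkit scan 2011-08-07" line

# Find3M row: "<modified> . <created> <size> <attrs> <path>". Assumption: the
# first timestamp is last-modified and the second is creation time.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r" +(\d+) +(\S+) +(.+)$")
# Service row whose image file is missing: ComboFix appends "--> <path> [?]".
MISSING_SVC_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?) --> .+ \[\?\]$")
SVC_KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"$')


def triage(log_text, scan_date, recent_days=7, min_age_days=365):
    """Return (category, detail) leads in log order. Each is something to
    hash-verify, not a conviction: Windows Update also rewrites old files."""
    findings = []
    fmt = "%Y-%m-%d %H:%M"
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = FIND3M_RE.match(line)
        if m:
            modified = datetime.strptime(m.group(1), fmt)
            created = datetime.strptime(m.group(2), fmt)
            path = m.group(5).lower()
            core = path.startswith("c:\\windows\\system32\\") and path.endswith(".sys")
            recent = scan_date - modified <= timedelta(days=recent_days)
            aged = modified - created >= timedelta(days=min_age_days)
            # An OS-era driver rewritten days before the scan is the pattern
            # behind the TDSSKiller hits on afd/ipsec/mrxsmb/netbt/redbook.
            if core and recent and aged:
                findings.append(("modified-system-driver", path))
            continue
        m = MISSING_SVC_RE.match(line)
        if m:
            findings.append(("service-missing-image", f"{m.group(2)} -> {m.group(3)}"))
            continue
        m = SVC_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current_key and m.group(1) == r"\*":
            # "\*" is not a loadable driver path; these dot-prefixed keys sit
            # beside the same drivers TDSSKiller flagged, so report the key name.
            findings.append(("service-imagepath-wildcard", current_key.rsplit("\\", 1)[1]))
    return findings
```

Hits from the first rule are exactly the files the next OTL run in this thread hashes with /md5start; the script only tells you which lines deserve that check.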


#10 bbrooke

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Female

Posted 09 August 2011 - 06:41 PM

BTW...I happened to see this in my Webroot newsfeed today -- New Tool Released: Kiss (or Kick) ZeroAccess Goodbye

I won't run that tool unless you tell me to. Just thought I'd pass it along...

Last weekend, Kaspersky TDSS Killer told me I had "Rootkit.Win32.ZAccess.c", which is the title I used in my original post. But, ComboFix tells me I have "Rootkit.ZeroAccess".

EDIT: OK, now I'm realizing that "ZAccess" and "ZeroAccess" are probably two slightly different names for the same thing... Duh. :whistle:



Edited by bbrooke, 09 August 2011 - 06:44 PM.


#11 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 10 August 2011 - 01:39 AM

Yes, I know about that tool.
I need to research why the internet connection got lost.
Let's see if we can get some more info.


EDIT: I replaced my previous instructions with these, as they bring us more information.


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath the option Extra Registry change it to Use SafeList.
  • Underneath the option File Scans set the File Age to 90 Days.
  • Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, Use No-Company Name WhiteList, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    ipsec.sys
    afd.sys
    netbt.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.*
    HKLM\System\CurrentControlset\|Services /RS
    HKLM\System\Controlset001\|Services /RS
    Ipconfig /all /c

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach OTL.txt and Extras.txt in your next reply.

Edited by heir, 10 August 2011 - 08:50 AM.
changed instructions - attach instead of pasting the logs

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#12 bbrooke

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Female

Posted 10 August 2011 - 01:07 PM

Hi,

I downloaded the OTL tool and I set the options as you specified.

I've tried running it twice and I got the same outcome both times -- the tool runs for a few minutes and then it freezes at this stage:

Scanning HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\DeviceClasses\{adb44c00-1b8d-11d4-8d5e-00a0c90d1c42}


I let it sit for a half-hour at that step both times, and it was still frozen. I eventually killed it with task manager. Since you said "the scan won't take long", I assumed this was not how it was supposed to behave.

Meanwhile, I'm leaving for work now so I started it a third time. I'll let it run all day to see if it eventually un-freezes and creates logs by the time I get home tonight...

Thanks again for your trouble-shooting work!



#13 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 10 August 2011 - 01:16 PM

Let's use an alternate custom scan. I changed a few items in the custom section.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath the option Extra Registry change it to Use SafeList.
  • Underneath the option File Scans set the File Age to 90 Days.
  • Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, Use No-Company Name WhiteList, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    ipsec.sys
    afd.sys
    netbt.sys
    redbook.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.*
    HKLM\System\CurrentControlset\Services /S
    HKLM\System\Controlset001\Services /S
    Ipconfig /all /c

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach OTL.txt and Extras.txt in your next reply.



#14 bbrooke

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Female

Posted 11 August 2011 - 03:29 PM

SUCCESS!!! I was able to run OTL with your revised set of custom scan specs.

1. Extras.txt is attached.

2. OTL.txt is too big to attach and too big to enclose in one post. I tried breaking it into smaller and smaller posts, but I was still getting the message "Your post is too long". So I gave up on that approach and posted it here: OTL-20110811.txt

Thanks again for continuing to work on this...

:thumbup2:




#15 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 11 August 2011 - 04:16 PM

There are some legit files that have been replaced.
I need you to run yet another scan with OTL. It will be a lot quicker this time (and the log smaller). :wink:


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Click the None-button.
  • Under the Custom Scan box paste this in


    /md5start
    afd.sys
    ipsec.sys
    mrxsmb.sys
    netbt.sys
    redbook.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window with OTL.Txt, saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the content of that file into your next reply.

Edited by heir, 11 August 2011 - 04:18 PM.





