
was told i have a rootkit and to post this here.


  • This topic is locked
12 replies to this topic

#1 CDpippen

CDpippen

  • Members
  • 9 posts

Posted 22 October 2011 - 12:13 AM

was told i have a rootkit and to post this here.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 0:10:42 on 2011-10-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1631 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\1533741301:183997604.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Belkin Storage Manager\StorageManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
"C:\WINDOWS\system32\svchost.exe"
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z030&form=ZGAPHP
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=c:\documents and settings\owner\local settings\application data\f5086b5b\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Belkin Storage Manager] "c:\program files\belkin storage manager\StorageManager.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{351AA089-D4D7-470B-8C2E-E0E994954C3E} : DhcpNameServer = 192.168.2.1 192.168.2.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-7-13 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-7-13 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-7-13 13616]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-8-12 91496]
S0 kvei;kvei;c:\windows\system32\drivers\rabpkklb.sys --> c:\windows\system32\drivers\rabpkklb.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
.
=============== Created Last 30 ================
.
2011-10-21 00:17:47 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-21 00:17:12 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-10-20 02:09:40 -------- d-sh--w- c:\documents and settings\owner\local settings\application data\f5086b5b
2011-10-17 01:21:53 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
2011-10-12 00:34:15 -------- d-----w- c:\documents and settings\owner\local settings\application data\Temp
2011-10-11 23:49:06 -------- d-----w- c:\documents and settings\owner\local settings\application data\Adobe
2011-10-11 23:31:20 1867904 ------w- c:\windows\system32\dllcache\win32k.sys
2011-10-11 23:30:29 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-10-08 05:22:19 -------- d--h--w- c:\windows\PIF
2011-09-30 22:47:28 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-30 22:47:28 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-30 22:47:15 -------- d-----w- c:\program files\Webcam Video Capture
2011-09-30 22:30:42 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-09-30 22:30:42 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-09-30 22:30:40 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-09-30 01:41:47 -------- d-----w- c:\program files\World of Warcraft
2011-09-30 01:41:47 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2011-09-30 01:41:38 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
2011-09-26 16:41:20 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41:14 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
2011-09-26 01:27:41 -------- d-----w- c:\program files\Windows Media Connect 2
.
==================== Find3M ====================
.
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:11:14 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:47:42 919552 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:47:42 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:47:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:52:07 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:41:46 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 13:04:33 234112 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-08-12 13:04:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-08-12 13:04:32 234112 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-08-05 17:40:58 3584 ----a-w- c:\windows\system32\drivers\umdf\zh-tw\ZuneDriver.dll.mui
2011-08-05 17:40:54 3584 ----a-w- c:\windows\system32\drivers\umdf\zh-cn\ZuneDriver.dll.mui
2011-08-05 17:40:48 6144 ----a-w- c:\windows\system32\drivers\umdf\sv-se\ZuneDriver.dll.mui
2011-08-05 17:40:42 6144 ----a-w- c:\windows\system32\drivers\umdf\ru-ru\ZuneDriver.dll.mui
2011-08-05 17:40:36 6144 ----a-w- c:\windows\system32\drivers\umdf\pt-pt\ZuneDriver.dll.mui
2011-08-05 17:40:30 6144 ----a-w- c:\windows\system32\drivers\umdf\pt-br\ZuneDriver.dll.mui
2011-08-05 17:40:26 6144 ----a-w- c:\windows\system32\drivers\umdf\pl-pl\ZuneDriver.dll.mui
2011-08-05 17:40:18 6656 ----a-w- c:\windows\system32\drivers\umdf\nl-nl\ZuneDriver.dll.mui
2011-08-05 17:40:12 5632 ----a-w- c:\windows\system32\drivers\umdf\nb-no\ZuneDriver.dll.mui
2011-08-05 17:40:08 6144 ----a-w- c:\windows\system32\drivers\umdf\ms-my\ZuneDriver.dll.mui
2011-08-05 17:40:02 4096 ----a-w- c:\windows\system32\drivers\umdf\ko-kr\ZuneDriver.dll.mui
2011-08-05 17:39:56 4608 ----a-w- c:\windows\system32\drivers\umdf\ja-jp\ZuneDriver.dll.mui
2011-08-05 17:39:52 6656 ----a-w- c:\windows\system32\drivers\umdf\it-it\ZuneDriver.dll.mui
2011-08-05 17:39:46 6144 ----a-w- c:\windows\system32\drivers\umdf\id-id\ZuneDriver.dll.mui
2011-08-05 17:39:40 6656 ----a-w- c:\windows\system32\drivers\umdf\hu-hu\ZuneDriver.dll.mui
2011-08-05 17:39:36 6144 ----a-w- c:\windows\system32\drivers\umdf\fr-fr\ZuneDriver.dll.mui
2011-08-05 17:39:30 6144 ----a-w- c:\windows\system32\drivers\umdf\fi-fi\ZuneDriver.dll.mui
2011-08-05 17:39:24 6656 ----a-w- c:\windows\system32\drivers\umdf\es-es\ZuneDriver.dll.mui
2011-08-05 17:39:18 6656 ----a-w- c:\windows\system32\drivers\umdf\el-gr\ZuneDriver.dll.mui
2011-08-05 17:39:12 6144 ----a-w- c:\windows\system32\drivers\umdf\de-de\ZuneDriver.dll.mui
2011-08-05 17:39:06 6144 ----a-w- c:\windows\system32\drivers\umdf\da-dk\ZuneDriver.dll.mui
2011-08-05 17:39:00 5632 ----a-w- c:\windows\system32\drivers\umdf\cs-cz\ZuneDriver.dll.mui
2011-08-05 17:26:34 6144 ----a-w- c:\windows\system32\drivers\umdf\en-us\ZuneDriver.dll.mui
2011-08-05 17:12:32 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
.
============= FINISH: 0:11:56.20 ===============



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 22 October 2011 - 12:22 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CDpippen

CDpippen
  • Topic Starter

  • Members
  • 9 posts

Posted 22 October 2011 - 02:46 PM

avast log


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-22 14:01:50
-----------------------------
14:01:50.812 OS Version: Windows 5.1.2600 Service Pack 3
14:01:50.812 Number of processors: 1 586 0x2F02
14:01:50.812 ComputerName: COMPUTER-3561 UserName: Owner
14:01:53.390 Initialize success
14:02:04.156 AVAST engine defs: 11102201
14:02:08.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e
14:02:08.781 Disk 0 Vendor: ST3160212A 3.AAE Size: 152627MB BusType: 3
14:02:08.812 Disk 0 MBR read successfully
14:02:08.843 Disk 0 MBR scan
14:02:08.968 Disk 0 Windows XP default MBR code
14:02:09.015 Disk 0 scanning sectors +312560640
14:02:09.171 Disk 0 scanning C:\WINDOWS\system32\drivers
14:02:17.984 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Rootkit-gen [Rtk]
14:02:33.468 Service scanning
14:02:36.625 Modules scanning
14:02:56.046 Disk 0 trace - called modules:
14:02:56.125 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
14:02:56.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d1f030]
14:03:00.703 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000060[0x89d2d980]
14:03:00.984 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-e[0x89e4b940]
14:03:03.453 AVAST engine scan C:\WINDOWS
14:03:04.359 File: C:\WINDOWS\1533741301:183997604.exe **INFECTED** Win32:Tiny-AMB [Rtk]
14:03:15.484 AVAST engine scan C:\WINDOWS\system32
14:08:18.937 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
14:10:26.312 File: C:\WINDOWS\system32\wuauclt.exe **INFECTED** Win32:Patched-WQ [Trj]
14:10:59.218 AVAST engine scan C:\WINDOWS\system32\drivers
14:11:10.265 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Rootkit-gen [Rtk]
14:11:38.687 AVAST engine scan C:\Documents and Settings\Owner
14:14:36.359 File: C:\Documents and Settings\Owner\Local Settings\Application Data\f5086b5b\U\80000000.@ **INFECTED** Win32:Malware-gen
14:14:36.890 File: C:\Documents and Settings\Owner\Local Settings\Application Data\f5086b5b\U\800000cb.@ **INFECTED** Win32:Sirefef-AO [Rtk]
14:14:37.453 File: C:\Documents and Settings\Owner\Local Settings\Application Data\f5086b5b\X **INFECTED** Win32:Sirefef-CD [Trj]
14:18:52.671 AVAST engine scan C:\Documents and Settings\All Users
14:19:13.515 Scan finished successfully
14:21:48.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
14:21:48.734 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

Attached Files

  • MBR.zip (531 bytes)
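A helper reads the DDS log in post #1 and the aswMBR log in post #3 for a handful of tell-tale line shapes: a Winlogon Shell that is not explorer.exe, Windows File Protection switched off, a running process whose name is an NTFS alternate data stream, a service whose driver file cannot be found, a hidden+system directory created under a user profile, a hosts-file redirect, and the scanner's **INFECTED** lines. The Python below is an added example, not part of this thread or of the DDS/aswMBR tools, that encodes those checks as triage rules and runs them over lines copied from the two logs; the rule names, `Finding` class and `SAMPLE_LOG` are my own constructions.

```python
"""Triage heuristics for the DDS and aswMBR logs posted in this thread
(added example; not part of the thread or of the DDS/aswMBR tools)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # heuristic that fired
    detail: str  # path or value that triggered it


# Line shapes from the DDS "Pseudo HJT", "SERVICES / DRIVERS" and
# "Created Last 30" sections and from aswMBR scan output.
RE_SHELL = re.compile(r"^[umd]Winlogon: Shell=(.+)$", re.I)
RE_SFC = re.compile(r"^[umd]Winlogon: SfcDisable=(-?\d+)", re.I)
RE_MISSING_SVC = re.compile(r"^[RS]\d \S+;[^;]*;(.+?)\s+\[\?\]\s*$")
# A drive path whose last component contains ':' names an NTFS alternate
# data stream, e.g. C:\WINDOWS\1533741301:183997604.exe in the DDS log.
RE_ADS = re.compile(r"^[a-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$", re.I)
RE_CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(\S{8})\s+(.+)$")
RE_HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
RE_INFECTED = re.compile(r"^\d\d:\d\d:\d\d\.\d+ File: (.+?) \*\*INFECTED\*\* (.+)$")


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over each line; return unique findings in log order."""
    findings: list[Finding] = []

    def add(rule: str, detail: str) -> None:
        hit = Finding(rule, detail)
        if hit not in findings:  # aswMBR lists mrxsmb.sys twice; keep one hit
            findings.append(hit)

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_SHELL.match(line):
            # The default Winlogon shell is Explorer.exe; anything else is a
            # hijack (here the Sirefef loader under f5086b5b).
            if m.group(1).strip().lower().split("\\")[-1] != "explorer.exe":
                add("shell_hijack", m.group(1).strip())
        elif m := RE_SFC.match(line):
            # Non-zero SfcDisable turns Windows File Protection off. Caveat:
            # nLite-built XP installs set -99 too, and this thread's log has an
            # nLite RunOnce entry, so weigh it together with the other findings.
            if int(m.group(1)) != 0:
                add("sfc_disabled", m.group(1))
        elif m := RE_MISSING_SVC.match(line):
            # "[?]" means DDS could not find the driver the service points at.
            add("missing_service_file", m.group(1).split(" --> ")[0])
        elif RE_ADS.match(line):
            add("ads_process", line)
        elif m := RE_CREATED.match(line):
            attrs, path = m.groups()
            # d-sh--w-: directory created with hidden+system attributes.
            if attrs[0] == "d" and "s" in attrs and "h" in attrs:
                add("hidden_system_dir", path)
        elif m := RE_HOSTS.match(line):
            ip, host = m.groups()
            # DDS prints only non-default hosts entries; a security site
            # pointed at loopback blocks updates and help sites.
            if ip in ("127.0.0.1", "0.0.0.0") and host.lower() != "localhost":
                add("hosts_redirect", f"{host} -> {ip}")
        elif m := RE_INFECTED.match(line):
            add("av_detection", f"{m.group(1)} ({m.group(2)})")
    return findings


def patched_system_files(findings: list[Finding]) -> list[str]:
    """Windows binaries aswMBR flagged as 'Patched'. These need a clean copy
    restored rather than deletion; the ComboFix log above shows the cost."""
    return [f.detail.split(" (")[0] for f in findings
            if f.rule == "av_detection" and "Patched" in f.detail]


# Constructed sample: lines copied from the DDS (post #1) and aswMBR (post #3)
# logs above, plus a few benign lines the rules should leave alone.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\1533741301:183997604.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=c:\documents and settings\owner\local settings\application data\f5086b5b\X
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
Hosts: 127.0.0.1 www.spywareinfo.com
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-8-12 91496]
S0 kvei;kvei;c:\windows\system32\drivers\rabpkklb.sys --> c:\windows\system32\drivers\rabpkklb.sys [?]
2011-10-21 00:17:47 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-20 02:09:40 -------- d-sh--w- c:\documents and settings\owner\local settings\application data\f5086b5b
14:02:17.984 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Rootkit-gen [Rtk]
14:03:04.359 File: C:\WINDOWS\1533741301:183997604.exe **INFECTED** Win32:Tiny-AMB [Rtk]
14:08:18.937 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
14:11:10.265 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Rootkit-gen [Rtk]
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.rule:22} {hit.detail}")
```

The rules only cover the DDS and aswMBR line formats; ComboFix's two-date "Files Created" lines are not parsed.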


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 22 October 2011 - 03:02 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CDpippen

CDpippen
  • Topic Starter

  • Members
  • 9 posts

Posted 22 October 2011 - 06:34 PM

ComboFix 11-10-21.06 - Owner 10/22/2011 17:57:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2144 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\logitech_eyetoy_drivers\AMCAP.EXE
c:\documents and settings\Owner\Local Settings\Application Data\f5086b5b
c:\documents and settings\Owner\Local Settings\Application Data\f5086b5b\@
c:\documents and settings\Owner\Local Settings\Application Data\f5086b5b\U\80000000.@
c:\documents and settings\Owner\Local Settings\Application Data\f5086b5b\U\800000cb.@
c:\documents and settings\Owner\Local Settings\Application Data\f5086b5b\X
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB25004$
c:\windows\$NtUninstallKB25004$\2741875793
c:\windows\$NtUninstallKB25004$\4110969691\@
c:\windows\$NtUninstallKB25004$\4110969691\L\ijhcrexr
c:\windows\$NtUninstallKB25004$\4110969691\loader.tlb
c:\windows\$NtUninstallKB25004$\4110969691\U\@00000001
c:\windows\$NtUninstallKB25004$\4110969691\U\@000000c0
c:\windows\$NtUninstallKB25004$\4110969691\U\@000000cb
c:\windows\$NtUninstallKB25004$\4110969691\U\@000000cf
c:\windows\$NtUninstallKB25004$\4110969691\U\@80000000
c:\windows\$NtUninstallKB25004$\4110969691\U\@800000c0
c:\windows\$NtUninstallKB25004$\4110969691\U\@800000cb
c:\windows\$NtUninstallKB25004$\4110969691\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system\VB40032.DLL
c:\windows\system32\
c:\windows\system32\c_21064.nls
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\program files\Java\jre6\bin\
.
c:\windows\system32\nvsvc32.exe . . . is infected!!
c:\windows\system32\nvsvc32.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Zune\ZuneBusEnum.exe was found and disinfected
Restored copy from - c:\program files\Zune\
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f5086b5b
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\xircom
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\wbem\snmp
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\oobe
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\program files\microsoft frontpage
2011-10-22 22:53 . 2011-07-15 13:29 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-22 19:44 . 2011-10-22 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-10-22 18:06 . 2011-10-22 18:06 -------- d-----w- c:\windows\system32\LogFiles
2011-10-21 00:17 . 2011-10-21 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-17 01:21 . 2011-10-17 01:21 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2011-10-16 23:17 . 2011-10-16 23:23 -------- d-----w- c:\documents and settings\Default User\Quantum.Of.Solace.2008.1080p.x264.DTS-WAFHD
2011-10-15 05:51 . 2011-10-15 05:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-10-12 00:34 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-10-11 23:51 . 2011-10-11 23:51 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-11 23:49 . 2011-10-11 23:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-10-11 23:49 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2011-10-11 23:48 . 2011-10-11 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-10-11 23:31 . 2011-09-06 13:25 1867904 ------w- c:\windows\system32\dllcache\win32k.sys
2011-10-11 23:30 . 2011-08-17 13:41 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-10-08 05:22 . 2011-10-08 05:22 -------- d--h--w- c:\windows\PIF
2011-09-30 22:47 . 2004-03-09 05:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-30 22:47 . 2004-03-09 04:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-30 22:47 . 2011-09-30 22:47 -------- d-----w- c:\program files\Webcam Video Capture
2011-09-30 22:30 . 2011-09-30 22:30 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-09-30 22:30 . 2011-09-30 23:09 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-09-30 01:41 . 2011-10-18 02:55 -------- d-----w- c:\program files\World of Warcraft
2011-09-30 01:41 . 2011-09-30 01:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2011-09-30 01:41 . 2011-09-30 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2011-09-26 16:41 . 2011-09-26 16:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
2011-09-26 01:27 . 2011-09-26 01:27 -------- d-----w- c:\program files\Windows Media Connect 2
2011-09-23 20:41 . 2011-09-23 20:41 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2009-10-08 18:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2009-10-08 18:57 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2009-10-08 18:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:11 . 2010-03-13 00:44 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25 . 2011-06-02 14:07 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-09-04 13:53 . 2011-09-02 02:07 250400 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
2011-09-04 13:52 . 2011-09-02 02:06 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-31 22:00 . 2011-08-13 05:33 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:47 . 2011-04-25 16:09 919552 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:47 . 2011-04-25 16:09 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:47 . 2006-01-03 01:10 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:52 . 2011-04-25 11:28 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:41 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 13:55 . 2011-08-12 13:55 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{C12D7D54-7DE8-4DF7-AB2D-8A5ECFB2F89B}\StorageManager.exe_C12D7D547DE84DF7AB2D8A5ECFB2F89B.exe
2011-08-05 17:40 . 2011-08-05 17:40 3584 ----a-w- c:\windows\system32\drivers\UMDF\zh-TW\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 3584 ----a-w- c:\windows\system32\drivers\UMDF\zh-CN\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\sv-SE\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\ru-RU\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pl-PL\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 5632 ----a-w- c:\windows\system32\drivers\UMDF\nb-NO\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\ms-MY\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 4096 ----a-w- c:\windows\system32\drivers\UMDF\ko-KR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 4608 ----a-w- c:\windows\system32\drivers\UMDF\ja-JP\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\id-ID\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\hu-HU\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\fi-FI\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\el-GR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\da-DK\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 5632 ----a-w- c:\windows\system32\drivers\UMDF\cs-CZ\ZuneDriver.dll.mui
2011-08-05 17:26 . 2011-08-05 17:26 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2011-08-05 17:12 . 2011-08-05 17:12 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-07-14 . F738697D2AA60AC4BA9B9DED1412D4B2 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2010-05-06 . 1F70C4A8B0BF10D83F01E3C19F22AE1C . 53240 . . [7.4.7600.229] . . c:\windows\system32\wuauclt.exe
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-22 23:53 787744 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-09-29 2647872]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-09-04 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-08-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-08-09 13925480]
"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=
"c:\\Program Files\\Runes of Magic\\Client.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\aswMBR.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9238:TCP"= 9238:TCP:BitComet 9238 TCP
"9238:UDP"= 9238:UDP:BitComet 9238 UDP
"56282:TCP"= 56282:TCP:Pando Media Booster
"56282:UDP"= 56282:UDP:Pando Media Booster
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [7/13/2011 7:56 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [7/13/2011 7:56 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [7/13/2011 7:56 PM 13616]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/12/2011 8:05 AM 91496]
S0 kvei;kvei;c:\windows\system32\drivers\rabpkklb.sys --> c:\windows\system32\drivers\rabpkklb.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [8/5/2011 12:30 PM 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1580818891-1177238915-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-12 04:27]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1580818891-1177238915-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-12 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z030&form=ZGAPHP
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-22 18:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3628)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-10-22 18:11:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-22 23:11
.
Pre-Run: 54,749,392,896 bytes free
Post-Run: 54,793,961,472 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 99AE56E5904D55C58AD7C2545AD9384F

No more problems as far as I can tell. Is it fixed?

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 22 October 2011 - 07:08 PM

Hi,

It's looking much better, but there are still some infected files on the system, so we have a little more work to do. Stick with me till I give you the all clear.

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\drivers\rabpkklb.sys

Driver::
kvei

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
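The "S0 kvei;kvei;...rabpkklb.sys --> ...rabpkklb.sys [?]" entry in the log above is the indicator the CFScript targets: a stopped boot-start service whose driver file ComboFix could not find on disk, alongside the "is missing !!" and "is infected!!" file verdicts. As an added example (not ComboFix, DDS or BleepingComputer code), this Python script picks those indicators out of ComboFix-style log lines; the sample lines are constructed to match the formats quoted in this thread.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Parses the 'Drivers/Services' lines (R0 name;display;image [stamp]) and the
file verdict lines, and reports the indicators a responder would act on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [7/13/2011 7:56 PM 13616]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/12/2011 8:05 AM 91496]
S0 kvei;kvei;c:\windows\system32\drivers\rabpkklb.sys --> c:\windows\system32\drivers\rabpkklb.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\system32\wuauclt.exe . . . is infected!!
"""

# R = running, S = stopped; the digit is the Windows start type (0 boot, 1 system,
# 2 auto, 3 demand, 4 disabled); then "name;display name;image path [stamp]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# When the image exists ComboFix appends "[date time size]"; when it does not,
# it prints "path --> path [?]".
PRESENT_RE = re.compile(r"^(?P<image>.+?)\s+\[(?P<stamp>[^\]?]+)\]$")
MISSING_IMAGE_RE = re.compile(r"^(?P<image>.+?)\s+-->\s+.+\s+\[\?\]$")
# File verdict lines: "path ... is missing !!" / "path . . . is infected!!"
VERDICT_RE = re.compile(
    r"^(?P<path>.+?\.(?:exe|dll|sys))\s*(?:\.\s*){3}is\s+(?P<verdict>missing|infected)\s*!!$",
    re.IGNORECASE,
)


@dataclass
class Service:
    state: str     # "R" running or "S" stopped
    start: str     # start type digit as printed
    name: str
    display: str
    image: str
    present: bool  # False when ComboFix printed "--> ... [?]"


@dataclass
class Finding:
    subject: str   # service name or file path
    reason: str
    line: str


def parse_service(line: str) -> Optional[Service]:
    """Return a Service for an R#/S# line, or None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m["rest"].rstrip()
    gone = MISSING_IMAGE_RE.match(rest)
    if gone:
        return Service(m["state"], m["start"], m["name"], m["display"], gone["image"], False)
    here = PRESENT_RE.match(rest)
    image = here["image"] if here else rest
    return Service(m["state"], m["start"], m["name"], m["display"], image, True)


def triage(text: str) -> List[Finding]:
    """Collect the actionable indicators from ComboFix-style log text."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc is not None:
            if not svc.present:
                reason = "service image is not on disk"
                if svc.start == "0":
                    reason += " (boot-start driver)"
                findings.append(Finding(svc.name, reason, line))
            continue
        v = VERDICT_RE.match(line)
        if v:
            verdict = v["verdict"].lower()
            findings.append(Finding(v["path"], f"ComboFix reports the file is {verdict}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.subject}: {f.reason}")
```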


#7 CDpippen
  • Topic Starter
  • Members
  • 9 posts

Posted 23 October 2011 - 02:49 PM

14:15:06.0546 2168 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
14:15:06.0984 2168 ============================================================
14:15:06.0984 2168 Current date / time: 2011/10/23 14:15:06.0984
14:15:06.0984 2168 SystemInfo:
14:15:06.0984 2168
14:15:06.0984 2168 OS Version: 5.1.2600 ServicePack: 3.0
14:15:06.0984 2168 Product type: Workstation
14:15:06.0984 2168 ComputerName: COMPUTER-3561
14:15:06.0984 2168 UserName: Owner
14:15:06.0984 2168 Windows directory: C:\WINDOWS
14:15:06.0984 2168 System windows directory: C:\WINDOWS
14:15:06.0984 2168 Processor architecture: Intel x86
14:15:06.0984 2168 Number of processors: 1
14:15:06.0984 2168 Page size: 0x1000
14:15:06.0984 2168 Boot type: Normal boot
14:15:06.0984 2168 ============================================================
14:15:07.0593 2168 Initialize success
14:15:08.0500 1760 ============================================================
14:15:08.0500 1760 Scan started
14:15:08.0500 1760 Mode: Manual;
14:15:08.0500 1760 ============================================================
14:15:09.0734 1760 Abiosdsk - ok
14:15:10.0531 1760 abp480n5 - ok
14:15:11.0375 1760 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:15:11.0375 1760 ACPI - ok
14:15:12.0218 1760 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:15:12.0218 1760 ACPIEC - ok
14:15:13.0390 1760 adpu160m - ok
14:15:14.0328 1760 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:15:14.0328 1760 aec - ok
14:15:15.0234 1760 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
14:15:15.0250 1760 AFD - ok
14:15:16.0062 1760 Aha154x - ok
14:15:16.0843 1760 aic78u2 - ok
14:15:17.0640 1760 aic78xx - ok
14:15:18.0468 1760 AliIde - ok
14:15:19.0265 1760 amsint - ok
14:15:20.0390 1760 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:15:20.0390 1760 Arp1394 - ok
14:15:21.0187 1760 asc - ok
14:15:22.0015 1760 asc3350p - ok
14:15:22.0812 1760 asc3550 - ok
14:15:23.0656 1760 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:15:23.0656 1760 AsyncMac - ok
14:15:24.0468 1760 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:15:24.0468 1760 atapi - ok
14:15:25.0296 1760 Atdisk - ok
14:15:26.0171 1760 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:15:26.0171 1760 Atmarpc - ok
14:15:27.0109 1760 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:15:27.0109 1760 audstub - ok
14:15:27.0953 1760 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:15:27.0953 1760 Beep - ok
14:15:28.0843 1760 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
14:15:28.0843 1760 Bridge - ok
14:15:28.0843 1760 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
14:15:28.0859 1760 BridgeMP - ok
14:15:28.0859 1760 catchme - ok
14:15:29.0890 1760 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:15:29.0890 1760 cbidf2k - ok
14:15:30.0828 1760 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:15:30.0828 1760 CCDECODE - ok
14:15:31.0671 1760 cd20xrnt - ok
14:15:32.0531 1760 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:15:32.0531 1760 Cdaudio - ok
14:15:33.0375 1760 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:15:33.0375 1760 Cdfs - ok
14:15:34.0203 1760 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:15:34.0203 1760 Cdrom - ok
14:15:34.0984 1760 Changer - ok
14:15:36.0093 1760 CmdIde - ok
14:15:36.0906 1760 Cpqarray - ok
14:15:37.0937 1760 dac2w2k - ok
14:15:38.0765 1760 dac960nt - ok
14:15:39.0625 1760 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
14:15:39.0625 1760 Disk - ok
14:15:40.0500 1760 dmboot (aee02de337d8e038d31630ea26286c8e) C:\WINDOWS\system32\drivers\dmboot.sys
14:15:40.0500 1760 dmboot - ok
14:15:41.0500 1760 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:15:41.0500 1760 dmio - ok
14:15:42.0328 1760 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:15:42.0328 1760 dmload - ok
14:15:43.0718 1760 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:15:43.0718 1760 DMusic - ok
14:15:44.0562 1760 dpti2o - ok
14:15:45.0390 1760 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:15:45.0390 1760 drmkaud - ok
14:15:46.0390 1760 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
14:15:46.0390 1760 exFat - ok
14:15:47.0218 1760 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:15:47.0218 1760 Fastfat - ok
14:15:48.0093 1760 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:15:48.0093 1760 Fdc - ok
14:15:48.0921 1760 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:15:48.0921 1760 Fips - ok
14:15:49.0921 1760 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:15:49.0921 1760 Flpydisk - ok
14:15:50.0796 1760 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
14:15:50.0796 1760 FltMgr - ok
14:15:51.0703 1760 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:15:51.0703 1760 Fs_Rec - ok
14:15:52.0546 1760 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:15:52.0546 1760 Ftdisk - ok
14:15:53.0375 1760 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
14:15:53.0390 1760 gameenum - ok
14:15:54.0453 1760 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:15:54.0453 1760 Gpc - ok
14:15:55.0546 1760 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:15:55.0546 1760 HDAudBus - ok
14:15:56.0453 1760 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:15:56.0453 1760 hidusb - ok
14:15:57.0328 1760 hpn - ok
14:15:58.0187 1760 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
14:15:58.0187 1760 HTTP - ok
14:15:59.0109 1760 i2omgmt - ok
14:16:00.0015 1760 i2omp - ok
14:16:00.0953 1760 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:16:00.0953 1760 i8042prt - ok
14:16:01.0828 1760 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:16:01.0828 1760 Imapi - ok
14:16:02.0656 1760 ini910u - ok
14:16:03.0468 1760 IntelIde - ok
14:16:04.0312 1760 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
14:16:04.0312 1760 Ip6Fw - ok
14:16:05.0125 1760 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:16:05.0125 1760 IpFilterDriver - ok
14:16:05.0953 1760 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:16:05.0953 1760 IpInIp - ok
14:16:06.0812 1760 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:16:06.0812 1760 IpNat - ok
14:16:07.0703 1760 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:16:07.0703 1760 IPSec - ok
14:16:08.0546 1760 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:16:08.0546 1760 IRENUM - ok
14:16:09.0453 1760 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:16:09.0453 1760 isapnp - ok
14:16:10.0468 1760 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:16:10.0468 1760 Kbdclass - ok
14:16:11.0312 1760 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:16:11.0312 1760 kbdhid - ok
14:16:12.0140 1760 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:16:12.0140 1760 kmixer - ok
14:16:13.0000 1760 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
14:16:13.0000 1760 KSecDD - ok
14:16:14.0125 1760 kvei - ok
14:16:14.0937 1760 lbrtfdc - ok
14:16:15.0765 1760 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:16:15.0765 1760 Modem - ok
14:16:16.0578 1760 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:16:16.0578 1760 Mouclass - ok
14:16:17.0390 1760 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:16:17.0390 1760 mouhid - ok
14:16:18.0203 1760 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
14:16:18.0203 1760 MountMgr - ok
14:16:19.0015 1760 mraid35x - ok
14:16:19.0828 1760 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:16:19.0828 1760 MRxDAV - ok
14:16:20.0656 1760 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:16:20.0656 1760 MRxSmb - ok
14:16:21.0515 1760 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:16:21.0515 1760 Msfs - ok
14:16:22.0343 1760 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:16:22.0359 1760 MSKSSRV - ok
14:16:23.0218 1760 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:16:23.0218 1760 MSPCLOCK - ok
14:16:24.0203 1760 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:16:24.0203 1760 MSPQM - ok
14:16:25.0046 1760 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:16:25.0062 1760 mssmbios - ok
14:16:25.0875 1760 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
14:16:25.0875 1760 MSTEE - ok
14:16:26.0781 1760 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
14:16:26.0781 1760 Mup - ok
14:16:27.0625 1760 mv61xxmm (75b85f6a5cdccb602ec98e0d37ccc072) C:\WINDOWS\system32\drivers\mv61xxmm.sys
14:16:27.0625 1760 mv61xxmm - ok
14:16:28.0421 1760 mv64xxmm (6090786daa545a3ec7d34a46a8cd1661) C:\WINDOWS\system32\drivers\mv64xxmm.sys
14:16:28.0421 1760 mv64xxmm - ok
14:16:29.0343 1760 mvxxmm (76e142ad8eca91493467d5a17ef53b53) C:\WINDOWS\system32\drivers\mvxxmm.sys
14:16:29.0343 1760 mvxxmm - ok
14:16:30.0265 1760 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:16:30.0265 1760 NABTSFEC - ok
14:16:31.0093 1760 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:16:31.0093 1760 NDIS - ok
14:16:31.0906 1760 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:16:31.0906 1760 NdisIP - ok
14:16:32.0765 1760 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:16:32.0765 1760 NdisTapi - ok
14:16:33.0609 1760 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:16:33.0609 1760 Ndisuio - ok
14:16:34.0453 1760 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:16:34.0453 1760 NdisWan - ok
14:16:35.0312 1760 NDProxy (816460bd4b4acd27937d1d0813e2e9e9) C:\WINDOWS\system32\drivers\NDProxy.sys
14:16:35.0312 1760 NDProxy - ok
14:16:36.0140 1760 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:16:36.0140 1760 NetBIOS - ok
14:16:37.0000 1760 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:16:37.0000 1760 NetBT - ok
14:16:38.0156 1760 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:16:38.0156 1760 NIC1394 - ok
14:16:39.0000 1760 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:16:39.0000 1760 Npfs - ok
14:16:39.0859 1760 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
14:16:39.0875 1760 Ntfs - ok
14:16:41.0078 1760 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
14:16:41.0078 1760 NuidFltr - ok
14:16:41.0921 1760 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:16:41.0921 1760 Null - ok
14:16:43.0109 1760 nv (9f30a816039fd2167918e33263e54fe9) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:16:43.0187 1760 nv - ok
14:16:44.0062 1760 NVENETFD (c61927d27b75ed56723f2508f1a6b1be) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
14:16:44.0062 1760 NVENETFD - ok
14:16:44.0906 1760 nvgts (52dce3b30c9d61c8e20fe3c6da4bdfb7) C:\WINDOWS\system32\DRIVERS\nvgts.sys
14:16:44.0906 1760 nvgts - ok
14:16:45.0734 1760 NVHDA (049aa7021e5406e77f3535be66635b74) C:\WINDOWS\system32\drivers\nvhda32.sys
14:16:45.0734 1760 NVHDA - ok
14:16:46.0546 1760 nvnetbus (c529b614ef88be0f62b886c67b516550) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
14:16:46.0546 1760 nvnetbus - ok
14:16:47.0359 1760 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:16:47.0359 1760 NwlnkFlt - ok
14:16:48.0171 1760 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:16:48.0187 1760 NwlnkFwd - ok
14:16:49.0000 1760 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:16:49.0000 1760 ohci1394 - ok
14:16:49.0828 1760 ovt519 (4cdadec3dc1300ee1d313ea5494e6472) C:\WINDOWS\system32\Drivers\ov519vid.sys
14:16:49.0828 1760 ovt519 - ok
14:16:50.0671 1760 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys
14:16:50.0671 1760 P16X - ok
14:16:51.0515 1760 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
14:16:51.0515 1760 Parport - ok
14:16:52.0375 1760 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:16:52.0375 1760 PartMgr - ok
14:16:53.0187 1760 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:16:53.0187 1760 ParVdm - ok
14:16:54.0000 1760 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:16:54.0000 1760 PCI - ok
14:16:54.0843 1760 PCIDump - ok
14:16:55.0671 1760 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:16:55.0671 1760 PCIIde - ok
14:16:56.0515 1760 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:16:56.0515 1760 Pcmcia - ok
14:16:57.0375 1760 PDCOMP - ok
14:16:58.0203 1760 PDFRAME - ok
14:16:59.0015 1760 PDRELI - ok
14:16:59.0828 1760 PDRFRAME - ok
14:17:00.0640 1760 perc2 - ok
14:17:01.0453 1760 perc2hib - ok
14:17:02.0312 1760 Point32 (e5582e43e167cf367757d81e9727da2a) C:\WINDOWS\system32\DRIVERS\point32.sys
14:17:02.0312 1760 Point32 - ok
14:17:03.0140 1760 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:17:03.0140 1760 PptpMiniport - ok
14:17:03.0953 1760 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
14:17:03.0953 1760 Processor - ok
14:17:04.0781 1760 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
14:17:04.0781 1760 PSched - ok
14:17:05.0578 1760 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:17:05.0578 1760 Ptilink - ok
14:17:06.0421 1760 ql1080 - ok
14:17:07.0250 1760 Ql10wnt - ok
14:17:08.0062 1760 ql12160 - ok
14:17:08.0890 1760 ql1240 - ok
14:17:09.0703 1760 ql1280 - ok
14:17:10.0531 1760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:17:10.0531 1760 RasAcd - ok
14:17:11.0328 1760 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:17:11.0328 1760 Rasl2tp - ok
14:17:12.0171 1760 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:17:12.0171 1760 RasPppoe - ok
14:17:13.0000 1760 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:17:13.0000 1760 Raspti - ok
14:17:13.0828 1760 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:17:13.0828 1760 Rdbss - ok
14:17:14.0656 1760 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:17:14.0656 1760 RDPCDD - ok
14:17:15.0484 1760 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:17:15.0500 1760 rdpdr - ok
14:17:16.0328 1760 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
14:17:16.0328 1760 RDPWD - ok
14:17:17.0156 1760 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:17:17.0156 1760 redbook - ok
14:17:18.0000 1760 RsFx0102 (fedd2710b75be3ecf078adace790c423) C:\WINDOWS\system32\DRIVERS\RsFx0102.sys
14:17:18.0000 1760 RsFx0102 - ok
14:17:18.0812 1760 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
14:17:18.0812 1760 rspndr - ok
14:17:19.0640 1760 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:17:19.0640 1760 Secdrv - ok
14:17:20.0484 1760 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:17:20.0484 1760 Serial - ok
14:17:21.0343 1760 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:17:21.0343 1760 Sfloppy - ok
14:17:22.0156 1760 Simbad - ok
14:17:22.0984 1760 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
14:17:22.0984 1760 SLIP - ok
14:17:23.0796 1760 Sparrow - ok
14:17:24.0625 1760 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:17:24.0625 1760 splitter - ok
14:17:25.0484 1760 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:17:25.0484 1760 sr - ok
14:17:26.0328 1760 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
14:17:26.0328 1760 Srv - ok
14:17:27.0171 1760 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
14:17:27.0171 1760 streamip - ok
14:17:28.0000 1760 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:17:28.0000 1760 swenum - ok
14:17:28.0828 1760 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:17:28.0828 1760 swmidi - ok
14:17:29.0671 1760 symc810 - ok
14:17:30.0484 1760 symc8xx - ok
14:17:31.0328 1760 sym_hi - ok
14:17:32.0125 1760 sym_u3 - ok
14:17:32.0953 1760 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:17:32.0953 1760 sysaudio - ok
14:17:33.0796 1760 Tcpip (f738697d2aa60ac4ba9b9ded1412d4b2) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:17:33.0796 1760 Tcpip - ok
14:17:34.0640 1760 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:17:34.0640 1760 TDPIPE - ok
14:17:35.0484 1760 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
14:17:35.0484 1760 TDTCP - ok
14:17:36.0296 1760 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:17:36.0296 1760 TermDD - ok
14:17:37.0125 1760 TosIde - ok
14:17:37.0968 1760 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:17:37.0968 1760 Udfs - ok
14:17:38.0781 1760 ultra - ok
14:17:39.0640 1760 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:17:39.0640 1760 Update - ok
14:17:40.0484 1760 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
14:17:40.0484 1760 usbaudio - ok
14:17:41.0296 1760 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:17:41.0296 1760 usbccgp - ok
14:17:42.0109 1760 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:17:42.0109 1760 usbehci - ok
14:17:42.0968 1760 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:17:42.0968 1760 usbhub - ok
14:17:43.0796 1760 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:17:43.0796 1760 usbohci - ok
14:17:44.0625 1760 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:17:44.0625 1760 usbstor - ok
14:17:45.0453 1760 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:17:45.0453 1760 VgaSave - ok
14:17:46.0250 1760 ViaIde - ok
14:17:47.0093 1760 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:17:47.0093 1760 VolSnap - ok
14:17:47.0937 1760 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:17:47.0937 1760 Wanarp - ok
14:17:48.0750 1760 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:17:48.0765 1760 Wdf01000 - ok
14:17:49.0578 1760 WDICA - ok
14:17:50.0406 1760 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:17:50.0406 1760 wdmaud - ok
14:17:51.0281 1760 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
14:17:51.0281 1760 WinUSB - ok
14:17:52.0156 1760 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
14:17:52.0156 1760 WSTCODEC - ok
14:17:53.0000 1760 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:17:53.0000 1760 WudfPf - ok
14:17:53.0828 1760 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:17:53.0843 1760 WudfRd - ok
14:17:54.0734 1760 zumbus (ae279cd76b38fc079eec3ca6d65a5926) C:\WINDOWS\system32\DRIVERS\zumbus.sys
14:17:54.0734 1760 zumbus - ok
14:17:54.0796 1760 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:17:54.0906 1760 \Device\Harddisk0\DR0 - ok
14:17:54.0921 1760 Boot (0x1200) (560b1613cc22c3ea487aa1b310185670) \Device\Harddisk0\DR0\Partition0
14:17:54.0921 1760 \Device\Harddisk0\DR0\Partition0 - ok
14:17:54.0921 1760 ============================================================
14:17:54.0921 1760 Scan finished
14:17:54.0937 1760 ============================================================
14:17:54.0953 2280 Detected object count: 0
14:17:54.0953 2280 Actual detected object count: 0

ComboFix 11-10-23.01 - Owner 10/23/2011 14:21:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2000 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_kvei
.
.
((((((((((((((((((((((((( Files Created from 2011-09-23 to 2011-10-23 )))))))))))))))))))))))))))))))
.
.
2011-10-23 19:11 . 2011-10-23 19:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\xircom
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\wbem\snmp
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\oobe
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\program files\microsoft frontpage
2011-10-22 22:53 . 2011-07-15 13:29 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-22 19:44 . 2011-10-22 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-10-22 18:06 . 2011-10-22 18:06 -------- d-----w- c:\windows\system32\LogFiles
2011-10-21 00:17 . 2011-10-21 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-17 01:21 . 2011-10-17 01:21 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2011-10-16 23:17 . 2011-10-16 23:23 -------- d-----w- c:\documents and settings\Default User\Quantum.Of.Solace.2008.1080p.x264.DTS-WAFHD
2011-10-15 05:51 . 2011-10-15 05:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-10-12 00:34 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-10-11 23:51 . 2011-10-11 23:51 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-11 23:49 . 2011-10-11 23:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-10-11 23:49 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2011-10-11 23:48 . 2011-10-11 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-10-11 23:31 . 2011-09-06 13:25 1867904 ------w- c:\windows\system32\dllcache\win32k.sys
2011-10-11 23:30 . 2011-08-17 13:41 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-10-08 05:22 . 2011-10-08 05:22 -------- d--h--w- c:\windows\PIF
2011-09-30 22:47 . 2004-03-09 05:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-30 22:47 . 2004-03-09 04:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 October 2011 - 03:11 PM

Hi,

That looks like a portion of the log was cut off.

That's OK, we need to look for a file right now.

One of your core files is still infected, so let's find a replacement.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *wuauclt*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 CDpippen
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2011 - 06:37 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:35 on 27/10/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "*wuauclt*"
C:\WINDOWS\system32\wuauclt.exe --a---- 53240 bytes [01:10 03/01/2006] [16:17 06/05/2010] 1F70C4A8B0BF10D83F01E3C19F22AE1C
C:\WINDOWS\system32\wuauclt1.exe --a---- 172504 bytes [01:10 03/01/2006] [00:28 30/10/2006] 09201D6BAEF7984633270D347B5C215E

-= EOF =-

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 October 2011 - 07:01 PM

Hi,

You don't have an alternative on your system, so we need to download a new one.

Download and save the latest version of the Windows Update Agent (wuauclt.exe)

http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe

Now navigate to C:\WINDOWS\system32\wuauclt.exe, which is the infected file > right-click it and choose "rename" > rename it to

wuauclt.exe.vir

Now navigate back to the file you just downloaded > double-click the icon to install it.

Now please reboot your computer, then re-run ComboFix (allow it to update if it asks to do so).

Post the resulting log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
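The two checks CatByte asks for in posts #8 and #10, as an added example that is not part of the original thread and not code from SystemLook or ComboFix: a filefind-style listing of every wuauclt* file with size, mtime and MD5, the test of whether any of those files is a usable clean copy (only an exact hash match against a known-good reference counts; the wuauclt1.exe in the SystemLook output is a different binary, not a backup), and the repair step of renaming the infected file to .vir before writing a hash-verified replacement in its place. Everything in it is constructed: the file contents are stand-in byte strings, KNOWN_GOOD is a hypothetical reference set rather than a real wuauclt.exe hash, and the directory tree is a temporary one, so it runs offline on any OS.

```python
"""Added example, not code from the thread or from SystemLook/ComboFix:
a SystemLook-style ":filefind" (name match, size, mtime, MD5), the decision
made in post #10 (is any same-named file a usable clean copy?), and the
post's repair step (rename the infected file to .vir, install a verified
replacement). Every path, byte string and reference hash below is
constructed for the demo; no real wuauclt.exe hash is used."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-ins for file contents (not real PE images).
INFECTED_BYTES = b"MZ\x90\x00 constructed infected wuauclt.exe stand-in"
OTHER_BYTES = b"MZ\x90\x00 constructed unrelated wuauclt1.exe stand-in"
CLEAN_BYTES = b"MZ\x90\x00 constructed clean wuauclt.exe stand-in"

# Hypothetical reference set: in practice this would be the vendor-published
# hash of the exact Windows Update Agent build you are installing.
KNOWN_GOOD = {hashlib.md5(CLEAN_BYTES).hexdigest().upper()}


def md5_of(path):
    """MD5 of a file, uppercase hex as SystemLook prints it (chunked read)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def filefind(root, pattern):
    """Walk root and report every file whose name matches the glob pattern
    (case-insensitive, as Windows name lookup is) with size, mtime and MD5."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                hits.append({
                    "path": path,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                    "md5": md5_of(path),
                })
    return sorted(hits, key=lambda h: h["path"])


def find_clean_copy(hits, known_good):
    """Return the first hit whose MD5 is in known_good, else None.
    A similarly named file with a different size/hash (wuauclt1.exe in the
    thread) is not a replacement; only an exact hash match counts."""
    for h in hits:
        if h["md5"] in known_good:
            return h
    return None


def quarantine_and_replace(infected, replacement_bytes, known_good):
    """Rename the infected file to <name>.vir (kept for analysis and rollback;
    the changed extension stops it running on a double-click), then write the
    replacement only after its hash is verified against known_good."""
    digest = hashlib.md5(replacement_bytes).hexdigest().upper()
    if digest not in known_good:
        raise ValueError("replacement hash %s is not known-good; refusing to install" % digest)
    quarantined = infected + ".vir"
    os.replace(infected, quarantined)
    with open(infected, "wb") as f:
        f.write(replacement_bytes)
    return quarantined


def demo(root=None):
    """Build a constructed WINDOWS\\system32 tree in a temp dir, run the
    checks, repair it, and return the observations."""
    root = root or tempfile.mkdtemp(prefix="filefind_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32, exist_ok=True)
    infected = os.path.join(sys32, "wuauclt.exe")
    with open(infected, "wb") as f:
        f.write(INFECTED_BYTES)
    with open(os.path.join(sys32, "wuauclt1.exe"), "wb") as f:
        f.write(OTHER_BYTES)

    before = filefind(root, "*wuauclt*")                 # two hits, as in the log
    clean_before = find_clean_copy(before, KNOWN_GOOD)   # None: no local clean copy
    quarantined = quarantine_and_replace(infected, CLEAN_BYTES, KNOWN_GOOD)
    after = filefind(root, "*wuauclt*")                  # the .vir file still matches
    return {
        "hits_before": len(before),
        "clean_copy_before": clean_before,
        "quarantined": quarantined,
        "md5_after": md5_of(infected),
        "hits_after": len(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it as a script to see the observations. Note that a second filefind pass still reports the quarantined .vir file, which is why a later SystemLook or ComboFix run keeps listing it until it is deleted. MD5 is used only because that is the hash SystemLook and ComboFix print; for a real reference comparison prefer SHA-256 and, where the platform supports it, an Authenticode signature check, since MD5 collisions are practical.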


#11 CDpippen
  • Topic Starter

  • Members
  • 9 posts

Posted 28 October 2011 - 12:26 AM

ComboFix 11-10-28.01 - Owner 10/28/2011 0:17.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1913 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\logitech_eyetoy_drivers\AMCAP.EXE
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-28 )))))))))))))))))))))))))))))))
.
.
2011-10-28 05:04 . 2009-08-07 00:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-10-25 23:28 . 2011-10-25 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2011-10-25 23:28 . 2011-10-25 23:28 -------- d-----w- c:\documents and settings\Owner\Application Data\ProgSense
2011-10-25 23:28 . 2011-10-27 23:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\OpenCandy
2011-10-25 23:28 . 2011-10-25 23:28 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenCandy
2011-10-25 23:28 . 2011-10-28 05:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2011-10-25 23:28 . 2011-10-25 23:28 -------- d-----w- c:\program files\Orbitdownloader
2011-10-25 03:35 . 2011-10-25 03:35 -------- d-----w- C:\47ce5742d8c97257c5e2a0750dfc6f01
2011-10-24 23:40 . 2011-09-02 18:03 730192 ----a-w- c:\program files\Common Files\ZugoInstaller.exe
2011-10-24 23:40 . 2011-10-24 23:40 -------- d-----w- c:\program files\Free YouTube Downloader
2011-10-24 03:33 . 2011-10-28 05:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2011-10-24 03:33 . 2011-10-24 03:34 -------- d-----r- c:\program files\Skype
2011-10-24 03:33 . 2011-10-24 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-10-23 19:11 . 2011-10-23 19:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\xircom
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\wbem\snmp
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\windows\system32\oobe
2011-10-22 23:05 . 2011-10-22 23:05 -------- d-----w- c:\program files\microsoft frontpage
2011-10-22 22:53 . 2011-07-15 13:29 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-22 19:44 . 2011-10-22 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-10-22 18:06 . 2011-10-22 18:06 -------- d-----w- c:\windows\system32\LogFiles
2011-10-21 00:17 . 2011-10-21 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-17 01:21 . 2011-10-17 01:21 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2011-10-16 23:17 . 2011-10-16 23:23 -------- d-----w- c:\documents and settings\Default User\Quantum.Of.Solace.2008.1080p.x264.DTS-WAFHD
2011-10-15 05:51 . 2011-10-15 05:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-10-12 00:34 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-10-11 23:51 . 2011-10-11 23:51 -------- d-----w- c:\program files\Common Files\Adobe
2011-10-11 23:49 . 2011-10-11 23:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-10-11 23:49 . 2011-10-12 00:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2011-10-11 23:48 . 2011-10-11 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-10-11 23:31 . 2011-09-06 13:25 1867904 ------w- c:\windows\system32\dllcache\win32k.sys
2011-10-11 23:30 . 2011-08-17 13:41 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-10-08 05:22 . 2011-10-08 05:22 -------- d--h--w- c:\windows\PIF
2011-09-30 22:47 . 2004-03-09 05:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-30 22:47 . 2004-03-09 04:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-30 22:47 . 2011-09-30 22:47 -------- d-----w- c:\program files\Webcam Video Capture
2011-09-30 22:30 . 2011-09-30 22:30 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-09-30 22:30 . 2011-09-30 23:09 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-09-30 01:41 . 2011-10-24 08:20 -------- d-----w- c:\program files\World of Warcraft
2011-09-30 01:41 . 2011-09-30 01:42 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2011-09-30 01:41 . 2011-09-30 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2009-10-08 18:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2009-10-08 18:57 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2009-10-08 18:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:11 . 2010-03-13 00:44 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25 . 2011-06-02 14:07 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-09-04 13:53 . 2011-09-02 02:07 250400 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
2011-09-04 13:52 . 2011-09-02 02:06 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-31 22:00 . 2011-08-13 05:33 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:47 . 2011-04-25 16:09 919552 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:47 . 2011-04-25 16:09 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:47 . 2006-01-03 01:10 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:52 . 2011-04-25 11:28 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:41 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 13:55 . 2011-08-12 13:55 65536 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{C12D7D54-7DE8-4DF7-AB2D-8A5ECFB2F89B}\StorageManager.exe_C12D7D547DE84DF7AB2D8A5ECFB2F89B.exe
2011-08-05 17:40 . 2011-08-05 17:40 3584 ----a-w- c:\windows\system32\drivers\UMDF\zh-TW\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 3584 ----a-w- c:\windows\system32\drivers\UMDF\zh-CN\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\sv-SE\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\ru-RU\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\pl-PL\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 5632 ----a-w- c:\windows\system32\drivers\UMDF\nb-NO\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 6144 ----a-w- c:\windows\system32\drivers\UMDF\ms-MY\ZuneDriver.dll.mui
2011-08-05 17:40 . 2011-08-05 17:40 4096 ----a-w- c:\windows\system32\drivers\UMDF\ko-KR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 4608 ----a-w- c:\windows\system32\drivers\UMDF\ja-JP\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\id-ID\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\hu-HU\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\fi-FI\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6656 ----a-w- c:\windows\system32\drivers\UMDF\el-GR\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 6144 ----a-w- c:\windows\system32\drivers\UMDF\da-DK\ZuneDriver.dll.mui
2011-08-05 17:39 . 2011-08-05 17:39 5632 ----a-w- c:\windows\system32\drivers\UMDF\cs-CZ\ZuneDriver.dll.mui
2011-08-05 17:26 . 2011-08-05 17:26 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2011-08-05 17:12 . 2011-08-05 17:12 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-07-14 . F738697D2AA60AC4BA9B9DED1412D4B2 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-10-22_23.06.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-28 05:08 . 2011-10-28 05:08 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2011-08-12 15:41 . 2008-04-14 08:42 53760 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2009-11-27 17:23 . 2009-11-27 22:23 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2009-11-27 16:28 . 2009-11-27 21:28 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Web.RegularExpressions.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Drawing.Design.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Configuration.Install.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Vsa.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.VisualBasic.Vsa.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Build.Utilities.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Build.Framework.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\ISymWrapper.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\IEHost.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 69120 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\CustomMarshalers.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\cscompmgd.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Accessibility.dll
+ 2011-10-25 03:35 . 2011-10-25 03:35 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2011-10-17 02:17 . 2011-10-17 02:17 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2011-10-17 02:19 . 2011-10-17 02:19 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-11-27 16:28 . 2009-11-27 21:28 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2006-01-03 16:22 . 2008-04-14 08:41 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 7168 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft_VsaVb.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 5632 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.VisualC.Dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 6656 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\IIEHost.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 8192 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\IEExecRemote.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-10-17 02:19 . 2011-10-17 02:19 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-04-13 22:46 . 2008-04-14 03:46 141056 c:\windows\system32\dllcache\ks.sys
+ 2011-10-25 03:36 . 2008-07-25 15:17 839680 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Web.Services.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 835584 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Web.Mobile.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 261632 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Transactions.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 114688 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.ServiceProcess.dll
+ 2011-10-25 03:36 . 2010-02-09 16:22 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Security.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 131072 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 303104 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Runtime.Remoting.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Messaging.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Management.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 113664 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.EnterpriseServices.Wrapper.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.EnterpriseServices.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 626688 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Drawing.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 188416 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.DirectoryServices.Protocols.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 401408 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.DirectoryServices.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 970752 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Deployment.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 745472 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Data.SqlXml.dll
+ 2011-10-25 03:36 . 2008-11-25 08:59 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Data.OracleClient.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 425984 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.configuration.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\sysglobl.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 659456 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.VisualBasic.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 372736 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.VisualBasic.Compatibility.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 110592 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 749568 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.JScript.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 655360 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Build.Tasks.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 348160 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\Microsoft.Build.Engine.dll
+ 2011-10-25 03:36 . 2008-07-25 15:16 507904 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\AspNetMMCExt.dll
+ 2011-10-24 03:33 . 2011-10-24 03:33 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
- 2011-08-14 20:19 . 2011-08-14 20:19 325960 c:\windows\FLV Player\lua5.1.dll
+ 2011-08-14 20:19 . 2011-10-25 23:25 325960 c:\windows\FLV Player\lua5.1.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-10-25 03:36 . 2008-11-25 08:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.XML.dll
+ 2011-10-25 03:36 . 2011-03-25 10:15 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Windows.Forms.dll
+ 2011-10-25 03:36 . 2011-04-29 02:50 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 5062656 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Design.dll
+ 2011-10-25 03:36 . 2008-07-25 15:17 2933248 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.Data.dll
+ 2011-10-25 03:36 . 2011-07-07 10:18 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\mscorlib.dll
+ 2008-12-13 14:57 . 2008-12-13 14:57 8397824 c:\windows\Installer\6e4949b.msp
+ 2009-07-27 09:31 . 2009-07-27 09:31 3738624 c:\windows\Installer\6e49499.msp
+ 2011-07-27 12:39 . 2011-07-27 12:39 9892352 c:\windows\Installer\6e49491.msp
+ 2010-11-21 04:33 . 2010-11-21 04:33 1980928 c:\windows\Installer\6e49489.msp
+ 2011-04-29 17:30 . 2011-04-29 17:30 1197056 c:\windows\Installer\6e49481.msp
+ 2011-10-25 23:28 . 2011-10-25 23:28 3569152 c:\windows\Installer\2bb0e4.msi
+ 2011-10-24 03:34 . 2011-10-24 03:34 1252864 c:\windows\Installer\1bcd403.msi
+ 2011-10-24 03:33 . 2011-10-24 03:33 1527808 c:\windows\Installer\1bcd3fe.msi
+ 2009-04-02 19:35 . 2009-04-02 19:35 1787216 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6425\PPCNV.DLL
+ 2009-02-05 16:36 . 2009-02-05 16:36 1640800 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6425\OGL.DLL
+ 2011-08-14 20:19 . 2011-10-25 23:25 1344736 c:\windows\FLV Player\uninstall.exe
- 2011-08-14 20:19 . 2011-08-14 20:19 1344736 c:\windows\FLV Player\uninstall.exe
+ 2011-10-25 03:36 . 2011-10-25 03:36 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-10-25 03:36 . 2011-10-25 03:36 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2006-01-03 01:22 . 2011-10-17 02:19 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-04-03 23:46 . 2009-04-03 23:46 17314688 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6425\MSO.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-22 23:53 787744 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-09-29 2647872]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-09-04 3077528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-08-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-08-09 13925480]
"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2011-10-25 1843000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=
"c:\\Program Files\\Runes of Magic\\Client.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\aswMBR.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9238:TCP"= 9238:TCP:BitComet 9238 TCP
"9238:UDP"= 9238:UDP:BitComet 9238 UDP
"56282:TCP"= 56282:TCP:Pando Media Booster
"56282:UDP"= 56282:UDP:Pando Media Booster
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [7/13/2011 7:56 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [7/13/2011 7:56 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [7/13/2011 7:56 PM 13616]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/12/2011 8:05 AM 91496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [8/5/2011 12:30 PM 268512]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1580818891-1177238915-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-12 04:27]
.
2011-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1580818891-1177238915-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-12 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z030&form=ZGAPHP
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-28 00:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-10-28 00:24:43
ComboFix-quarantined-files.txt 2011-10-28 05:24
ComboFix2.txt 2011-10-23 19:33
ComboFix3.txt 2011-10-22 23:11
.
Pre-Run: 53,619,904,512 bytes free
Post-Run: 53,614,788,608 bytes free
.
- - End Of File - - 854C92F110CEA7470D232ABD948E305F

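The `+`/`-` snapshot section in the log above is easier to read mechanically than by eye: each line is `<+|-> <created> . <modified> <size> <path>`, `+` is the current ComboFix snapshot and `-` the previous one, so a `-`/`+` pair for one path is a file that changed between runs. The following Python script is an added example for this thread, not a ComboFix feature and not posted by anyone in it. It parses those lines, pairs them by path, separates same-size timestamp refreshes (the .NET GAC churn that fills most of this log) from files that appeared or changed elsewhere, and flags `+` entries whose created time is later than their modified time. The servicing-directory allow-list and the "created after modified" heuristic are the example's own assumptions; the sample lines are copied from the snapshot section above.

```python
"""Triage the '+'/'-' file snapshot section of a ComboFix log (added example).

Each snapshot line reads  <+|-> <created> . <modified> <size> <path>; '+' is the
current snapshot, '-' the previous one, so a -/+ pair is one file that changed.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

SNAPSHOT_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$"
)
# Trees churned by ordinary .NET/Office servicing (an assumption for the
# review heuristic below, not a ComboFix rule).
SERVICING_PREFIXES = ("c:\\windows\\assembly\\", "c:\\windows\\microsoft.net\\",
                      "c:\\windows\\installer\\")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx")

# path is lower-cased so the '-' and '+' sides of a pair compare equal
Entry = namedtuple("Entry", "sign created modified size path")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_snapshot(log_text):
    """Return an Entry per snapshot line; banners, '.' and other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = SNAPSHOT_RE.match(raw.strip())
        if m:
            sign, created, modified, size, path = m.groups()
            entries.append(Entry(sign, _ts(created), _ts(modified), int(size), path.lower()))
    return entries


def classify(entries):
    """Map path -> added / removed / replaced_same_size / replaced_size_changed / unchanged."""
    sides = defaultdict(dict)
    for e in entries:
        sides[e.path][e.sign] = e
    verdict = {}
    for path, pair in sides.items():
        new, old = pair.get("+"), pair.get("-")
        if old is None:
            verdict[path] = "added"
        elif new is None:
            verdict[path] = "removed"
        elif new.size != old.size:
            verdict[path] = "replaced_size_changed"
        elif (new.modified, new.created) != (old.modified, old.created):
            verdict[path] = "replaced_same_size"   # same length, new timestamps
        else:
            verdict[path] = "unchanged"
    return verdict


def copied_in(entries):
    """Current-snapshot paths whose created time is later than their modified time.

    The bytes pre-date their placement on this volume: the file was copied or
    extracted here with its original timestamp preserved. Normal for installers,
    but also how a dropped payload looks, so it is worth a glance.
    """
    return sorted(e.path for e in entries if e.sign == "+" and e.created > e.modified)


def review_candidates(entries):
    """Executables that appeared or changed outside the servicing trees (heuristic)."""
    return sorted(
        path for path, what in classify(entries).items()
        if what in ("added", "replaced_same_size", "replaced_size_changed")
        and path.endswith(EXECUTABLE_SUFFIXES)
        and not path.startswith(SERVICING_PREFIXES)
    )


# Constructed sample: lines copied from the snapshot section of the log above.
SAMPLE = r"""
+ 2011-10-25 03:36 . 2011-10-25 03:36 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-17 02:19 . 2011-10-17 02:19 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-10-25 03:36 . 2008-11-25 08:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\GAC27490\System.XML.dll
+ 2009-04-03 23:46 . 2009-04-03 23:46 17314688 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6425\MSO.DLL
+ 2011-08-14 20:19 . 2011-10-25 23:25 1344736 c:\windows\FLV Player\uninstall.exe
- 2011-08-14 20:19 . 2011-08-14 20:19 1344736 c:\windows\FLV Player\uninstall.exe
.
-- Snapshot reset to current date --
"""

if __name__ == "__main__":
    found = parse_snapshot(SAMPLE)
    for path, what in sorted(classify(found).items()):
        print(f"{what:22} {path}")
    print("copied in:", copied_in(found))
    print("review:   ", review_candidates(found))
```

On the sample, the GAC pairs come out as `replaced_same_size` (identical length, fresh timestamps, inside the servicing trees) and drop out of the review list; `System.XML.dll` under `GAC27490` is reported as copied in because its created time (2011-10-25) is later than its modified time (2008), which is consistent with a servicing copy that kept the original timestamp. The one path left for review is `c:\windows\FLV Player\uninstall.exe`, rewritten in place on 2011-10-25 with the same length as before. The script only says that it deserves a look; confirming what it is means hashing it and comparing against a known-good copy, not trusting the size.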
#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 28 October 2011 - 07:43 AM

OK good, that's looking much better. Let's run a couple more scans to see if there are any leftovers.


  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 November 2011 - 03:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
