ping.exe Virus or Malware Issue


  • This topic is locked
14 replies to this topic

#1 mhay

  • Members
  • 7 posts

Posted 05 December 2011 - 09:21 PM

My computer is infected by a virus or malware that continuously launches the ping.exe file which, if kept running, eats up all available system memory and eventually crashes the computer. I have to end the process via the Task Manager every 30 seconds or so. I installed Malwarebytes Anti-Malware and the program keeps successfully blocking outgoing attempts to connect to malicious websites. I would greatly appreciate any help you could provide me in trying to diagnose and fix the problem. I followed all the steps in the "Preparation Guide for Use Before Using Malware Removal Tools and Requesting Help" and my logs are posted below. Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by The Haymakers at 14:39:07 on 2011-12-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1014 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
G:\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-36&installtype=force&dtag=dq6ft61&systempopup=true
uInternet Settings,ProxyServer = http=127.0.0.1:4185
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Akamai NetSession Interface] c:\documents and settings\the haymakers\local settings\application data\akamai\netsession_win.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [AWMON] "c:\program files\lavasoft\ad-aware se professional\Ad-Watch.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\thehay~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\the haymakers\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\thehay~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\thehay~1\startm~1\programs\startup\screen~1.lnk - c:\program files\wisdom-soft screenhunter 5 free\ScreenHunter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: csplans.com\lmco
Trusted Zone: ebay.com\signin
Trusted Zone: gmail.com\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: msb.edu\storage
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1270997665000
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://www.mindshift.com/tsweb/msrdp.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://sslvpn.mindshift.com/sre/ICSScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://sslvpn.mindshift.com/SNX/CSHELL/extender.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{79844A62-339B-4192-9352-C25132DB8C85} : DhcpNameServer = 192.168.1.1
Filter: text/html - {b70a468f-d321-4fbf-a5de-08d31d22b2cf} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\the haymakers\application data\mozilla\firefox\profiles\vzk8qt4n.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\the haymakers\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\the haymakers\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\the haymakers\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\the haymakers\application data\mozilla\firefox\profiles\vzk8qt4n.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\the haymakers\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [2011-3-28 10368]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/03/28 22:30:38];c:\program files\cyberlink\powerdvd8\000.fcl [2009-8-28 87536]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [2011-3-28 154368]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2007-6-10 331870]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-1 366152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-2-17 106586]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2010-9-2 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2010-9-2 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2011-3-30 66944]
R2 TomTomHOMEService;TomTomHOMEService;g:\tomtom home 2\TomTomHOMEService.exe [2010-12-10 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-15 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-8-25 466880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-1 22216]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2006-9-12 110160]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-29 136176]
S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-29 136176]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-2-8 2385896]
.
=============== Created Last 30 ================
.
2011-12-01 19:17:31 -------- d-----w- c:\documents and settings\the haymakers\application data\Malwarebytes
2011-12-01 19:17:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-01 19:17:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-01 19:17:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-23 14:39:30 508928 ----a-w- c:\windows\svcs.exe
2011-11-17 03:36:14 388096 ----a-r- c:\documents and settings\the haymakers\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-17 03:36:11 -------- d-----w- c:\program files\Trend Micro
2011-11-17 02:31:09 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ------w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:40:53.28 ===============
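Added example, not code from DDS, Malwarebytes or anyone in this thread: a Python triage script that splits a DDS log into its sections and flags the entries a helper reading the log above would check first, namely the browser proxy pointed at 127.0.0.1:4185, the nameless mRun value and svcs.exe created directly in C:\WINDOWS. The embedded sample log is a constructed excerpt of the posted one, and the three rules are heuristics for review, not verdicts.

```python
"""Triage helper for a DDS log (added example; not part of DDS or of this thread)."""
import re

# Constructed excerpt modelled on the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=127.0.0.1:4185
uInternet Settings,ProxyOverride = *.local
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
.
=============== Created Last 30 ================
.
2011-12-01 19:17:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 14:39:30 508928 ----a-w- c:\windows\svcs.exe
2011-11-17 03:36:11 -------- d-----w- c:\program files\Trend Micro
.
============= FINISH: 14:40:53.28 ===============
"""

# DDS section headers look like "====== Name ======".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")
# u/m/d prefix = user / machine / default hive; "[name] command" follows.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(.*?)\](.*)$")
# "date time size attributes path"; size is "--------" for directories.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+) (\S+) (.+)$")
EXE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
LOOPBACK = ("127.0.0.1", "localhost")
WINDOWS_DIR = "c:\\windows"


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}; blank and '.' lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (category, line) findings in log order; each is a lead, not a verdict."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        proxy = PROXY_RE.match(line)
        if proxy and any(host in proxy.group(1) for host in LOOPBACK):
            # Every browser request is handed to a process on this machine. Some
            # filtering software does this legitimately, so identify the listener.
            findings.append(("loopback-proxy", line))
            continue
        run = RUN_RE.match(line)
        if run and run.group(1) in ("", "<NO NAME>"):
            # The Run key's unnamed default value: often an empty leftover,
            # but it should be confirmed rather than assumed harmless.
            findings.append(("nameless-run-entry", line))
    for line in sections.get("Created Last 30", []):
        created = CREATED_RE.match(line)
        if not created or created.group(2).startswith("d"):
            continue  # unparsable line, or a directory entry
        path = created.group(3).lower()
        parent, _, name = path.rpartition("\\")
        if name.endswith(EXE_EXT) and parent == WINDOWS_DIR:
            # A fresh executable directly in the Windows directory (not in
            # system32) is uncommon for legitimate software; worth a hash lookup.
            findings.append(("new-exe-in-windows-dir", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```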


#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 05 December 2011 - 10:28 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mhay

  • Topic Starter

  • Members
  • 7 posts

Posted 06 December 2011 - 12:27 AM

Thanks Cat. I did as requested and here are the log files. Both programs found rootkits.


23:09:52.0125 2776 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
23:09:52.0296 2776 ============================================================
23:09:52.0296 2776 Current date / time: 2011/12/05 23:09:52.0296
23:09:52.0296 2776 SystemInfo:
23:09:52.0296 2776
23:09:52.0296 2776 OS Version: 5.1.2600 ServicePack: 3.0
23:09:52.0296 2776 Product type: Workstation
23:09:52.0296 2776 ComputerName: DDQ6FT61
23:09:52.0296 2776 UserName: The Haymakers
23:09:52.0296 2776 Windows directory: C:\WINDOWS
23:09:52.0296 2776 System windows directory: C:\WINDOWS
23:09:52.0296 2776 Processor architecture: Intel x86
23:09:52.0296 2776 Number of processors: 2
23:09:52.0296 2776 Page size: 0x1000
23:09:52.0296 2776 Boot type: Normal boot
23:09:52.0296 2776 ============================================================
23:09:54.0046 2776 Initialize success
23:09:56.0375 3872 ============================================================
23:09:56.0375 3872 Scan started
23:09:56.0375 3872 Mode: Manual;
23:09:56.0375 3872 ============================================================
23:10:03.0546 3872 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
23:10:03.0546 3872 MODEMCSA - ok
23:10:03.0593 3872 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:10:03.0593 3872 Mouclass - ok
23:10:03.0609 3872 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:10:03.0609 3872 MountMgr - ok
23:10:03.0656 3872 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:10:03.0656 3872 mraid35x - ok
23:10:03.0703 3872 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:10:03.0703 3872 MRxDAV - ok
23:10:03.0765 3872 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:10:03.0765 3872 MRxSmb - ok
23:10:03.0828 3872 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:10:03.0828 3872 Msfs - ok
23:10:03.0875 3872 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:10:03.0875 3872 MSKSSRV - ok
23:10:03.0890 3872 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:10:03.0890 3872 MSPCLOCK - ok
23:10:03.0937 3872 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:10:03.0937 3872 MSPQM - ok
23:10:03.0984 3872 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:10:04.0000 3872 mssmbios - ok
23:10:04.0046 3872 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
23:10:04.0046 3872 MSTEE - ok
23:10:04.0093 3872 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:10:04.0109 3872 Mup - ok
23:10:04.0156 3872 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
23:10:04.0156 3872 NABTSFEC - ok
23:10:04.0203 3872 NaiAvFilter1 (93941b922810f9dfa68dfffc6ad67a77) C:\WINDOWS\system32\drivers\naiavf5x.sys
23:10:04.0234 3872 NaiAvFilter1 - ok
23:10:04.0343 3872 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:10:04.0343 3872 NDIS - ok
23:10:04.0390 3872 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
23:10:04.0390 3872 NdisIP - ok
23:10:04.0453 3872 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:10:04.0453 3872 NdisTapi - ok
23:10:04.0453 3872 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:10:04.0468 3872 Ndisuio - ok
23:10:04.0484 3872 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:10:04.0484 3872 NdisWan - ok
23:10:04.0546 3872 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:10:04.0546 3872 NDProxy - ok
23:10:04.0609 3872 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:10:04.0609 3872 NetBIOS - ok
23:10:04.0640 3872 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:10:04.0640 3872 NetBT - ok
23:10:04.0734 3872 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:10:04.0734 3872 Npfs - ok
23:10:04.0812 3872 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:10:04.0828 3872 Ntfs - ok
23:10:04.0875 3872 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:10:04.0875 3872 Null - ok
23:10:04.0968 3872 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:10:05.0000 3872 nv - ok
23:10:05.0171 3872 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:10:05.0171 3872 NwlnkFlt - ok
23:10:05.0203 3872 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:10:05.0203 3872 NwlnkFwd - ok
23:10:05.0265 3872 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
23:10:05.0296 3872 omci - ok
23:10:05.0312 3872 PalmUSBD - ok
23:10:05.0359 3872 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:10:05.0359 3872 Parport - ok
23:10:05.0406 3872 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:10:05.0406 3872 PartMgr - ok
23:10:05.0453 3872 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:10:05.0453 3872 ParVdm - ok
23:10:05.0500 3872 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:10:05.0500 3872 PCI - ok
23:10:05.0531 3872 PCIDump - ok
23:10:05.0546 3872 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:10:05.0546 3872 PCIIde - ok
23:10:05.0593 3872 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:10:05.0593 3872 Pcmcia - ok
23:10:05.0703 3872 PDCOMP - ok
23:10:05.0718 3872 PDFRAME - ok
23:10:05.0718 3872 PDRELI - ok
23:10:05.0734 3872 PDRFRAME - ok
23:10:05.0781 3872 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
23:10:05.0781 3872 perc2 - ok
23:10:05.0796 3872 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
23:10:05.0796 3872 perc2hib - ok
23:10:05.0875 3872 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:10:05.0875 3872 PptpMiniport - ok
23:10:05.0906 3872 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:10:05.0906 3872 PSched - ok
23:10:05.0921 3872 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:10:05.0921 3872 Ptilink - ok
23:10:05.0953 3872 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:10:06.0000 3872 PxHelp20 - ok
23:10:06.0046 3872 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
23:10:06.0062 3872 ql1080 - ok
23:10:06.0093 3872 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
23:10:06.0109 3872 Ql10wnt - ok
23:10:06.0109 3872 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
23:10:06.0125 3872 ql12160 - ok
23:10:06.0140 3872 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
23:10:06.0140 3872 ql1240 - ok
23:10:06.0171 3872 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
23:10:06.0171 3872 ql1280 - ok
23:10:06.0187 3872 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:10:06.0187 3872 RasAcd - ok
23:10:06.0234 3872 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:10:06.0234 3872 Rasl2tp - ok
23:10:06.0359 3872 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:10:06.0359 3872 RasPppoe - ok
23:10:06.0359 3872 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:10:06.0375 3872 Raspti - ok
23:10:06.0390 3872 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:10:06.0390 3872 Rdbss - ok
23:10:06.0406 3872 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:10:06.0421 3872 RDPCDD - ok
23:10:06.0468 3872 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:10:06.0468 3872 rdpdr - ok
23:10:06.0640 3872 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:10:06.0640 3872 RDPWD - ok
23:10:06.0671 3872 redbook (08fbe0b348a3ab907b250e9dc89550e3) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:10:06.0687 3872 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 08fbe0b348a3ab907b250e9dc89550e3, Fake md5: f828dd7e1419b6653894a8f97a0094c5
23:10:06.0687 3872 redbook ( Rootkit.Win32.ZAccess.k ) - infected
23:10:06.0687 3872 redbook - detected Rootkit.Win32.ZAccess.k (0)
23:10:06.0921 3872 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
23:10:07.0062 3872 RimUsb - ok
23:10:07.0171 3872 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:10:07.0187 3872 Secdrv - ok
23:10:07.0484 3872 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:10:07.0484 3872 serenum - ok
23:10:07.0593 3872 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:10:07.0609 3872 Serial - ok
23:10:07.0640 3872 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:10:07.0640 3872 Sfloppy - ok
23:10:07.0781 3872 Simbad - ok
23:10:07.0828 3872 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
23:10:07.0828 3872 sisagp - ok
23:10:07.0890 3872 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
23:10:07.0890 3872 SLIP - ok
23:10:07.0968 3872 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
23:10:08.0015 3872 smwdm - ok
23:10:08.0062 3872 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
23:10:08.0062 3872 SONYPVU1 - ok
23:10:08.0171 3872 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
23:10:08.0171 3872 Sparrow - ok
23:10:08.0265 3872 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:10:08.0265 3872 splitter - ok
23:10:08.0328 3872 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:10:08.0328 3872 sr - ok
23:10:08.0406 3872 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:10:08.0421 3872 Srv - ok
23:10:08.0484 3872 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
23:10:08.0531 3872 sscdbhk5 - ok
23:10:08.0546 3872 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
23:10:08.0578 3872 ssrtln - ok
23:10:08.0625 3872 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
23:10:08.0625 3872 streamip - ok
23:10:08.0718 3872 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:10:08.0718 3872 swenum - ok
23:10:08.0734 3872 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:10:08.0734 3872 swmidi - ok
23:10:08.0765 3872 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
23:10:08.0765 3872 symc810 - ok
23:10:08.0781 3872 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
23:10:08.0781 3872 symc8xx - ok
23:10:08.0796 3872 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
23:10:08.0796 3872 sym_hi - ok
23:10:08.0812 3872 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
23:10:08.0812 3872 sym_u3 - ok
23:10:08.0828 3872 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:10:08.0828 3872 sysaudio - ok
23:10:08.0890 3872 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:10:08.0890 3872 Tcpip - ok
23:10:09.0031 3872 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:10:09.0031 3872 TDPIPE - ok
23:10:09.0046 3872 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:10:09.0046 3872 TDTCP - ok
23:10:09.0093 3872 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:10:09.0093 3872 TermDD - ok
23:10:09.0187 3872 tfsnboio (75b30b9ea32fe7d8bbc332d3b944ad46) C:\WINDOWS\system32\dla\tfsnboio.sys
23:10:09.0234 3872 tfsnboio - ok
23:10:09.0343 3872 tfsncofs (b811a431b14694d88eb5befaa55b4501) C:\WINDOWS\system32\dla\tfsncofs.sys
23:10:09.0375 3872 tfsncofs - ok
23:10:09.0406 3872 tfsndrct (f5e2cf2144f1fe51dadd6e9063d311eb) C:\WINDOWS\system32\dla\tfsndrct.sys
23:10:09.0437 3872 tfsndrct - ok
23:10:09.0453 3872 tfsndres (e32b32045b6b914fd4caae8be6ca7e8a) C:\WINDOWS\system32\dla\tfsndres.sys
23:10:09.0500 3872 tfsndres - ok
23:10:09.0515 3872 tfsnifs (43034b10a94d1c6f13a1a0e848f51226) C:\WINDOWS\system32\dla\tfsnifs.sys
23:10:09.0562 3872 tfsnifs - ok
23:10:09.0656 3872 tfsnopio (f5ee0faafde37326ea35acbfa5defd3d) C:\WINDOWS\system32\dla\tfsnopio.sys
23:10:09.0687 3872 tfsnopio - ok
23:10:09.0781 3872 tfsnpool (597348eb65b3e19709e9a45ca2b30b61) C:\WINDOWS\system32\dla\tfsnpool.sys
23:10:09.0812 3872 tfsnpool - ok
23:10:09.0828 3872 tfsnudf (767affd52432a0f7e7d39f6ff64401f4) C:\WINDOWS\system32\dla\tfsnudf.sys
23:10:09.0890 3872 tfsnudf - ok
23:10:09.0937 3872 tfsnudfa (2806b2fd00263ccd90cc0638c6139eb0) C:\WINDOWS\system32\dla\tfsnudfa.sys
23:10:09.0984 3872 tfsnudfa - ok
23:10:10.0078 3872 thdudf (9d4bbd6e27b5562aea8295de7134e386) C:\WINDOWS\system32\DRIVERS\thdudf.sys
23:10:10.0125 3872 thdudf - ok
23:10:10.0187 3872 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
23:10:10.0187 3872 TosIde - ok
23:10:10.0234 3872 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:10:10.0234 3872 Udfs - ok
23:10:10.0265 3872 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
23:10:10.0265 3872 ultra - ok
23:10:10.0343 3872 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:10:10.0343 3872 Update - ok
23:10:10.0406 3872 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:10:10.0500 3872 USBAAPL - ok
23:10:10.0578 3872 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
23:10:10.0578 3872 usbaudio - ok
23:10:10.0656 3872 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:10:10.0656 3872 usbccgp - ok
23:10:10.0703 3872 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:10:10.0703 3872 usbehci - ok
23:10:10.0718 3872 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:10:10.0718 3872 usbhub - ok
23:10:10.0734 3872 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:10:10.0734 3872 usbprint - ok
23:10:10.0750 3872 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:10:10.0750 3872 usbscan - ok
23:10:10.0765 3872 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:10:10.0765 3872 USBSTOR - ok
23:10:10.0781 3872 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:10:10.0781 3872 usbuhci - ok
23:10:10.0828 3872 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:10:10.0828 3872 VgaSave - ok
23:10:10.0875 3872 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
23:10:10.0875 3872 viaagp - ok
23:10:10.0890 3872 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:10:10.0890 3872 ViaIde - ok
23:10:10.0968 3872 VNA (6588080a0872c772df85689df18cfe42) C:\WINDOWS\system32\DRIVERS\vna.sys
23:10:11.0015 3872 VNA - ok
23:10:11.0046 3872 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:10:11.0046 3872 VolSnap - ok
23:10:11.0218 3872 VX6000 (3c296e30c519e2f71e47820d8f4dd1e7) C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys
23:10:11.0265 3872 VX6000 - ok
23:10:11.0406 3872 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:10:11.0421 3872 Wanarp - ok
23:10:11.0437 3872 wanatw - ok
23:10:11.0453 3872 WDICA - ok
23:10:11.0484 3872 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:10:11.0484 3872 wdmaud - ok
23:10:11.0578 3872 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
23:10:11.0578 3872 winachsf - ok
23:10:11.0718 3872 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:10:11.0718 3872 WS2IFSL - ok
23:10:11.0781 3872 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
23:10:11.0781 3872 WSTCODEC - ok
23:10:11.0812 3872 ZDPSp50 - ok
23:10:12.0046 3872 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} (74ec37b9eaf9fca015b933a526825c7a) C:\Program Files\CyberLink\PowerDVD8\000.fcl
23:10:13.0406 3872 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} - ok
23:10:13.0421 3872 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
23:10:13.0421 3872 \Device\Harddisk0\DR0 - ok
23:10:13.0437 3872 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
23:10:14.0281 3872 \Device\Harddisk1\DR1 - ok
23:10:14.0296 3872 MBR (0x1B8) (bbb0a0725ad66f38b1a32135f3cb55d6) \Device\Harddisk2\DR6
23:10:14.0656 3872 \Device\Harddisk2\DR6 - ok
23:10:14.0671 3872 Boot (0x1200) (32ffde642bb0ec5faa7555806e2838b0) \Device\Harddisk0\DR0\Partition0
23:10:14.0671 3872 \Device\Harddisk0\DR0\Partition0 - ok
23:10:14.0671 3872 Boot (0x1200) (ca672faf37e17143fa21fc19eb67bca4) \Device\Harddisk1\DR1\Partition0
23:10:14.0671 3872 \Device\Harddisk1\DR1\Partition0 - ok
23:10:14.0687 3872 Boot (0x1200) (20e9e897ce5418a919dfabebc40d2ff7) \Device\Harddisk2\DR6\Partition0
23:10:14.0687 3872 \Device\Harddisk2\DR6\Partition0 - ok
23:10:14.0687 3872 ============================================================
23:10:14.0687 3872 Scan finished
23:10:14.0687 3872 ============================================================
23:10:14.0703 0172 Detected object count: 1
23:10:14.0703 0172 Actual detected object count: 1
23:11:52.0656 0172 Backup copy found, using it..
23:11:52.0843 0172 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot
23:11:55.0687 0172 redbook ( Rootkit.Win32.ZAccess.k ) - User select action: Cure
23:12:04.0546 2888 Deinitialize success
ComboFix 11-12-05.04 - The Haymakers 12/05/2011 23:49:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1478 [GMT -5:00]
Running from: c:\documents and settings\The Haymakers\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
c:\documents and settings\The Haymakers\g2mdlhlpx.exe
c:\documents and settings\The Haymakers\Local Settings\Application Data\asam.exe
c:\documents and settings\The Haymakers\Local Settings\Application Data\syssvc.exe
c:\documents and settings\The Haymakers\Recent\Thumbs.db
c:\documents and settings\The Haymakers\WINDOWS
C:\Documents
c:\program files\MyWaySA
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\windows\$NtUninstallKB13844$
c:\windows\$NtUninstallKB13844$\4197895202\@
c:\windows\$NtUninstallKB13844$\4197895202\bckfg.tmp
c:\windows\$NtUninstallKB13844$\4197895202\cfg.ini
c:\windows\$NtUninstallKB13844$\4197895202\Desktop.ini
c:\windows\$NtUninstallKB13844$\4197895202\keywords
c:\windows\$NtUninstallKB13844$\4197895202\kwrd.dll
c:\windows\$NtUninstallKB13844$\4197895202\L\odetmngk
c:\windows\$NtUninstallKB13844$\4197895202\lsflt7.ver
c:\windows\$NtUninstallKB13844$\4197895202\U\00000001.@
c:\windows\$NtUninstallKB13844$\4197895202\U\00000002.@
c:\windows\$NtUninstallKB13844$\4197895202\U\00000004.@
c:\windows\$NtUninstallKB13844$\4197895202\U\80000000.@
c:\windows\$NtUninstallKB13844$\4197895202\U\80000004.@
c:\windows\$NtUninstallKB13844$\4197895202\U\80000032.@
c:\windows\$NtUninstallKB13844$\4209842385
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\dasetup.log
c:\windows\herjek.config
c:\windows\svcs.exe
c:\windows\system32\ie.ico
c:\windows\system32\open.ico
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-06 to 2011-12-06 )))))))))))))))))))))))))))))))
.
.
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\The Haymakers\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-01 19:17 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-17 03:36 . 2011-11-17 03:36 388096 ----a-r- c:\documents and settings\The Haymakers\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 03:36 . 2011-11-17 03:36 -------- d-----w- c:\program files\Trend Micro
2011-11-17 02:31 . 2011-11-17 02:31 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 04:12 . 2004-08-04 04:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-10 14:22 . 2004-08-04 11:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2005-04-21 12:51 . 2005-04-21 12:51 278528 -c--a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-04-21 12:52 . 2005-04-21 12:52 98304 -c--a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 538112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\The Haymakers\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\Dropbox.exe [2011-1-27 23361424]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-22 385024]
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-7-14 5689344]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-5-30 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-13 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-6-2 450560]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\SYSTEM32\DRIVERS\CLBStor.sys [3/28/2011 9:25 PM 10368]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/03/28 22:30];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 5:36 PM 87536]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\SYSTEM32\DRIVERS\CLBUDFR.sys [3/28/2011 9:25 PM 154368]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [6/10/2007 3:48 PM 331870]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/1/2011 2:17 PM 366152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/2/2010 4:46 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/2/2010 4:46 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\SYSTEM32\DRIVERS\thdudf.sys [3/30/2011 8:21 PM 66944]
R2 TomTomHOMEService;TomTomHOMEService;g:\tomtom home 2\TomTomHOMEService.exe [12/10/2010 7:29 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/15/2007 4:33 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/1/2011 2:17 PM 22216]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\vna.sys [9/12/2006 5:14 PM 110160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [8/25/2005 2:00 PM 466880]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\SYSTEM32\DRIVERS\VX6000Xp.sys [2/8/2009 5:53 PM 2385896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-36&installtype=force&dtag=dq6ft61&systempopup=true
uInternet Settings,ProxyServer = http=127.0.0.1:4185
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: csplans.com\lmco
Trusted Zone: ebay.com\signin
Trusted Zone: gmail.com\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: msb.edu\storage
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://sslvpn.mindshift.com/sre/ICSScanner.cab
FF - ProfilePath - c:\documents and settings\The Haymakers\Application Data\Mozilla\Firefox\Profiles\vzk8qt4n.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\The Haymakers\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\The Haymakers\Local Settings\Application Data\Akamai\netsession_win.exe
HKLM-Run-BuildBU - c:\dell\bldbubg.exe
HKLM-Run-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
HKLM-Run-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
HKLM-Run-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
HKLM-Run-EPSON Stylus Photo RX500 - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
Notify-WgaLogon - (no file)
SafeBoot-42480066.sys
SafeBoot-klmdb.sys
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
AddRemove-HijackThis - c:\docume~1\THEHAY~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-06 00:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-12-06 00:22:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-06 05:22
.
Pre-Run: 13,982,339,072 bytes free
Post-Run: 17,058,381,824 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 69E50F0E6A45663B4269557B7B6113E3

#4 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:44 AM

Posted 06 December 2011 - 10:30 AM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:4185
Trusted Zone: csplans.com\lmco
Trusted Zone: ebay.com\signin
Trusted Zone: gmail.com\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
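The CFScript above lists, under `DDS::`, the lines from the first log's Supplementary Scan that ComboFix should remove: the `ProxyServer = http=127.0.0.1:4185` entry (a browser proxy pointed at the local machine, which is how a proxy trojan sits between the browser and the network) and the Trusted Zone entries for banking, mail and tax sites, while the `msb.edu\storage` entry was left alone. As an added example, not code from this thread or from the DDS/ComboFix tools, here is a small Python triage script that applies that reasoning automatically: it flags a loopback proxy as the strongest indicator, lists every Trusted Zone entry for review, formats the reviewed lines in the `DDS::` layout used above, and checks a follow-up log to confirm the flagged lines are gone. The indicator rules, severity levels and function names are this example's own assumptions; the before/after samples are copied from the two logs posted in this thread.

```python
import re

# Constructed sample: the Supplementary Scan lines from the first ComboFix log posted above
BEFORE_LOG = """\
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=127.0.0.1:4185
uInternet Settings,ProxyOverride = *.local
Trusted Zone: csplans.com\\lmco
Trusted Zone: ebay.com\\signin
Trusted Zone: gmail.com\\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\\ttlc
Trusted Zone: msb.edu\\storage
Trusted Zone: turbotax.com
"""

# Constructed sample: the same section from the log posted after the CFScript ran
AFTER_LOG = """\
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
Trusted Zone: msb.edu\\storage
"""

# DDS prefixes: 'u' = current user (HKCU), 'm' = machine (HKLM)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<zone>\S.*)$")
# A proxy on the loopback interface is how a local proxy trojan intercepts browser
# traffic; a few legitimate tools (debugging proxies, some web filters) also do this,
# so the line is flagged for a human decision rather than removed blindly.
LOOPBACK_RE = re.compile(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", re.IGNORECASE)


def classify_line(line):
    """Return (severity, reason) for one Supplementary Scan line, or None if nothing stands out."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m:
        value = m.group("value")
        if LOOPBACK_RE.search(value):
            return ("high", "browser proxy pointed at the local machine: " + value)
        return ("medium", "explicit browser proxy configured: " + value)
    m = TRUSTED_RE.match(line)
    if m:
        # Trusted Zone sites get relaxed IE security settings; hijackers add
        # banking and mail sites here, so every entry is listed for review.
        return ("low", "site in IE Trusted Zone: " + m.group("zone"))
    return None


def triage(log_text):
    """Scan every line of a log and return [(line, severity, reason), ...] in log order."""
    findings = []
    for raw in log_text.splitlines():
        verdict = classify_line(raw)
        if verdict is not None:
            findings.append((raw.strip(), verdict[0], verdict[1]))
    return findings


def build_dds_section(findings, exclude=()):
    """Format reviewed findings as the DDS:: block of a CFScript (the layout used in
    the post above). `exclude` holds lines a human decided to keep, such as a Trusted
    Zone entry for the user's own organisation."""
    keep_out = set(exclude)
    body = [line for line, _sev, _reason in findings if line not in keep_out]
    return "DDS::\n" + "\n".join(body) + "\n"


def still_present(before_log, after_log):
    """Findings from the first log that survive unchanged in the follow-up log."""
    after_lines = {l.strip() for l in after_log.splitlines()}
    return [f for f in triage(before_log) if f[0] in after_lines]


if __name__ == "__main__":
    for line, sev, reason in triage(BEFORE_LOG):
        print(f"[{sev:6}] {reason}")
    print(build_dds_section(triage(BEFORE_LOG), exclude={"Trusted Zone: msb.edu\\storage"}))
    print("left after fix:", [f[0] for f in still_present(BEFORE_LOG, AFTER_LOG)])
```

Run on the two samples, the generated `DDS::` block is the same seven lines CatByte wrote by hand, and the only flagged line still present in the second log is the `msb.edu\storage` Trusted Zone entry that was deliberately kept.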


#5 mhay

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:44 AM

Posted 06 December 2011 - 01:29 PM

Thanks again Cat. Does this mean that my computer is still infected? After I ran Combofix and TDSSKiller last night it seemed to fix things. Ping.exe was no longer running. I'll complete the additional steps tonight and let you know the results.

#6 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:44 AM

Posted 06 December 2011 - 03:29 PM

We're just taking care of any leftovers.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 mhay

  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:44 AM

Posted 07 December 2011 - 08:15 AM

Thanks - the first two seemed clean, but the last scan found a bunch of issues. I'm glad I ran it! Please let me know the next steps. Thanks.

ComboFix 11-12-05.04 - The Haymakers 12/06/2011 23:06:52.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1368 [GMT -5:00]
Running from: c:\documents and settings\The Haymakers\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Haymakers\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\The Haymakers\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-01 19:17 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-17 03:36 . 2011-11-17 03:36 388096 ----a-r- c:\documents and settings\The Haymakers\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 03:36 . 2011-11-17 03:36 -------- d-----w- c:\program files\Trend Micro
2011-11-17 02:31 . 2011-11-17 02:31 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 04:12 . 2004-08-04 04:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-10 14:22 . 2004-08-04 11:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2005-04-21 12:51 . 2005-04-21 12:51 278528 -c--a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-04-21 12:52 . 2005-04-21 12:52 98304 -c--a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-06_05.11.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-07 03:53 . 2011-12-07 03:53 16384 c:\windows\Temp\Perflib_Perfdata_b54.dat
+ 2011-12-07 03:52 . 2011-12-07 03:52 16384 c:\windows\Temp\Perflib_Perfdata_204.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 538112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\The Haymakers\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\Dropbox.exe [2011-1-27 23361424]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-22 385024]
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-7-14 5689344]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-5-30 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-13 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-6-2 450560]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\SYSTEM32\DRIVERS\CLBStor.sys [3/28/2011 9:25 PM 10368]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/03/28 22:30];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 5:36 PM 87536]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\SYSTEM32\DRIVERS\CLBUDFR.sys [3/28/2011 9:25 PM 154368]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [6/10/2007 3:48 PM 331870]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/1/2011 2:17 PM 366152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/2/2010 4:46 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/2/2010 4:46 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\SYSTEM32\DRIVERS\thdudf.sys [3/30/2011 8:21 PM 66944]
R2 TomTomHOMEService;TomTomHOMEService;g:\tomtom home 2\TomTomHOMEService.exe [12/10/2010 7:29 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/15/2007 4:33 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/1/2011 2:17 PM 22216]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\vna.sys [9/12/2006 5:14 PM 110160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [8/25/2005 2:00 PM 466880]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\SYSTEM32\DRIVERS\VX6000Xp.sys [2/8/2009 5:53 PM 2385896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-36&installtype=force&dtag=dq6ft61&systempopup=true
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: msb.edu\storage
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://sslvpn.mindshift.com/sre/ICSScanner.cab
FF - ProfilePath - c:\documents and settings\The Haymakers\Application Data\Mozilla\Firefox\Profiles\vzk8qt4n.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\The Haymakers\Application Data\Move Networks
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-06 23:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\COMRes.dll
.
- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-06 23:22:31
ComboFix-quarantined-files.txt 2011-12-07 04:22
ComboFix2.txt 2011-12-06 05:22
.
Pre-Run: 17,093,709,824 bytes free
Post-Run: 17,173,069,824 bytes free
.
- - End Of File - - 2DCD3BAE9EFD3FE6F275967774540903




Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8326

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/6/2011 11:30:08 PM
mbam-log-2011-12-06 (23-30-08).txt

Scan type: Quick scan
Objects scanned: 196742
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





C:\Documents and Settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\The Haymakers\Local Settings\Application Data\owebkxvjx\slmklejtssd.exe a variant of Win32/Kryptik.EQB trojan
C:\Documents and Settings\The Haymakers\Local Settings\Application Data\wbcxwdbbj\pcbmtgstssd.exe Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\The Haymakers\My Documents\Hijack This\backups\backup-20060122-145829-680.dll probably a variant of Win32/Adware.BHO.V application
C:\Documents and Settings\The Haymakers\My Documents\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe Win32/PrcView application
C:\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe multiple threats
C:\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe multiple threats
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application
C:\Program Files\Nitro PDF\PrimoPDF\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\asam.exe.vir Win32/Fuclip.BI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\syssvc.exe.vir Win32/Fuclip.BI trojan
C:\Qoobox\Quarantine\C\WINDOWS\svcs.exe.vir probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan
C:\quarantine\Av-test.txt.Vir Eicar test file
C:\quarantine\default32.dll.Vir a variant of Win32/TrojanDownloader.Monkif.AB trojan
C:\quarantine\default32.dll.Vir.0 a variant of Win32/TrojanDownloader.Monkif.AB trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185713.exe Win32/Fuclip.BI trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185714.exe Win32/Fuclip.BI trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185717.exe probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan
C:\WINDOWS\SYSTEM32\ajyugepy.dll probably a variant of Win32/Adware.BHO.V application
C:\WINDOWS\SYSTEM32\gcknceqx.dll probably a variant of Win32/Adware.BHO.V application
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Hijack This\backups\backup-20060122-145829-680.dll probably a variant of Win32/Adware.BHO.V application
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe Win32/PrcView application
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe multiple threats
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe multiple threats

#8 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:44 AM

Posted 07 December 2011 - 09:13 AM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe 
C:\Documents and Settings\The Haymakers\Local Settings\Application Data\owebkxvjx\slmklejtssd.exe 
C:\Documents and Settings\The Haymakers\Local Settings\Application Data\wbcxwdbbj\pcbmtgstssd.exe 
C:\Documents and Settings\The Haymakers\My Documents\Hijack This\backups\backup-20060122-145829-680.dll 
C:\Documents and Settings\The Haymakers\My Documents\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe 
C:\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe 
C:\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe 
C:\WINDOWS\SYSTEM32\ajyugepy.dll 
C:\WINDOWS\SYSTEM32\gcknceqx.dll 
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Hijack This\backups\backup-20060122-145829-680.dll 
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe 
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe 
G:\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File
2. Click Save As... and change the directory to your desktop
3. Change the Save as type to "All Files"
4. Type in the file name: CFScript
5. Click Save

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please advise how the computer is running now and whether there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 mhay

mhay
  • Topic Starter

  • Members
  • 7 posts

Posted 07 December 2011 - 08:46 PM

When I rebooted after I ran the previous three scans, I received a message from my Ad-watch software that it detected an attempt to alter a protected object (attempt to add a registry value). Root: HKEY_CURRENT_USER; Key: Software\Microsoft\Windows\Current\Version\Policies\Explorer; Value: NoDrives; Data: (Blank); New Data: 0. Should I accept or block the registry change?

Here are the results of the latest ComboFix scan:

ComboFix 11-12-05.04 - The Haymakers 12/07/2011 19:07:54.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1360 [GMT -5:00]
Running from: c:\documents and settings\The Haymakers\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Haymakers\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe"
"c:\documents and settings\The Haymakers\Local Settings\Application Data\owebkxvjx\slmklejtssd.exe"
"c:\documents and settings\The Haymakers\Local Settings\Application Data\wbcxwdbbj\pcbmtgstssd.exe"
"c:\documents and settings\The Haymakers\My Documents\Hijack This\backups\backup-20060122-145829-680.dll"
"c:\documents and settings\The Haymakers\My Documents\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe"
"c:\documents and settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe"
"c:\documents and settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe"
"c:\windows\SYSTEM32\ajyugepy.dll"
"c:\windows\SYSTEM32\gcknceqx.dll"
"g:\my documents backup only - do not save here\Hijack This\backups\backup-20060122-145829-680.dll"
"g:\my documents backup only - do not save here\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe"
"g:\my documents backup only - do not save here\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe"
"g:\my documents backup only - do not save here\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe
c:\documents and settings\The Haymakers\Local Settings\Application Data\owebkxvjx\slmklejtssd.exe
c:\documents and settings\The Haymakers\Local Settings\Application Data\wbcxwdbbj\pcbmtgstssd.exe
c:\documents and settings\The Haymakers\My Documents\Hijack This\backups\backup-20060122-145829-680.dll
c:\documents and settings\The Haymakers\My Documents\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe
c:\documents and settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe
c:\documents and settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe
c:\windows\SYSTEM32\ajyugepy.dll
c:\windows\SYSTEM32\gcknceqx.dll
g:\my documents backup only - do not save here\Hijack This\backups\backup-20060122-145829-680.dll
g:\my documents backup only - do not save here\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe
g:\my documents backup only - do not save here\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe
g:\my documents backup only - do not save here\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-07 04:33 . 2011-12-07 04:33 -------- d-----w- c:\program files\ESET
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\The Haymakers\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 19:17 . 2011-12-01 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-01 19:17 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-17 03:36 . 2011-11-17 03:36 388096 ----a-r- c:\documents and settings\The Haymakers\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-17 03:36 . 2011-11-17 03:36 -------- d-----w- c:\program files\Trend Micro
2011-11-17 02:31 . 2011-11-17 02:31 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 04:12 . 2004-08-04 04:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-10 14:22 . 2004-08-04 11:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2005-04-21 12:51 . 2005-04-21 12:51 278528 -c--a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-04-21 12:52 . 2005-04-21 12:52 98304 -c--a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-06_05.11.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-07 23:58 . 2011-12-07 23:58 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2011-12-07 23:58 . 2011-12-07 23:58 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\The Haymakers\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-11-17 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-16 538112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\The Haymakers\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The Haymakers\Application Data\Dropbox\bin\Dropbox.exe [2011-1-27 23361424]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-22 385024]
ScreenHunter 5.1 Free.lnk - c:\program files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe [2009-7-14 5689344]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2010-5-30 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-13 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-6-2 450560]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\The Haymakers\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\Documents and Settings\\The Haymakers\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\SYSTEM32\DRIVERS\CLBStor.sys [3/28/2011 9:25 PM 10368]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/03/28 22:30];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 5:36 PM 87536]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\SYSTEM32\DRIVERS\CLBUDFR.sys [3/28/2011 9:25 PM 154368]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [6/10/2007 3:48 PM 331870]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/1/2011 2:17 PM 366152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/2/2010 4:46 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/2/2010 4:46 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\SYSTEM32\DRIVERS\thdudf.sys [3/30/2011 8:21 PM 66944]
R2 TomTomHOMEService;TomTomHOMEService;g:\tomtom home 2\TomTomHOMEService.exe [12/10/2010 7:29 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/15/2007 4:33 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/1/2011 2:17 PM 22216]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\vna.sys [9/12/2006 5:14 PM 110160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [8/25/2005 2:00 PM 466880]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 10:07 AM 136176]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\SYSTEM32\DRIVERS\VX6000Xp.sys [2/8/2009 5:53 PM 2385896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-29 15:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-36&installtype=force&dtag=dq6ft61&systempopup=true
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: msb.edu\storage
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://sslvpn.mindshift.com/sre/ICSScanner.cab
FF - ProfilePath - c:\documents and settings\The Haymakers\Application Data\Mozilla\Firefox\Profiles\vzk8qt4n.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\The Haymakers\Application Data\Move Networks
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 19:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2011-12-07 19:24:09
ComboFix-quarantined-files.txt 2011-12-08 00:24
ComboFix2.txt 2011-12-07 04:22
ComboFix3.txt 2011-12-06 05:22
.
Pre-Run: 17,048,031,232 bytes free
Post-Run: 17,021,775,872 bytes free
.
- - End Of File - - 92A8AA1161B2187CDD9917C1582431FE
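The "Reg Loading Points" section of the ComboFix log above is the part a responder reads first, because Run/RunOnce values are where this kind of infection keeps itself alive across reboots. The following is an added Python example, not part of the thread and not a ComboFix or BleepingComputer tool. It parses entries in the format ComboFix prints and flags values that run from a user-writable profile directory (the malware on this machine lived under Local Settings\Application Data), that are bare file names resolved through the search path, or whose file date falls close to the scan date. The sample log is constructed from entries in the log above plus one hypothetical "updater" value pointing at the ummcmu.exe path ComboFix deleted; the 30-day window and the list of path markers are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section:
# key headers in brackets, then "name"="path" [file-date size] entries.
# The "updater" value is hypothetical; it reuses the ummcmu.exe path that
# ComboFix deleted to show what a persistence entry for it would look like.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\The Haymakers\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-11-17 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"updater"="c:\documents and settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe" [2011-12-01 61440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"""

# Date of the scan the sample is modelled on (from the ComboFix header).
SCAN_DATE = date(2011, 12, 7)

# Profile locations writable without admin rights (assumed marker list).
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

# "name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)


@dataclass
class AutostartEntry:
    key: str
    name: str
    path: str
    file_date: date
    size: int


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Parse key headers and value lines; ComboFix's '.' separator lines are skipped."""
    entries: List[AutostartEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and current_key is not None:
            entries.append(AutostartEntry(
                key=current_key,
                name=m["name"],
                path=m["path"],
                file_date=date.fromisoformat(m["date"]),
                size=int(m["size"]),
            ))
    return entries


def triage_reasons(entry: AutostartEntry, scan_date: date, recent_days: int = 30) -> List[str]:
    """Reasons an autostart value deserves a second look (empty list = nothing notable)."""
    reasons: List[str] = []
    p = entry.path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable profile directory")
    if "\\" not in p:
        reasons.append("bare file name, resolved through the search path at logon")
    if 0 <= (scan_date - entry.file_date).days <= recent_days:
        reasons.append(f"file dated within {recent_days} days of the scan")
    return reasons


def triage_log(text: str, scan_date: date = SCAN_DATE) -> Dict[str, List[str]]:
    """Map value name -> reasons, for every entry that has at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_loading_points(text):
        reasons = triage_reasons(entry, scan_date)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged entry is a prompt to look, not a verdict: the real Akamai NetSession value in the log above trips the same "user-writable, recently dated" checks as the hypothetical malware entry, which is exactly why a helper on a forum like this one still confirms each path by hand.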

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 December 2011 - 08:58 PM

Hi

Yes, please allow the changes; we are trying to remove the malware from there.

Other than that message, how is the computer running? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 mhay

mhay
  • Topic Starter

  • Members
  • 7 posts

Posted 08 December 2011 - 07:24 AM

Thanks Cat. Everything seems to be running fine, but I ran ESET again and it's still showing potential threats. The log is below. Is there any way to clean up the non-quarantined items, or should I not worry about them?

C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application
C:\Program Files\Nitro PDF\PrimoPDF\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\asam.exe.vir Win32/Fuclip.BI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\syssvc.exe.vir Win32/Fuclip.BI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\icgvfmuk\ummcmu.exe.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\owebkxvjx\slmklejtssd.exe.vir a variant of Win32/Kryptik.EQB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\Local Settings\Application Data\wbcxwdbbj\pcbmtgstssd.exe.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\My Documents\Hijack This\backups\backup-20060122-145829-680.dll.vir probably a variant of Win32/Adware.BHO.V application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\My Documents\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe.vir Win32/PrcView application
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe.vir multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\The Haymakers\My Documents\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe.vir multiple threats
C:\Qoobox\Quarantine\C\WINDOWS\svcs.exe.vir probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ajyugepy.dll.vir probably a variant of Win32/Adware.BHO.V application
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gcknceqx.dll.vir probably a variant of Win32/Adware.BHO.V application
C:\Qoobox\Quarantine\G\av2.zip multiple threats
C:\Qoobox\Quarantine\G\My Documents BACKUP ONLY - DO NOT SAVE HERE\Hijack This\backups\backup-20060122-145829-680.dll.vir probably a variant of Win32/Adware.BHO.V application
C:\Qoobox\Quarantine\G\My Documents BACKUP ONLY - DO NOT SAVE HERE\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe.vir Win32/PrcView application
C:\Qoobox\Quarantine\G\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\beachfree.exe.vir multiple threats
C:\Qoobox\Quarantine\G\My Documents BACKUP ONLY - DO NOT SAVE HERE\Wedding Stuff\NOT FOR MIKE Do not look JENN folder\marinefree.exe.vir multiple threats
C:\quarantine\Av-test.txt.Vir Eicar test file
C:\quarantine\default32.dll.Vir a variant of Win32/TrojanDownloader.Monkif.AB trojan
C:\quarantine\default32.dll.Vir.0 a variant of Win32/TrojanDownloader.Monkif.AB trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185713.exe Win32/Fuclip.BI trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185714.exe Win32/Fuclip.BI trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185717.exe probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185935.exe Win32/Adware.SpywareProtect2009 application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185936.exe a variant of Win32/Kryptik.EQB trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185937.exe Win32/Adware.SpywareProtect2009 application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185938.dll probably a variant of Win32/Adware.BHO.V application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185939.dll probably a variant of Win32/Adware.BHO.V application

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 December 2011 - 09:43 AM

ESET reports on the "type" of application it is, as well as reporting on threats, such as the OpenCandy application > http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=ADWARE:WIN32/OPENCANDY

It is an adware program bundled in with other downloaded applications; it's up to you whether you keep it. Most people are aware they have it and choose to install it. If you are not aware you have it, then uninstall it from Add/Remove Programs.

The rest we will remove now, in the cleanup of ComboFix.

Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 29
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the Run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double-click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
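mhay's question in #11 (which of the ESET hits still need cleaning up) and CatByte's answer in #12 turn on where each detection sits: a copy in ComboFix's Qoobox quarantine or in a System Restore point is already inert and goes away with the ComboFix uninstall and a restore-point flush, while an "application" verdict such as OpenCandy is a potentially unwanted program left to the user. Here is an added Python example, not part of the thread and not an ESET tool, that sorts scan-log lines into those buckets so only live, non-PUA detections are reported as needing removal. The sample lines are constructed from paths and detection names in the log above; the tab between path and detection is an assumption of this example (the log as pasted in the thread shows them space-separated).

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of ESET scan-log lines: (path, detection) pairs taken
# from the log above, joined with a tab (assumed delimiter for this example).
SAMPLE_LINES: List[Tuple[str, str]] = [
    (r"C:\I386\GTDownDE_87.ocx",
     "probably a variant of Win32/Adware.Agent.LCKGTSG application"),
    (r"C:\Program Files\Nitro PDF\PrimoPDF\OpenCandy\OCSetupHlp.dll",
     "Win32/OpenCandy application"),
    (r"C:\Qoobox\Quarantine\C\WINDOWS\svcs.exe.vir",
     "probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan"),
    (r"C:\quarantine\Av-test.txt.Vir",
     "Eicar test file"),
    (r"C:\quarantine\default32.dll.Vir",
     "a variant of Win32/TrojanDownloader.Monkif.AB trojan"),
    (r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1903\A0185713.exe",
     "Win32/Fuclip.BI trojan"),
]
SAMPLE_LOG = "\n".join(f"{path}\t{detection}" for path, detection in SAMPLE_LINES)

# Path fragments that mark a detection as already neutralised.
COMBOFIX_QUARANTINE = "\\qoobox\\quarantine\\"
RESTORE_POINT = "\\system volume information\\_restore"


def classify(path: str, detection: str) -> str:
    """Bucket one detection by where it lives and what kind of verdict it is."""
    p = path.lower()
    if COMBOFIX_QUARANTINE in p:
        return "combofix_quarantine"   # removed along with ComboFix's own uninstall
    if RESTORE_POINT in p:
        return "restore_point"         # inert unless restored; cleared by flushing System Restore
    if "\\quarantine\\" in p and p.endswith(".vir"):
        return "other_quarantine"      # another tool's renamed quarantine copy, also inert
    if detection.lower().endswith("application"):
        return "live_pua"              # potentially unwanted program: uninstall decision for the user
    return "live_threat"               # active file on disk that still needs removal


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Split tab-delimited lines into (path, detection); lines without a tab are ignored."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        path, detection = line.split("\t", 1)
        rows.append((path.strip(), detection.strip()))
    return rows


def summarize(text: str) -> Dict[str, int]:
    """Count detections per bucket."""
    return dict(Counter(classify(path, det) for path, det in parse_eset_log(text)))


def live_threats(text: str) -> List[str]:
    """Paths that are neither quarantined, in a restore point, nor a PUA verdict."""
    return [path for path, det in parse_eset_log(text)
            if classify(path, det) == "live_threat"]


if __name__ == "__main__":
    for bucket, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket:20s} {count}")
    print("still to remove:", live_threats(SAMPLE_LOG) or "none")
```

On the sample this reports no live threats, which matches the thread: the only non-quarantined, non-restore-point hits are two "application" verdicts, and the rest disappear with the ComboFix cleanup. The Eicar test file in the other quarantine is a harmless scanner test string and is bucketed with the quarantine rather than special-cased.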


#13 mhay

mhay
  • Topic Starter

  • Members
  • 7 posts

Posted 08 December 2011 - 11:33 PM

I completed the final steps and everything seems to be running smoothly now. I can't thank you enough! Thanks for everything!

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 December 2011 - 11:42 PM

You are welcome.

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 December 2011 - 10:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




