Possible Rootkit Activity - need assistance


12 replies to this topic

#1 Silas18

Posted 14 December 2011 - 08:04 PM

Hello,

I did a scan with Rootkit Unhooker on my cousin's PC, and I received a possible rootkit activity alert. Seeking assistance as I do not want to inadvertently do anything wrong.

DDS.TXT
-------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Ryan at 16:50:59 on 2011-12-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.120 [GMT -8:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [iqii] c:\progra~1\common~1\iqii\iqiim.exe
uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot
uRun: [Otpa] "c:\windows\system32\wnsxs~1\iexplore.exe" -vt yazb
uRun: [Uzuzbr] c:\program files\common files\??mbols\r?gedit.exe
uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
mRun: [VTTimer] VTTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [keyboard]
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\ryan\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2DEF9C9C-E423-4015-A73D-136C545B37D0} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7A7CA7F4-468D-449B-BA4C-7D6F6E128D0A} : DhcpNameServer = 192.168.0.1
Notify: WRNotifier - WRLogonNTF.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\t6eungkr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-29 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-9-29 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-29 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-18 44768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-29 24652]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\drivers\ca533av.sys --> c:\windows\system32\drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-11 00:01:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-11 00:01:30 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-08 02:33:40 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlcC0.tmp
2011-11-18 00:51:07 -------- d-----w- c:\documents and settings\ryan\Tracing
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-24 22:19:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:52:36.25 ===============
-------------------------------------

ATTACH.TXT logs:

-------------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2006 2:34:28 PM
System Uptime: 12/14/2011 4:44:20 PM (0 hours ago)
.
Motherboard: | | P4VM800
Processor: Intel® Celeron® CPU 2.66GHz | CPUSocket | 2666/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 56.413 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP913: 9/8/2011 9:00:22 PM - Removed Microsoft Office Professional Edition 2003
RP914: 9/8/2011 11:23:37 PM - Removed Microsoft Office FrontPage 2003
RP915: 9/11/2011 9:09:07 PM - System Checkpoint
RP916: 9/12/2011 12:36:42 AM - Software Distribution Service 3.0
RP917: 9/14/2011 8:06:04 PM - System Checkpoint
RP918: 9/14/2011 11:56:25 PM - Software Distribution Service 3.0
RP919: 9/16/2011 12:09:23 AM - System Checkpoint
RP920: 9/28/2011 10:46:18 PM - System Checkpoint
RP921: 10/31/2011 4:18:17 AM - System Checkpoint
RP922: 11/2/2011 12:45:55 AM - System Checkpoint
RP923: 11/9/2011 5:57:00 PM - System Checkpoint
RP924: 11/10/2011 6:32:26 PM - System Checkpoint
RP925: 11/12/2011 10:25:15 AM - System Checkpoint
RP926: 11/13/2011 3:19:01 PM - System Checkpoint
RP927: 11/15/2011 4:12:05 PM - System Checkpoint
RP928: 11/27/2011 1:36:51 PM - System Checkpoint
RP929: 12/1/2011 7:27:21 PM - System Checkpoint
RP930: 12/5/2011 5:17:39 PM - System Checkpoint
RP931: 12/8/2011 12:07:01 PM - System Checkpoint
RP932: 12/14/2011 3:37:15 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
ACDSee 8
Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Azureus
Bonjour
C-Media 3D Audio
CloneDVD 3.5
Colour@Home II
Compatibility Pack for the 2007 Office system
Conduit Engine
Creative MediaSource
DivX Content Uploader
DivX Web Player
DJ_AIO_05_F4400_Software_Min
Guitar Pro 4
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
HP Deskjet F4400 Printer Driver 14.0 Rel. 5
InterActual Player
InterVideo WinDVD 7
iTunes
J2SE Runtime Environment 5.0 Update 6
Junk Mail filter update
Malwarebytes' Anti-Malware
Mavis Beacon Teaches Typing Platinum 20
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft LifeCam
Microsoft Managed DirectX (1126)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0 (x86 en-US)
MSN
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero 7 Ultra Edition
palmOne
Power CD+G Player Pro
PowerISO
QuickTax 2003 Standard
QuickTax 2005
QuickTax 2006
QuickTime
S3GSetup
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
Sibelius Scorch
Sony DVD Architect 3.0
Toolbox
TuneUp Companion 1.9.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Video Converter 3
Viewpoint Media Player
VLC media player 1.1.10
Vuze
Vuze Remote Toolbar
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
12/8/2011 12:10:47 PM, error: DCOM [10000] - Unable to start a DCOM Server: {121BC3CF-7F8A-4CFF-80DB-3853231BE619}. The error: "%2" Happened while starting this command: "C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe" -Embedding
12/11/2011 9:25:41 AM, error: Service Control Manager [7000] - The Vstor2 Virtual Storage Driver service failed to start due to the following error: The system cannot find the path specified.
12/11/2011 9:25:41 AM, error: Service Control Manager [7000] - The Polaroid Digital Cam Video service failed to start due to the following error: The system cannot find the file specified.
12/10/2011 4:05:53 PM, error: DCOM [10000] - Unable to start a DCOM Server: {2692A9D5-61DF-46D5-A5A1-A6CCA921D578}. The error: "%2" Happened while starting this command: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe" -Embedding
.
==== End Of File ===========================

-------------------------------------

Logs from RKUnhooker:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAddBootEntry, Type: Address change 0x806475F7-->F5D23FC4 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80568024-->F5D88510 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
ntoskrnl.exe-->NtClose, Type: Address change 0x80566DB9-->F5D476A9 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateEvent, Type: Address change 0x8056AEF0-->F5D26456 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateEventPair, Type: Address change 0x80647C48-->F5D264AE [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateIoCompletion, Type: Address change 0x8058D5E0-->F5D265C4 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8056EA01-->F5D4705D [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateMutant, Type: Address change 0x8057B469-->F5D263AC [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateSection, Type: Address change 0x8056469B-->F5D264FE [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateSemaphore, Type: Address change 0x80573AA7-->F5D26400 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtCreateTimer, Type: Address change 0x8059DFE5-->F5D26572 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtDeleteBootEntry, Type: Address change 0x806475E3-->F5D23FE8 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80594F21-->F5D47D6F [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x8059295F-->F5D48025 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x80572D8E-->F5D26848 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x8056F10F-->F5D47BDA [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Address change 0x8057FDEC-->F5D47A45 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtFreeVirtualMemory, Type: Address change 0x8056894F-->F5D885C0 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805A5972-->F5D23DB2 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtModifyBootEntry, Type: Address change 0x806475E3-->F5D2400C [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtNotifyChangeKey, Type: Address change 0x805908B8-->F5D269BC [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtNotifyChangeMultipleKeys, Type: Address change 0x80590981-->F5D24AA4 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenEvent, Type: Address change 0x80580706-->F5D26486 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenEventPair, Type: Address change 0x80647D3B-->F5D264D6 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenIoCompletion, Type: Address change 0x80615483-->F5D265EE [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80567D6A-->F5D473B9 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenMutant, Type: Address change 0x8057B517-->F5D263D8 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80572F6E-->F5D26680 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x80576973-->F5D2653E [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenSemaphore, Type: Address change 0x805DC98A-->F5D2642E [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058FCDD-->F5D26764 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtOpenTimer, Type: Address change 0x80647B71-->F5D2659C [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtProtectVirtualMemory, Type: Address change 0x8057331D-->F5D88658 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
ntoskrnl.exe-->NtQueryKey, Type: Address change 0x8056EE18-->F5D478C0 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtQueryObject, Type: Address change 0x80581938-->F5D2496A [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtQueryValueKey, Type: Address change 0x8056B343-->F5D47712 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8064D48B-->F5D909E6 [C:\WINDOWS\System32\Drivers\aswSP.SYS]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064C488-->F5D466D0 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSetBootEntryOrder, Type: Address change 0x806475F7-->F5D24030 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSetBootOptions, Type: Address change 0x806475F7-->F5D24054 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x805A3F5D-->F5D23E0C [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSetSystemPowerState, Type: Address change 0x80665C27-->F5D23F48 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80573EF5-->F5D47E76 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtShutdownSystem, Type: Address change 0x80645C67-->F5D23F24 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x806487DF-->F5D23F6C [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
ntoskrnl.exe-->NtVdmControl, Type: Address change 0x805B8A80-->F5D24078 [C:\WINDOWS\System32\Drivers\aswSnx.SYS]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x84170DA0 [676] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x83DC5128 [1076] C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc., -)
0x841642E8 [1092] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc., Java™ 2 Platform Standard Edition binary)
0x84240B28 [1192] C:\WINDOWS\vVX3000.exe (Microsoft Corporation, Microsoft LifeCam Device Application)
0x83DCC338 [1200] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software, avast! Antivirus)
0x83DC3020 [1216] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0x83DC3610 [1224] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8414EDA0 [1232] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG, Nero Home)
0x84169DA0 [2860] C:\Documents and Settings\Ryan\Desktop\RKUnhookerLE.EXE (UG North, RKULE, SR2 Overlord)
0x842A0DA0 [2976] C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)
0x84196020 [3992] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x84FCAA00 [4] System
0x8424E1C8 [248] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x83D3D638 [296] C:\Program Files\Microsoft LifeCam\MSCamSvc.exe (Microsoft Corporation, MsCamSvc.exe)
0x83D3A020 [348] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., MobileDeviceService)
0x84EA8500 [760] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x84CE6DA0 [840] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x840EE308 [844] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x84CD24D8 [864] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x84D86B30 [908] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x84D86638 [920] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x84CD02E8 [1084] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84D6A6C8 [1132] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x83D3AB28 [1188] C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Technology Ltd, Creative Service for CDROM Access)
0x84DA0660 [1276] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84D76868 [1380] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8411B638 [1416] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation, Machine Debug Manager)
0x84293020 [1520] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x840EEDA0 [1532] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8411C020 [1704] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x840A87C8 [1808] C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software, avast! Service)
0x83D4F9F0 [2176] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8413F540 [2292] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x840E0B98 [2336] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84291020 [2484] C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation, Windows User Mode Driver Manager)
0x840BFDA0 [2524] C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation, ViewMgr)
0x840E2DA0 [2548] C:\WINDOWS\system32\vmnat.exe (VMware, Inc., VMware NAT Service)
0x840C2BC8 [2572] C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation, WMDM PMSP Service)
0x83DFC020 [2668] C:\WINDOWS\system32\vmnetdhcp.exe (VMware, Inc., VMware VMnet DHCP service)
0x844D68B8 [3032] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x84176500 [3548] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B75C, Type: Inline - RelativeJump 0x804E275C-->804E2737 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B790, Type: Inline - RelativeJump 0x804E2790-->804E27FB [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7B4, Type: Inline - RelativeJump 0x804E27B4-->804E278F [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7DC, Type: Inline - RelativeJump 0x804E27DC-->804E27B7 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeJump 0x804E2A94-->804E2B18 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BAE8, Type: Inline - RelativeJump 0x804E2AE8-->804E2B2E [ntoskrnl.exe]
ntoskrnl.exe+0x00092FBB, Type: Inline - RelativeJump 0x80569FBB-->80569F86 [ntoskrnl.exe]
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805820F6-->F5D9C7A6 [aswSP.SYS]
ntoskrnl.exe-->ObInsertObject, Type: Inline - RelativeJump 0x80564423-->F5D9B15C [aswSP.SYS]
ntoskrnl.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x805A29A4-->F5D9969C [aswSP.SYS]
[1076]VTTimer.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00380C0C [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00380E10 [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00380804 [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00380A08 [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003801F8 [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->003803FC [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00380600 [unknown_code_page]
[1076]VTTimer.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00381014 [unknown_code_page]
[1076]VTTimer.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1076]VTTimer.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1076]VTTimer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[1076]VTTimer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001503FC [unknown_code_page]
[1076]VTTimer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00370600 [unknown_code_page]
[1076]VTTimer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00370804 [unknown_code_page]
[1076]VTTimer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->003701F8 [unknown_code_page]
[1076]VTTimer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00370A08 [unknown_code_page]
[1076]VTTimer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->003703FC [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00370C0C [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00370E10 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00370804 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00370A08 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003701F8 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->003703FC [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00370600 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00371014 [unknown_code_page]
[1092]jusched.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1092]jusched.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1092]jusched.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[1092]jusched.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001503FC [unknown_code_page]
[1092]jusched.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00380600 [unknown_code_page]
[1092]jusched.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00380804 [unknown_code_page]
[1092]jusched.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->003801F8 [unknown_code_page]
[1092]jusched.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00380A08 [unknown_code_page]
[1092]jusched.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->003803FC [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00390C0C [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00390E10 [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00390804 [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00390A08 [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003901F8 [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->003903FC [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00390600 [unknown_code_page]
[1192]vVX3000.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00391014 [unknown_code_page]
[1192]vVX3000.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1192]vVX3000.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1192]vVX3000.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001601F8 [unknown_code_page]
[1192]vVX3000.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001603FC [unknown_code_page]
[1192]vVX3000.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00380600 [unknown_code_page]
[1192]vVX3000.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00380804 [unknown_code_page]
[1192]vVX3000.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->003801F8 [unknown_code_page]
[1192]vVX3000.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00380A08 [unknown_code_page]
[1192]vVX3000.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->003803FC [unknown_code_page]
[1200]AvastUI.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1200]AvastUI.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1216]iTunesHelper.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00380C0C [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00380E10 [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00380804 [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00380A08 [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003801F8 [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->003803FC [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00380600 [unknown_code_page]
[1216]iTunesHelper.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00381014 [unknown_code_page]
[1216]iTunesHelper.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1216]iTunesHelper.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1216]iTunesHelper.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001601F8 [unknown_code_page]
[1216]iTunesHelper.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001603FC [unknown_code_page]
[1216]iTunesHelper.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00390600 [unknown_code_page]
[1216]iTunesHelper.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00390804 [unknown_code_page]
[1216]iTunesHelper.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->003901F8 [unknown_code_page]
[1216]iTunesHelper.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00390A08 [unknown_code_page]
[1216]iTunesHelper.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->003903FC [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->002B0C0C [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->002B0E10 [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->002B0804 [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->002B0A08 [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->002B01F8 [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->002B03FC [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->002B0600 [unknown_code_page]
[1224]ctfmon.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->002B1014 [unknown_code_page]
[1224]ctfmon.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1224]ctfmon.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1224]ctfmon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->000A01F8 [unknown_code_page]
[1224]ctfmon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->000A03FC [unknown_code_page]
[1224]ctfmon.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->002C0600 [unknown_code_page]
[1224]ctfmon.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->002C0804 [unknown_code_page]
[1224]ctfmon.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->002C01F8 [unknown_code_page]
[1224]ctfmon.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->002C0A08 [unknown_code_page]
[1224]ctfmon.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->002C03FC [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00380C0C [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00380E10 [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00380804 [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00380A08 [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003801F8 [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->003803FC [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00380600 [unknown_code_page]
[1232]NMBgMonitor.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00381014 [unknown_code_page]
[1232]NMBgMonitor.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1232]NMBgMonitor.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[1232]NMBgMonitor.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[1232]NMBgMonitor.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001503FC [unknown_code_page]
[1232]NMBgMonitor.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00370600 [unknown_code_page]
[1232]NMBgMonitor.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00370804 [unknown_code_page]
[1232]NMBgMonitor.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->003701F8 [unknown_code_page]
[1232]NMBgMonitor.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00370A08 [unknown_code_page]
[1232]NMBgMonitor.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->003703FC [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->00700C0C [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->00700E10 [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->00700804 [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->00700A08 [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->007001F8 [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->007003FC [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->00700600 [unknown_code_page]
[2976]plugin-container.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->00701014 [unknown_code_page]
[2976]plugin-container.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[2976]plugin-container.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[2976]plugin-container.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001601F8 [unknown_code_page]
[2976]plugin-container.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001603FC [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->GetWindowInfo, Type: Inline - RelativeJump 0x7E41E77C-->1045E363 [xul.dll]
[2976]plugin-container.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->00710600 [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00710804 [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->007101F8 [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E4650EE-->1045E91C [xul.dll]
[2976]plugin-container.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00710A08 [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->007103FC [unknown_code_page]
[3856]jucheck.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[3856]jucheck.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[3992]firefox.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->02F60C0C [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->02F60E10 [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->02F60804 [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->02F60A08 [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->02F601F8 [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->02F603FC [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->02F60600 [unknown_code_page]
[3992]firefox.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->02F61014 [unknown_code_page]
[3992]firefox.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[3992]firefox.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[3992]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001601F8 [unknown_code_page]
[3992]firefox.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->001603FC [unknown_code_page]
[3992]firefox.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->002C0600 [unknown_code_page]
[3992]firefox.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->002C0804 [unknown_code_page]
[3992]firefox.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->002C01F8 [unknown_code_page]
[3992]firefox.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->002C0A08 [unknown_code_page]
[3992]firefox.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->002C03FC [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E36FA9-->002B0C0C [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37031-->002B0E10 [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36D11-->002B0804 [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E36EA9-->002B0A08 [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->002B01F8 [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E37251-->002B03FC [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E37359-->002B0600 [unknown_code_page]
[676]explorer.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36C29-->002B1014 [unknown_code_page]
[676]explorer.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[676]explorer.exe-->ntdll.dll+0x00016AC2, Type: Code Mismatch 0x7C916AC2 + 92866 [62]
[676]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->000901F8 [unknown_code_page]
[676]explorer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C916C83-->000903FC [unknown_code_page]
[676]explorer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E4311D1-->002C0600 [unknown_code_page]
[676]explorer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->002C0804 [unknown_code_page]
[676]explorer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317B7-->002C01F8 [unknown_code_page]
[676]explorer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->002C0A08 [unknown_code_page]
[676]explorer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E43186C-->002C03FC [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
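A small triage helper for the RKUnhooker hook list above, added here as example code (it is not part of the original post or of Rootkit Unhooker): it parses each `>Hooks` line, tallies where the RelativeJump hooks land, and separates hooks applied identically to every process from hooks seen in only one process. The sample input is a constructed subset of lines copied from the log above; field names are my assumption, and the bracketed tail of the `Code Mismatch` lines is kept as raw text because the page does not say what it means.

```python
"""Triage helper for Rootkit Unhooker '>Hooks' output (added example).

Kernel hook:   ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805820F6-->F5D9C7A6 [aswSP.SYS]
User hook:     [1076]VTTimer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
Code mismatch: [1076]VTTimer.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: "
    r"(?P<kind>Inline - RelativeJump|Code Mismatch) "
    r"0x(?P<src>[0-9A-Fa-f]+)(?:-->(?P<dst>[0-9A-Fa-f]+)| \+ (?P<span>\d+)) "
    r"\[(?P<tail>[^\]]+)\]$"
)


@dataclass(frozen=True)
class Hook:
    pid: Optional[int]   # None for kernel (ntoskrnl) entries
    process: str         # "kernel" for ntoskrnl entries, else the image name
    module: str          # module whose code is patched, e.g. ntdll.dll
    symbol: str          # exported name, or "+0x..." when only an offset is given
    kind: str            # "Inline - RelativeJump" or "Code Mismatch"
    src: int             # address of the patched code
    dst: Optional[int]   # jump destination; None for Code Mismatch lines
    tail: str            # bracketed tail: the module the jump lands in (assumed)


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one hook line; return None for lines that are not hook entries."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("chain").split("-->")
    if m.group("pid") is None:
        pid, process = None, "kernel"
    else:
        pid, process = int(m.group("pid")), parts.pop(0)
    # What remains is either "module-->symbol" or "module+0xOFFSET".
    if len(parts) == 2:
        module, symbol = parts
    else:
        module, _, offset = parts[0].partition("+")
        symbol = "+" + offset
    dst = m.group("dst")
    return Hook(pid, process, module, symbol, m.group("kind"),
                int(m.group("src"), 16), int(dst, 16) if dst else None,
                m.group("tail"))


def parse_hooks(text: str) -> list:
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def jump_targets(hooks) -> Counter:
    """Count RelativeJump hooks by landing module, kernel and user mode kept apart."""
    counts = Counter()
    for h in hooks:
        if h.kind == "Inline - RelativeJump":
            counts[("kernel" if h.pid is None else "user", h.tail)] += 1
    return counts


def hook_spread(hooks) -> dict:
    """Map (module, symbol, landing module) -> set of user-mode processes hooked that way."""
    spread = defaultdict(set)
    for h in hooks:
        if h.pid is not None and h.kind == "Inline - RelativeJump":
            spread[(h.module, h.symbol, h.tail)].add(h.process)
    return dict(spread)


def triage(text: str) -> dict:
    """Summarise a hook list: a hook present in every hooked process is applied
    uniformly (what a system-wide hooking component does), while a hook seen in a
    single process should be checked against that process's own modules.
    Processes that only show Code Mismatch entries are not counted as hooked."""
    hooks = parse_hooks(text)
    spread = hook_spread(hooks)
    hooked_procs = set().union(*spread.values()) if spread else set()
    return {
        "parsed": len(hooks),
        "targets": jump_targets(hooks),
        "everywhere": sorted(k for k, p in spread.items() if p == hooked_procs),
        "singletons": sorted(k for k, p in spread.items() if len(p) == 1),
    }


# Constructed sample: a subset of lines copied from the RKUnhooker log above.
SAMPLE = """\
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805820F6-->F5D9C7A6 [aswSP.SYS]
ntoskrnl.exe-->ObInsertObject, Type: Inline - RelativeJump 0x80564423-->F5D9B15C [aswSP.SYS]
[1076]VTTimer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003801F8 [unknown_code_page]
[1076]VTTimer.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[1076]VTTimer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[1092]jusched.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->003701F8 [unknown_code_page]
[1092]jusched.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[1200]AvastUI.exe-->kernel32.dll+0x00067E3C, Type: Code Mismatch 0x7C867E3C + 425532 [62]
[2976]plugin-container.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E370B9-->007001F8 [unknown_code_page]
[2976]plugin-container.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->001501F8 [unknown_code_page]
[2976]plugin-container.exe-->user32.dll-->GetWindowInfo, Type: Inline - RelativeJump 0x7E41E77C-->1045E363 [xul.dll]
[2976]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E4650EE-->1045E91C [xul.dll]
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("parsed", "targets", "everywhere", "singletons"):
        print(f"{key}: {result[key]}")
```

On the full log the same split shows the kernel hooks landing in aswSP.SYS (the avast self-protection driver that ComboFix later lists as aswSP.sys) and the user32 hooks in plugin-container.exe landing in Firefox's own xul.dll, while the advapi32/ntdll/user32 hooks into unknown_code_page repeat across every process.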


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 14 December 2011 - 08:36 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Silas18

Silas18
  • Topic Starter

  • Members
  • 57 posts
  • Local time:06:30 AM

Posted 18 December 2011 - 03:48 AM

From the Combo Fix logs:

-------------------
ComboFix 11-12-17.05 - Ryan 12/17/2011 23:52:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.4 [GMT -8:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ayette\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\Ryan\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\Ryan\WINDOWS
c:\progra~1\COMMON~1\{B4FBA~1
c:\progra~1\COMMON~1\{B4FBA~2
c:\program files\Common Files\mbols~1
c:\windows\AutoRun.ini
c:\windows\EventSystem.log
c:\windows\iun6002.exe
c:\windows\system32\FFECE7AA.exe
c:\windows\system32\wnsxs~1
c:\windows\system32\wtstr.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FFECE7AA
-------\Service_FFECE7AA
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-16 03:41 . 2011-12-16 03:41 -------- d-----w- c:\documents and settings\Ryan\Application Data\Rovio
2011-12-16 03:37 . 2011-12-16 03:53 -------- d-----w- c:\documents and settings\Ryan\Application Data\U3
2011-12-11 00:01 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-11 00:01 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-08 02:33 . 2011-12-08 02:34 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlcC0.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2011-01-18 12:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2008-09-29 18:40 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-06-30 04:28 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2008-09-29 18:41 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2008-09-29 18:41 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2008-09-29 18:41 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2008-09-29 18:41 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2008-09-29 18:41 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2008-09-29 18:41 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2008-09-29 18:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-24 22:19 . 2011-05-18 22:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-13 20:28 . 2011-11-10 19:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-02 07:37 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-03-02 07:37 3911776 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uzuzbr"="c:\program files\Common Files\??mbols\r?gedit.exe" [?]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-26 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2005-09-26 155648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\Ryan\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-21 2355200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-2-26 25214]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/29/2011 8:28 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/29/2008 10:41 AM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2008 10:41 AM 20568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/29/2008 11:06 PM 24652]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2009-11-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-01 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\t6eungkr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-iqii - c:\progra~1\COMMON~1\iqii\iqiim.exe
HKCU-Run-RealPlayer - c:\program files\Real\RealPlayer\realplay.exe
HKCU-Run-Otpa - c:\windows\system32\WNSXS~1\iexplore.exe
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-= - (no file)
AddRemove-Color@Home_II_2.0 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 00:21
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-18 00:43:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-18 08:43
.
Pre-Run: 60,980,080,640 bytes free
Post-Run: 63,115,919,360 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C23B27F1BA3584BA0CBCD12E3A63BE1B

-------------------

The entire process took over 30 minutes. Am I infected?
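The ComboFix log above contains three items a responder would look at twice before calling the machine clean: the Windows Firewall standard profile switched off (`"EnableFirewall"= 0`), a BootExecute entry beyond the default `autocheck autochk *`, and an orphaned Run entry that launched a copy of `iexplore.exe` from a short-named folder under system32. The script below is an added example written for this thread, not ComboFix, TDSSKiller or BleepingComputer code: it parses a ComboFix-style dump into its registry sections and flags exactly those three patterns. `SAMPLE_LOG` is constructed to resemble the thread's log (the "Updater" entry and the `EXPECTED_HOME` folder table are assumptions, not values from the page).

```python
"""Triage a ComboFix-style log for autostart items worth a second look.

Added example for this thread, not ComboFix code. Checks: firewall profile
disabled, non-default BootExecute entries, and Run/orphan entries that launch
a well-known binary name from the wrong folder or from a temp/cache folder.
"""
import ntpath
import re

# Folder a well-known binary is expected in on an XP-era layout (assumption).
EXPECTED_HOME = {
    "iexplore.exe": "program files\\internet explorer",
    "explorer.exe": "windows",
    "svchost.exe": "windows\\system32",
}
# Folders that autostart entries should not normally launch from.
SUSPECT_DIRS = ("\\temp\\", "\\.cache\\", "\\local settings\\")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
ORPHAN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))-Run-(?P<name>.+?) - (?P<path>.+)$")

# Constructed sample modelled on the thread's log; "Updater" is invented.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\documents and settings\user\Local Settings\Temp\upd.exe" [2011-12-01 51200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Otpa - c:\windows\system32\WNSXS~1\iexplore.exe
HKCU-Run-RealPlayer - c:\program files\Real\RealPlayer\realplay.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
"""


def parse_sections(text):
    """Group the dump into {lower-cased header: [lines]}; '.' lines separate blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m or line.startswith("- - - - ORPHANS REMOVED"):
            current = m.group("key").lower() if m else "orphans"
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def launch_path(value):
    """Strip the quotes and the trailing ' [date size]' ComboFix appends to a value."""
    return re.sub(r"\s*\[[^\]]*\]$", "", value.strip()).strip('"').lower()


def suspicious_launch_path(path):
    """Return why a startup path looks out of place, or None if it looks normal."""
    base, folder = ntpath.basename(path), ntpath.dirname(path)
    home = EXPECTED_HOME.get(base)
    if home and not folder.endswith(home):
        return f"{base} launched from '{folder or 'bare name'}' instead of ...\\{home}"
    if "\\system32\\" in folder:  # a subfolder of system32, e.g. WNSXS~1
        return f"launches from a subfolder of system32 ({folder})"
    if any(d in folder + "\\" for d in SUSPECT_DIRS):
        return f"launches from a temp/cache folder ({folder})"
    return None


def triage(text):
    """Return [(severity, finding)] for the three checks described above."""
    findings = []
    for key, lines in parse_sections(text).items():
        if key.endswith("firewallpolicy\\standardprofile"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name").lower() == "enablefirewall" and m.group("value").lstrip().startswith("0"):
                    findings.append(("high", "Windows Firewall disabled for the standard profile"))
        elif key.endswith("control\\session manager"):
            for line in lines:
                if line.startswith("BootExecute"):
                    # Entries are separated by a literal "\0" in ComboFix output.
                    for entry in line.split("REG_MULTI_SZ", 1)[-1].split("\\0"):
                        if entry.strip() and entry.strip() != DEFAULT_BOOTEXECUTE:
                            findings.append(("high", f"non-default BootExecute entry: {entry.strip()}"))
        elif key.endswith("\\run") or key == "orphans":
            for line in lines:
                m = VALUE_RE.match(line) or ORPHAN_RE.match(line)
                if m:
                    raw = m.group("value") if "value" in m.groupdict() else m.group("path")
                    reason = suspicious_launch_path(launch_path(raw))
                    if reason:
                        findings.append(("medium", f"{m.group('name')}: {reason}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"[{severity}] {finding}")
```

The heuristics are deliberately narrow: a bare file name such as `cmicnfg.cpl` or a normal Program Files path produces no finding, so the output is a short list to check by hand rather than a verdict. Run it against a real ComboFix log by reading the file into `triage()` in place of `SAMPLE_LOG`.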

#4 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 18 December 2011 - 08:57 AM

Hi,

Most of the infection has been removed, but there are some leftovers, so stay with me till I give you the "all clean".

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic432499.html/page__pid__2514010#entry2514010

Collect::
c:\program files\Common Files\??mbols\r?gedit.exe

File::
c:\program files\Common Files\Windows Live\.cache\wlcC0.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uzuzbr"=-

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if malicious objects are found, ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Silas18

  • Topic Starter

  • Members
  • 57 posts

Posted 18 December 2011 - 04:41 PM

ComboFix logs:

ComboFix 11-12-17.05 - Ryan 12/18/2011 9:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.103 [GMT -8:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\program files\Common Files\Windows Live\.cache\wlcC0.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Windows Live\.cache\wlcC0.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-16 03:41 . 2011-12-16 03:41 -------- d-----w- c:\documents and settings\Ryan\Application Data\Rovio
2011-12-16 03:37 . 2011-12-16 03:53 -------- d-----w- c:\documents and settings\Ryan\Application Data\U3
2011-12-11 00:01 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-11 00:01 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2011-01-18 12:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2008-09-29 18:40 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-06-30 04:28 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2008-09-29 18:41 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2008-09-29 18:41 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2008-09-29 18:41 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2008-09-29 18:41 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:51 . 2008-09-29 18:41 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2008-09-29 18:41 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2008-09-29 18:41 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-24 22:19 . 2011-05-18 22:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-13 20:28 . 2011-11-10 19:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-02 07:37 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-03-02 07:37 3911776 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-02 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-26 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2005-09-26 155648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\Ryan\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-21 2355200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-2-26 25214]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/29/2011 8:28 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/29/2008 10:41 AM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2008 10:41 AM 20568]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2009-11-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-01 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\t6eungkr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
.
- - - - ORPHANS REMOVED - - - -
.
Notify-= - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 10:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(2564)
c:\program files\Common Files\Ahead\lib\NeroDigitalExt.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2011-12-18 10:20:36
ComboFix-quarantined-files.txt 2011-12-18 18:20
ComboFix2.txt 2011-12-18 08:43
.
Pre-Run: 63,001,587,712 bytes free
Post-Run: 62,996,971,520 bytes free
.
- - End Of File - - AFF0B1AA4AFFA5C231927F7E985A4CEB


TDSSKiller logs:

10:23:28.0609 0536 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
10:23:29.0171 0536 ============================================================
10:23:29.0171 0536 Current date / time: 2011/12/18 10:23:29.0171
10:23:29.0171 0536 SystemInfo:
10:23:29.0171 0536
10:23:29.0171 0536 OS Version: 5.1.2600 ServicePack: 2.0
10:23:29.0171 0536 Product type: Workstation
10:23:29.0171 0536 ComputerName: RYAN-5CE9271662
10:23:29.0171 0536 UserName: Ryan
10:23:29.0171 0536 Windows directory: C:\WINDOWS
10:23:29.0171 0536 System windows directory: C:\WINDOWS
10:23:29.0171 0536 Processor architecture: Intel x86
10:23:29.0171 0536 Number of processors: 1
10:23:29.0171 0536 Page size: 0x1000
10:23:29.0171 0536 Boot type: Normal boot
10:23:29.0171 0536 ============================================================
10:23:29.0171 0536 SetPrivileges failed!
10:23:30.0984 0536 Initialize success
10:23:42.0406 3068 ============================================================
10:23:42.0406 3068 Scan started
10:23:42.0406 3068 Mode: Manual;
10:23:42.0406 3068 ============================================================
10:23:43.0171 3068 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
10:23:43.0187 3068 Aavmker4 - ok
10:23:43.0203 3068 Abiosdsk - ok
10:23:43.0234 3068 abp480n5 - ok
10:23:43.0296 3068 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:23:43.0312 3068 ACPI - ok
10:23:43.0375 3068 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:23:43.0375 3068 ACPIEC - ok
10:23:43.0421 3068 adpu160m - ok
10:23:43.0484 3068 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
10:23:43.0500 3068 aec - ok
10:23:43.0562 3068 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
10:23:43.0562 3068 AFD - ok
10:23:43.0593 3068 Aha154x - ok
10:23:43.0625 3068 aic78u2 - ok
10:23:43.0656 3068 aic78xx - ok
10:23:43.0703 3068 AliIde - ok
10:23:43.0734 3068 amsint - ok
10:23:43.0875 3068 AR5416 (08e6891421d44ac3e044bd8790b3c46d) C:\WINDOWS\system32\DRIVERS\athw.sys
10:23:43.0906 3068 AR5416 - ok
10:23:43.0953 3068 asc - ok
10:23:43.0968 3068 asc3350p - ok
10:23:44.0000 3068 asc3550 - ok
10:23:44.0093 3068 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
10:23:44.0093 3068 aswFsBlk - ok
10:23:44.0156 3068 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
10:23:44.0187 3068 aswMon2 - ok
10:23:44.0281 3068 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
10:23:44.0281 3068 aswRdr - ok
10:23:44.0406 3068 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
10:23:44.0437 3068 aswSnx - ok
10:23:44.0484 3068 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
10:23:44.0500 3068 aswSP - ok
10:23:44.0562 3068 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
10:23:44.0562 3068 aswTdi - ok
10:23:44.0625 3068 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:23:44.0625 3068 AsyncMac - ok
10:23:44.0703 3068 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:23:44.0703 3068 atapi - ok
10:23:44.0734 3068 Atdisk - ok
10:23:44.0765 3068 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:23:44.0781 3068 Atmarpc - ok
10:23:44.0812 3068 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:23:44.0812 3068 audstub - ok
10:23:44.0875 3068 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:23:44.0890 3068 Beep - ok
10:23:44.0921 3068 Ca533av - ok
10:23:45.0015 3068 catchme - ok
10:23:45.0046 3068 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:23:45.0046 3068 cbidf2k - ok
10:23:45.0109 3068 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:23:45.0109 3068 CCDECODE - ok
10:23:45.0140 3068 cd20xrnt - ok
10:23:45.0187 3068 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:23:45.0187 3068 Cdaudio - ok
10:23:45.0218 3068 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
10:23:45.0218 3068 Cdfs - ok
10:23:45.0250 3068 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:23:45.0250 3068 Cdrom - ok
10:23:45.0281 3068 Changer - ok
10:23:45.0328 3068 CmdIde - ok
10:23:45.0437 3068 cmuda (e5adeef2c0db43964223f408f1fcc97e) C:\WINDOWS\system32\drivers\cmuda.sys
10:23:45.0484 3068 cmuda - ok
10:23:45.0562 3068 Cpqarray - ok
10:23:45.0609 3068 dac2w2k - ok
10:23:45.0625 3068 dac960nt - ok
10:23:45.0687 3068 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
10:23:45.0703 3068 Disk - ok
10:23:45.0765 3068 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
10:23:45.0781 3068 dmboot - ok
10:23:45.0843 3068 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
10:23:45.0843 3068 dmio - ok
10:23:45.0890 3068 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:23:45.0890 3068 dmload - ok
10:23:45.0937 3068 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
10:23:45.0953 3068 DMusic - ok
10:23:45.0984 3068 dpti2o - ok
10:23:46.0031 3068 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
10:23:46.0031 3068 drmkaud - ok
10:23:46.0062 3068 dump_wmimmc - ok
10:23:46.0125 3068 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
10:23:46.0140 3068 Fastfat - ok
10:23:46.0171 3068 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:23:46.0187 3068 Fdc - ok
10:23:46.0234 3068 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
10:23:46.0234 3068 FETNDIS - ok
10:23:46.0281 3068 FETNDISB (b7186b33b6cf3a23841015531e6e7d68) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
10:23:46.0281 3068 FETNDISB - ok
10:23:46.0328 3068 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
10:23:46.0328 3068 Fips - ok
10:23:46.0359 3068 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:23:46.0359 3068 Flpydisk - ok
10:23:46.0421 3068 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
10:23:46.0421 3068 FltMgr - ok
10:23:46.0500 3068 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:23:46.0515 3068 Fs_Rec - ok
10:23:46.0578 3068 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:23:46.0578 3068 Ftdisk - ok
10:23:46.0656 3068 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:23:46.0656 3068 GEARAspiWDM - ok
10:23:46.0734 3068 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:23:46.0734 3068 Gpc - ok
10:23:46.0812 3068 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:23:46.0812 3068 HidUsb - ok
10:23:46.0843 3068 hpn - ok
10:23:46.0906 3068 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:23:46.0906 3068 HPZid412 - ok
10:23:46.0937 3068 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:23:46.0937 3068 HPZipr12 - ok
10:23:47.0000 3068 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:23:47.0000 3068 HPZius12 - ok
10:23:47.0062 3068 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
10:23:47.0078 3068 HTTP - ok
10:23:47.0109 3068 i2omgmt - ok
10:23:47.0140 3068 i2omp - ok
10:23:47.0187 3068 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:23:47.0187 3068 i8042prt - ok
10:23:47.0250 3068 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:23:47.0250 3068 Imapi - ok
10:23:47.0281 3068 InCDFs - ok
10:23:47.0312 3068 InCDPass - ok
10:23:47.0343 3068 InCDRm - ok
10:23:47.0375 3068 ini910u - ok
10:23:47.0406 3068 IntelIde - ok
10:23:47.0437 3068 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:23:47.0453 3068 intelppm - ok
10:23:47.0484 3068 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
10:23:47.0500 3068 Ip6Fw - ok
10:23:47.0546 3068 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:23:47.0546 3068 IpFilterDriver - ok
10:23:47.0593 3068 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:23:47.0593 3068 IpInIp - ok
10:23:47.0656 3068 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:23:47.0671 3068 IpNat - ok
10:23:47.0718 3068 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:23:47.0718 3068 IPSec - ok
10:23:47.0781 3068 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
10:23:47.0781 3068 irda - ok
10:23:47.0828 3068 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:23:47.0843 3068 IRENUM - ok
10:23:47.0875 3068 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
10:23:47.0875 3068 irsir - ok
10:23:47.0953 3068 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:23:47.0953 3068 isapnp - ok
10:23:48.0015 3068 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:23:48.0015 3068 Kbdclass - ok
10:23:48.0062 3068 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:23:48.0062 3068 kbdhid - ok
10:23:48.0125 3068 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
10:23:48.0140 3068 kmixer - ok
10:23:48.0203 3068 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
10:23:48.0203 3068 KSecDD - ok
10:23:48.0250 3068 lbrtfdc - ok
10:23:48.0343 3068 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:23:48.0343 3068 mnmdd - ok
10:23:48.0406 3068 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
10:23:48.0406 3068 Modem - ok
10:23:48.0437 3068 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:23:48.0437 3068 Mouclass - ok
10:23:48.0500 3068 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:23:48.0515 3068 mouhid - ok
10:23:48.0546 3068 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
10:23:48.0546 3068 MountMgr - ok
10:23:48.0562 3068 mraid35x - ok
10:23:48.0609 3068 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:23:48.0609 3068 MRxDAV - ok
10:23:48.0687 3068 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:23:48.0703 3068 MRxSmb - ok
10:23:48.0781 3068 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
10:23:48.0781 3068 Msfs - ok
10:23:48.0875 3068 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:23:48.0890 3068 MSKSSRV - ok
10:23:48.0953 3068 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:23:48.0953 3068 MSPCLOCK - ok
10:23:48.0968 3068 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
10:23:48.0984 3068 MSPQM - ok
10:23:49.0000 3068 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:23:49.0015 3068 mssmbios - ok
10:23:49.0062 3068 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
10:23:49.0062 3068 MSTEE - ok
10:23:49.0125 3068 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
10:23:49.0125 3068 Mup - ok
10:23:49.0187 3068 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:23:49.0187 3068 NABTSFEC - ok
10:23:49.0234 3068 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
10:23:49.0250 3068 NDIS - ok
10:23:49.0296 3068 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:23:49.0296 3068 NdisIP - ok
10:23:49.0328 3068 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:23:49.0328 3068 NdisTapi - ok
10:23:49.0375 3068 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:23:49.0375 3068 Ndisuio - ok
10:23:49.0421 3068 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:23:49.0421 3068 NdisWan - ok
10:23:49.0468 3068 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
10:23:49.0468 3068 NDProxy - ok
10:23:49.0531 3068 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:23:49.0531 3068 NetBIOS - ok
10:23:49.0578 3068 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:23:49.0578 3068 NetBT - ok
10:23:49.0671 3068 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
10:23:49.0687 3068 Npfs - ok
10:23:49.0703 3068 NSNDIS5 - ok
10:23:49.0781 3068 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
10:23:49.0812 3068 Ntfs - ok
10:23:49.0890 3068 NTSIM (a568b9a9ffe2d9387222a5c90f86d731) C:\WINDOWS\system32\ntsim.sys
10:23:49.0906 3068 NTSIM - ok
10:23:49.0953 3068 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:23:49.0953 3068 Null - ok
10:23:50.0015 3068 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:23:50.0015 3068 NwlnkFlt - ok
10:23:50.0046 3068 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:23:50.0046 3068 NwlnkFwd - ok
10:23:50.0109 3068 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys
10:23:50.0109 3068 PalmUSBD - ok
10:23:50.0156 3068 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
10:23:50.0156 3068 Parport - ok
10:23:50.0187 3068 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
10:23:50.0187 3068 PartMgr - ok
10:23:50.0234 3068 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:23:50.0234 3068 ParVdm - ok
10:23:50.0296 3068 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
10:23:50.0296 3068 PCI - ok
10:23:50.0312 3068 PCIDump - ok
10:23:50.0375 3068 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:23:50.0375 3068 PCIIde - ok
10:23:50.0406 3068 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:23:50.0421 3068 Pcmcia - ok
10:23:50.0453 3068 PDCOMP - ok
10:23:50.0468 3068 PDFRAME - ok
10:23:50.0500 3068 PDRELI - ok
10:23:50.0531 3068 PDRFRAME - ok
10:23:50.0562 3068 perc2 - ok
10:23:50.0578 3068 perc2hib - ok
10:23:50.0671 3068 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
10:23:50.0671 3068 PfModNT - ok
10:23:50.0734 3068 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:23:50.0750 3068 PptpMiniport - ok
10:23:50.0781 3068 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
10:23:50.0796 3068 PSched - ok
10:23:50.0828 3068 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:23:50.0828 3068 Ptilink - ok
10:23:50.0843 3068 ql1080 - ok
10:23:50.0875 3068 Ql10wnt - ok
10:23:50.0906 3068 ql12160 - ok
10:23:50.0953 3068 ql1240 - ok
10:23:50.0984 3068 ql1280 - ok
10:23:51.0046 3068 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:23:51.0062 3068 RasAcd - ok
10:23:51.0140 3068 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
10:23:51.0140 3068 Rasirda - ok
10:23:51.0171 3068 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:23:51.0171 3068 Rasl2tp - ok
10:23:51.0203 3068 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:23:51.0203 3068 RasPppoe - ok
10:23:51.0218 3068 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:23:51.0234 3068 Raspti - ok
10:23:51.0281 3068 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:23:51.0296 3068 Rdbss - ok
10:23:51.0328 3068 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:23:51.0328 3068 RDPCDD - ok
10:23:51.0375 3068 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:23:51.0390 3068 rdpdr - ok
10:23:51.0453 3068 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
10:23:51.0468 3068 RDPWD - ok
10:23:51.0515 3068 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:23:51.0515 3068 redbook - ok
10:23:51.0625 3068 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys
10:23:51.0640 3068 RT73 - ok
10:23:51.0734 3068 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
10:23:51.0734 3068 SCDEmu - ok
10:23:51.0812 3068 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:23:51.0812 3068 Secdrv - ok
10:23:51.0875 3068 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:23:51.0890 3068 serenum - ok
10:23:51.0937 3068 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
10:23:51.0937 3068 Serial - ok
10:23:52.0015 3068 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:23:52.0015 3068 Sfloppy - ok
10:23:52.0062 3068 Simbad - ok
10:23:52.0125 3068 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:23:52.0125 3068 SLIP - ok
10:23:52.0156 3068 Sparrow - ok
10:23:52.0218 3068 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
10:23:52.0218 3068 splitter - ok
10:23:52.0296 3068 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
10:23:52.0296 3068 sr - ok
10:23:52.0375 3068 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
10:23:52.0390 3068 Srv - ok
10:23:52.0484 3068 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:23:52.0484 3068 streamip - ok
10:23:52.0531 3068 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:23:52.0531 3068 swenum - ok
10:23:52.0593 3068 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
10:23:52.0593 3068 swmidi - ok
10:23:52.0625 3068 symc810 - ok
10:23:52.0656 3068 symc8xx - ok
10:23:52.0687 3068 sym_hi - ok
10:23:52.0718 3068 sym_u3 - ok
10:23:52.0750 3068 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
10:23:52.0750 3068 sysaudio - ok
10:23:52.0843 3068 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:23:52.0843 3068 Tcpip - ok
10:23:52.0906 3068 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:23:52.0921 3068 TDPIPE - ok
10:23:52.0937 3068 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
10:23:52.0953 3068 TDTCP - ok
10:23:53.0015 3068 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:23:53.0015 3068 TermDD - ok
10:23:53.0062 3068 TosIde - ok
10:23:53.0156 3068 uagp35 (49c805d42d75eddc9b6a7130999c9054) C:\WINDOWS\system32\DRIVERS\uagp35.sys
10:23:53.0156 3068 uagp35 - ok
10:23:53.0218 3068 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
10:23:53.0234 3068 Udfs - ok
10:23:53.0265 3068 ultra - ok
10:23:53.0359 3068 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
10:23:53.0359 3068 Update - ok
10:23:53.0453 3068 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:23:53.0453 3068 USBAAPL - ok
10:23:53.0515 3068 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
10:23:53.0515 3068 usbaudio - ok
10:23:53.0578 3068 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:23:53.0578 3068 usbccgp - ok
10:23:53.0640 3068 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:23:53.0640 3068 usbehci - ok
10:23:53.0671 3068 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:23:53.0687 3068 usbhub - ok
10:23:53.0734 3068 USBIO (f90d8f845095fcd6924e3d751c04e442) C:\WINDOWS\system32\Drivers\usbio.sys
10:23:53.0734 3068 USBIO - ok
10:23:53.0796 3068 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:23:53.0812 3068 usbprint - ok
10:23:53.0875 3068 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:23:53.0875 3068 usbscan - ok
10:23:53.0937 3068 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:23:53.0937 3068 USBSTOR - ok
10:23:53.0968 3068 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:23:53.0968 3068 usbuhci - ok
10:23:54.0031 3068 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
10:23:54.0031 3068 VgaSave - ok
10:23:54.0093 3068 viagfx (a4bdcd1d4f9f6b82cbc86133192845ee) C:\WINDOWS\system32\DRIVERS\vtmini.sys
10:23:54.0109 3068 viagfx - ok
10:23:54.0156 3068 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:23:54.0156 3068 ViaIde - ok
10:23:54.0171 3068 viamraid - ok
10:23:54.0250 3068 VMnetAdapter (fdfd74ab4d0f27b5d062c2a39cbb6d54) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys
10:23:54.0250 3068 VMnetAdapter - ok
10:23:54.0296 3068 VMnetuserif (d2fe0d6e1b5c62afee860b41ae14b714) C:\WINDOWS\system32\drivers\vmnetuserif.sys
10:23:54.0312 3068 VMnetuserif - ok
10:23:54.0343 3068 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
10:23:54.0359 3068 VolSnap - ok
10:23:54.0375 3068 vsdatant - ok
10:23:54.0453 3068 vstor2 - ok
10:23:54.0562 3068 VX3000 (88322300247273203665c3ffa892e425) C:\WINDOWS\system32\DRIVERS\VX3000.sys
10:23:54.0640 3068 VX3000 - ok
10:23:54.0687 3068 w300bus (d4baa1ac8dcea1382e81aa6fe48cdd7c) C:\WINDOWS\system32\DRIVERS\w300bus.sys
10:23:54.0703 3068 w300bus - ok
10:23:54.0765 3068 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:23:54.0781 3068 Wanarp - ok
10:23:54.0828 3068 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
10:23:54.0843 3068 WDC_SAM - ok
10:23:54.0859 3068 WDICA - ok
10:23:54.0921 3068 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
10:23:54.0937 3068 wdmaud - ok
10:23:55.0093 3068 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
10:23:55.0093 3068 WpdUsb - ok
10:23:55.0140 3068 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:23:55.0140 3068 WS2IFSL - ok
10:23:55.0203 3068 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:23:55.0203 3068 WSTCODEC - ok
10:23:55.0296 3068 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:23:55.0812 3068 \Device\Harddisk0\DR0 - ok
10:23:55.0828 3068 Boot (0x1200) (cb0ddefc9cc8ee82420614f90dedd59e) \Device\Harddisk0\DR0\Partition0
10:23:55.0828 3068 \Device\Harddisk0\DR0\Partition0 - ok
10:23:55.0843 3068 ============================================================
10:23:55.0843 3068 Scan finished
10:23:55.0843 3068 ============================================================
10:23:55.0859 2708 Detected object count: 0
10:23:55.0859 2708 Actual detected object count: 0


MalwareBytes logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8393

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/18/2011 10:48:45 AM
mbam-log-2011-12-18 (10-48-45).txt

Scan type: Quick scan
Objects scanned: 261382
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The ESET scan gave me "NO THREATS FOUND", so I didn't see any option to click "list of threats found" even though it took roughly 2 and a half hours to scan.
If possible, would you be able to describe the nature of the infections prior to the initial combofix logs?

#6 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 18 December 2011 - 04:57 PM

There was a malware driver and file on your system, unnamed infection, as well as some minor adware. Malware is often unidentified specifically, just a general infestation; the different AV companies often have different names for the same thing as well. If you want to post the content of qoobox we could upload one of the files out of curiosity.


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.


NEXT



Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 29
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Silas18

  • Topic Starter
  • Members
  • 57 posts

Posted 18 December 2011 - 05:17 PM

Combofix-quarantined files:

2011-12-18 17:57:41 . 2011-12-18 17:57:41 88 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-12-18 08:41:25 . 2011-12-18 08:41:25 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Color@Home_II_2.0.reg.dat
2011-12-18 08:39:13 . 2011-12-18 08:39:14 125 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Cmaudio.reg.dat
2011-12-18 08:38:53 . 2011-12-18 08:38:53 153 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Yahoo! Pager.reg.dat
2011-12-18 08:38:52 . 2011-12-18 08:38:53 147 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Otpa.reg.dat
2011-12-18 08:38:52 . 2011-12-18 08:38:52 174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-RealPlayer.reg.dat
2011-12-18 08:38:52 . 2011-12-18 08:38:52 129 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-iqii.reg.dat
2011-12-18 08:11:43 . 2011-12-18 08:11:43 2,452 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_FFECE7AA.reg.dat
2011-12-18 08:11:43 . 2011-12-18 08:11:43 806 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_FFECE7AA.reg.dat
2011-12-18 08:06:13 . 2011-12-18 18:08:25 7,340 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-12-18 07:43:37 . 2011-12-18 17:50:47 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-12-15 00:55:47 . 2011-12-15 00:55:47 7,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\FFECE7AA.exe.vir
2011-12-08 02:33:40 . 2011-12-08 02:34:03 83,249,512 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Windows Live\.cache\wlcC0.tmp.vir
2006-08-29 03:31:56 . 2006-08-30 08:46:12 2 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wtstr.exe.vir
2006-08-26 23:21:19 . 2006-08-26 23:21:19 578 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir
2006-08-13 07:54:55 . 2006-08-29 03:32:25 12,168 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Ssk.log.vir
2006-05-06 23:26:54 . 2006-08-30 03:24:13 57,604 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Ayette\Local Settings\Temporary Internet Files\Ssk.log.vir
2006-04-11 02:25:56 . 2006-04-11 02:25:20 724,992 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\iun6002.exe.vir
2006-02-26 23:00:22 . 2006-08-30 07:44:18 32 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\AutoRun.ini.vir


From the link you provided, I do not see a "Java SE 6 Update 29" ... I only see a "Java SE 6 Update 30". I do see other things with a 29... can you clarify if you want me to get Update 30 instead?

#8 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 18 December 2011 - 05:35 PM

Hi,

Yes, it must have updated to 30 just recently, thanks, I'll amend my instructions.


Please upload the following files (note: sometimes the AV scanners do not find an infection; that doesn't mean the file is clean, it just means they do not presently have the file in the virus definitions. I am certain these files are bad).


Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file C:\Qoobox\Quarantine\C\WINDOWS\system32\FFECE7AA.exe.vir
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.



Do the same for this file:

C:\Qoobox\Quarantine\C\WINDOWS\system32\wtstr.exe.vir

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
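As an added triage helper for the request above (my own code, not ComboFix's and not something the thread's helper posted), the following parses a ComboFix-quarantined-files.txt listing, maps each `.vir` entry back to its original path, picks out quarantined executables that lived in WINDOWS\system32 (a heuristic I am assuming here; on the listing quoted in this thread it yields exactly the two files requested) and hashes a file in chunks so it can be looked up by SHA-256 before or instead of uploading it. The line format is inferred from the lines quoted in the thread, and the sample data is copied from those lines.

```python
"""Triage helper for a ComboFix quarantine listing (ComboFix-quarantined-files.txt).

Added example for this thread; not ComboFix's own code. The listing format is
inferred from the lines quoted in the thread: two timestamps separated by " . ",
a byte count with thousands separators, an attribute field and the quarantine path.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Sample lines copied from the thread's ComboFix-quarantined-files.txt post.
SAMPLE_LISTING = r"""2011-12-18 17:57:41 . 2011-12-18 17:57:41 88 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-12-18 08:11:43 . 2011-12-18 08:11:43 2,452 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_FFECE7AA.reg.dat
2011-12-15 00:55:47 . 2011-12-15 00:55:47 7,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\FFECE7AA.exe.vir
2011-12-08 02:33:40 . 2011-12-08 02:34:03 83,249,512 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Windows Live\.cache\wlcC0.tmp.vir
2006-08-29 03:31:56 . 2006-08-30 08:46:12 2 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wtstr.exe.vir
2006-04-11 02:25:56 . 2006-04-11 02:25:20 724,992 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\iun6002.exe.vir
"""

_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
LINE_RE = re.compile(rf"^({_TS}) \. ({_TS}) ([\d,]+) (\S+) (.+)$")

# ComboFix mirrors the original drive tree under this root, e.g. Quarantine\C\WINDOWS\...
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine" + "\\"
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}


@dataclass(frozen=True)
class QuarantineEntry:
    time_a: str   # first timestamp as printed (ComboFix does not label the two)
    time_b: str   # second timestamp as printed
    size: int     # bytes, thousands separators removed
    attrs: str    # attribute flags as printed, e.g. "----a-w-"
    path: str     # location inside C:\Qoobox\Quarantine


def parse_listing(text: str) -> List[QuarantineEntry]:
    """Parse every non-empty line; an unrecognised line is an error, not silently skipped."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised quarantine line: {line!r}")
        t_a, t_b, size, attrs, path = m.groups()
        entries.append(QuarantineEntry(t_a, t_b, int(size.replace(",", "")), attrs, path))
    return entries


def original_path(entry: QuarantineEntry) -> Optional[str]:
    r"""Map a quarantined *.vir file back to where it lived before ComboFix moved it.
    Registry backups and ComboFix's own logs have no original location and yield None."""
    p = entry.path
    if not p.lower().startswith(QUARANTINE_ROOT.lower()) or not p.lower().endswith(".vir"):
        return None
    rel = p[len(QUARANTINE_ROOT):-len(".vir")]        # e.g. C\WINDOWS\system32\FFECE7AA.exe
    drive, sep, rest = rel.partition("\\")
    if len(drive) != 1 or not sep:
        return None
    return f"{drive}:\\{rest}"


def select_for_submission(entries: List[QuarantineEntry]) -> List[str]:
    r"""Heuristic (mine, not ComboFix's): quarantined executables that lived under
    WINDOWS\system32 are the first candidates to hash and look up."""
    picked = []
    for e in entries:
        orig = original_path(e)
        if orig is None:
            continue
        win = PureWindowsPath(orig)
        parts = [s.lower() for s in win.parts]
        if win.suffix.lower() in EXECUTABLE_EXTS and "windows" in parts and "system32" in parts:
            picked.append(orig)
    return picked


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a quarantined file in chunks (the listing above has an 83 MB entry)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for orig in select_for_submission(parse_listing(SAMPLE_LISTING)):
        print("candidate for hash lookup / submission:", orig)
```

Point `sha256_file` at the `.vir` file itself (the quarantined copy, not the original path) to get the digest to search for on VirusTotal before uploading.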


#9 Silas18

  • Topic Starter
  • Members
  • 57 posts

Posted 18 December 2011 - 06:18 PM

Now that you have confirmed I should have downloaded "Java SE 6 Update 30", that has been done and the instructions followed from your earlier message in the thread. You also requested posting a fresh DDS log, which I didn't follow through with since I was uncertain about installing Java SE 6 Update 30.

Fresh DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_30
Run by Ryan at 15:00:02 on 2011-12-18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.96 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\ryan\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2DEF9C9C-E423-4015-A73D-136C545B37D0} : DhcpNameServer = 192.168.0.1
Notify: WRNotifier - WRLogonNTF.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\t6eungkr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-29 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-9-29 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-29 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-18 44768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-29 24652]
S2 Ca533av;Polaroid Digital Cam Video;c:\windows\system32\drivers\ca533av.sys --> c:\windows\system32\drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-18 22:51:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-18 22:51:34 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-12-18 22:51:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-18 18:54:46 -------- d-----w- c:\program files\ESET
2011-12-18 07:48:59 -------- d-sha-r- C:\cmdcons
2011-12-18 07:43:49 98816 ----a-w- c:\windows\sed.exe
2011-12-18 07:43:49 518144 ----a-w- c:\windows\SWREG.exe
2011-12-18 07:43:49 256000 ----a-w- c:\windows\PEV.exe
2011-12-18 07:43:49 208896 ----a-w- c:\windows\MBR.exe
2011-12-16 03:41:08 -------- d-----w- c:\documents and settings\ryan\application data\Rovio
2011-12-11 00:01:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-12-11 00:01:30 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-24 22:19:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 15:04:01.75 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2006 2:34:28 PM
System Uptime: 12/18/2011 2:48:16 PM (1 hours ago)
.
Motherboard: | | P4VM800
Processor: Intel® Celeron® CPU 2.66GHz | CPUSocket | 2666/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 58.318 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link DWA-552 XtremeN Desktop Adapter
Device ID: PCI\VEN_168C&DEV_0029&SUBSYS_3A7A1186&REV_01\3&267A616A&0&48
Manufacturer: D-Link Corporation
Name: D-Link DWA-552 XtremeN Desktop Adapter
PNP Device ID: PCI\VEN_168C&DEV_0029&SUBSYS_3A7A1186&REV_01\3&267A616A&0&48
Service: AR5416
.
==== System Restore Points ===================
.
RP919: 9/16/2011 12:09:23 AM - System Checkpoint
RP920: 9/28/2011 10:46:18 PM - System Checkpoint
RP921: 10/31/2011 4:18:17 AM - System Checkpoint
RP922: 11/2/2011 12:45:55 AM - System Checkpoint
RP923: 11/9/2011 5:57:00 PM - System Checkpoint
RP924: 11/10/2011 6:32:26 PM - System Checkpoint
RP925: 11/12/2011 10:25:15 AM - System Checkpoint
RP926: 11/13/2011 3:19:01 PM - System Checkpoint
RP927: 11/15/2011 4:12:05 PM - System Checkpoint
RP928: 11/27/2011 1:36:51 PM - System Checkpoint
RP929: 12/1/2011 7:27:21 PM - System Checkpoint
RP930: 12/5/2011 5:17:39 PM - System Checkpoint
RP931: 12/8/2011 12:07:01 PM - System Checkpoint
RP932: 12/14/2011 3:37:15 PM - Software Distribution Service 3.0
RP933: 12/15/2011 7:40:00 PM - Installed Angry Birds
RP934: 12/15/2011 7:51:38 PM - Removed Angry Birds
RP935: 12/18/2011 9:51:46 AM - ComboFix created restore point
RP936: 12/18/2011 2:43:20 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP937: 12/18/2011 2:50:46 PM - Installed Java™ 6 Update 30
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
ACDSee 8
Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Azureus
Bonjour
C-Media 3D Audio
CloneDVD 3.5
Compatibility Pack for the 2007 Office system
Conduit Engine
Creative MediaSource
DivX Content Uploader
DivX Web Player
DJ_AIO_05_F4400_Software_Min
ESET Online Scanner v3
Guitar Pro 4
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
HP Deskjet F4400 Printer Driver 14.0 Rel. 5
InterActual Player
InterVideo WinDVD 7
iTunes
Java Auto Updater
Java™ 6 Update 30
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.2.1300
Mavis Beacon Teaches Typing Platinum 20
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft LifeCam
Microsoft Managed DirectX (1126)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0 (x86 en-US)
MSN
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero 7 Ultra Edition
palmOne
Power CD+G Player Pro
PowerISO
QuickTax 2003 Standard
QuickTax 2005
QuickTax 2006
QuickTime
S3GSetup
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
Sibelius Scorch
Sony DVD Architect 3.0
Toolbox
TuneUp Companion 1.9.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Video Converter 3
Viewpoint Media Player
VLC media player 1.1.10
Vuze
Vuze Remote Toolbar
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
12/11/2011 6:19:53 PM, error: Service Control Manager [7000] - The Vstor2 Virtual Storage Driver service failed to start due to the following error: The system cannot find the path specified.
12/11/2011 6:19:53 PM, error: Service Control Manager [7000] - The Polaroid Digital Cam Video service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================


For the file C:\Qoobox\Quarantine\C\WINDOWS\system32\FFECE7AA.exe.vir from virustotal, the link is:
http://www.virustotal.com/file-scan/report.html?id=c2b66652c0c330f5eedfd1ef9535ee5e4ab64ffc8b7a88477cfbe638d15242d6-1324249149

And for the file C:\Qoobox\Quarantine\C\WINDOWS\system32\wtstr.exe.vir from virustotal, the link is:
http://www.virustotal.com/file-scan/report.html?id=3ed0256da8da5eabae7aa1680886a2aa394dd7c002eb2f3b02e9f0f9ec9daa2c-1324249551

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 18 December 2011 - 06:48 PM

Hi

Yes, those detections show the malware hasn't been identified as yet as it is mostly labeled "generic" malware.

time to do some housekeeping now


You can delete the TDSSKiller, DDS and Rootkit Unhooker logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
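
The "Make Internet Explorer more secure" steps in the post above set three Internet-zone ActiveX options through Inetcpl.cpl. The script below is an added example, not part of the thread and not CatByte's, that audits those same settings in the per-user registry and, with -Apply, writes the recommended values. It assumes PowerShell is installed (it is not present on Windows XP by default) and uses the zone value names Microsoft documents for Internet Explorer zones (1001, 1004, 1201 under Zones\3); it does not replicate the "Reset all zones to default level" step.

```powershell
# Added example (not from the original thread): audit the IE "Internet" zone
# (zone 3) ActiveX settings that the post sets by hand, optionally apply them.
# Registry layout per Microsoft's IE zone documentation: DWORD values where
# 0 = Enable, 1 = Prompt, 3 = Disable. Value names are the real IE identifiers.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values mirror the post: Prompt for downloads, Disable for unsafe scripting.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$valueName) {
    # A missing value means IE falls back to the zone template default; report it as unset.
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

foreach ($valueName in ($recommended.Keys | Sort-Object)) {
    $entry   = $recommended[$valueName]
    $current = Get-ZoneSetting $valueName
    $curText = if ($null -eq $current) { 'unset' }
               elseif ($labels.ContainsKey($current)) { $labels[$current] }
               else { $current }
    $ok      = ($current -eq $entry.Want)
    $status  = if ($ok) { 'OK  ' } else { 'WEAK' }
    Write-Host ("{0} {1} ({2}): current={3}, recommended={4}" -f `
        $status, $valueName, $entry.Name, $curText, $labels[$entry.Want])

    # Only write when asked to and when the current value differs from the recommendation.
    if (-not $ok -and $Apply) {
        Set-ItemProperty -Path $zonePath -Name $valueName -Value $entry.Want -Type DWord
        Write-Host ("     -> set {0} to {1}" -f $valueName, $labels[$entry.Want])
    }
}
```

Run it without -Apply first to see which of the three settings still allow ActiveX without a prompt; changes written with -Apply take effect the next time Internet Explorer is started.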


#11 Silas18

Silas18
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 19 December 2011 - 03:51 AM

Thank you so much for your assistance in this. You may close this thread now.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 19 December 2011 - 08:51 AM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 19 December 2011 - 08:51 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

