
Rootkit Info/Removal Assistance Request



#1 astein
Posted 24 December 2011 - 05:04 PM

Hi,

I recently noticed a malware infection. I first ran Malwarebytes and cleaned some recommended files and registry entries. It then came back, and I ran rkill and ComboFix following fireman4it (antivirus disabled, etc.):

http://www.bleepingcomputer.com/forums/topic316502.html

At one point ComboFix said it detected a rootkit (starts with "A"..., didn't catch the full name) and that it was "particularly difficult" to clean. I then allowed it to restart my machine as recommended, which stalled after several minutes. After 10 minutes I did a hard restart. ComboFix then resumed automatically and appeared to complete successfully, but after about half a day the rootkit behavior returned (mostly as high ping.exe activity and slowness).

I then attempted to re-do the same clean procedure, but now rkill fails to start, giving 3 "installation failed" popup alerts and eventually displaying a completion log with no items found.

I then began the full prep/post procedure as detailed here:

http://www.bleepingcomputer.com/forums/topic34773.html

Thanks for your assistance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Andrew at 11:57:31 on 2011-12-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2005 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k NecUsbSevice
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\8TSL53jb.com
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/advanced_search
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [uTorrent] "c:\documents and settings\andrew\desktop\utorrent.exe" /MINIMIZED
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fortem~1.lnk - c:\program files\lg soft india\fortemanager\bin\Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://txssl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311557185991
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://txssl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2DBDCF51-6328-4264-8B66-3533322C45A4} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A2F68AB5-D3B0-41CB-A94F-FF83F31CF859} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\andrew\application data\mozilla\firefox\profiles\4eapel9q.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/advanced_search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl32774ea2;MpKsl32774ea2;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6639d37-7952-4a28-9535-5c9fd2e4cdab}\MpKsl32774ea2.sys [2011-12-24 29904]
R2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2004-8-4 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-25 2255464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-8-16 592120]
R3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2011-8-14 14336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-7-30 119528]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [2006-7-12 402944]
S1 MpKsl4c97a7c7;MpKsl4c97a7c7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1650b3f5-37c4-411e-9f8b-9c3b98ff374d}\mpksl4c97a7c7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1650b3f5-37c4-411e-9f8b-9c3b98ff374d}\MpKsl4c97a7c7.sys [?]
S1 MpKsl4d69be8f;MpKsl4d69be8f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2bd1a1de-3267-477a-bab4-7e2a67e8dd11}\mpksl4d69be8f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2bd1a1de-3267-477a-bab4-7e2a67e8dd11}\MpKsl4d69be8f.sys [?]
S1 MpKslb779459e;MpKslb779459e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b46d3abc-1a5f-4b35-bab5-dee8f1888eee}\mpkslb779459e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b46d3abc-1a5f-4b35-bab5-dee8f1888eee}\MpKslb779459e.sys [?]
S1 MpKslde5fb075;MpKslde5fb075;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52efd14d-7b8e-44ba-ac2e-082eb2a63bf9}\mpkslde5fb075.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52efd14d-7b8e-44ba-ac2e-082eb2a63bf9}\MpKslde5fb075.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-9 136176]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys --> c:\windows\system32\drivers\dvc325.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-9 136176]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2011-8-14 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-24 17:29:23 -------- d--h--w- c:\windows\PIF
2011-12-24 17:21:23 29184 ----a-w- c:\windows\system32\8TSL53jb.com
2011-12-24 17:21:13 53248 ----a-w- c:\windows\system32\6to4v32.dll
2011-12-24 17:21:12 37888 ----a-w- c:\windows\system32\USB3Nw32.dll
2011-12-24 17:21:12 157184 ----a-w- c:\windows\system32\NUSB3w32.dll
2011-12-24 06:02:15 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6639d37-7952-4a28-9535-5c9fd2e4cdab}\MpKsl32774ea2.sys
2011-12-24 06:02:12 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6639d37-7952-4a28-9535-5c9fd2e4cdab}\offreg.dll
2011-12-24 06:02:06 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a6639d37-7952-4a28-9535-5c9fd2e4cdab}\mpengine.dll
2011-12-24 05:07:38 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-24 05:03:56 -------- d-sha-r- C:\cmdcons
2011-12-24 05:02:10 98816 ----a-w- c:\windows\sed.exe
2011-12-24 05:02:10 518144 ----a-w- c:\windows\SWREG.exe
2011-12-24 05:02:10 256000 ----a-w- c:\windows\PEV.exe
2011-12-24 05:02:10 208896 ----a-w- c:\windows\MBR.exe
2011-12-23 23:26:02 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-23 23:26:02 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 12:03:02.23 ===============


#2 CatByte (Malware Response Team)

Posted 29 December 2011 - 08:29 PM

Hi,

Please post the ComboFix log(s) you have.

The recent log will be located at C:\ComboFix.txt; older logs will be located at C:\qoobox\ComboFix2.txt.

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 astein (Topic Starter)

Posted 29 December 2011 - 11:04 PM

Hi Curtis,

Thanks for getting back and Happy Holidays.

Only one ComboFix log found. The ComboFix quarantined files list follows it.


Log:

ComboFix 11-12-23.01 - Andrew 12/23/2011 23:22:47.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2633 [GMT -6:00]

Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Andrew\Desktop\Setup.exe

c:\program files\RegGenie

c:\program files\RegGenie\Backups\40754.5804078009

c:\program files\RegGenie\RegGenie.ini

c:\windows\$NtUninstallKB40645$

c:\windows\$NtUninstallKB40645$\640202989\@

c:\windows\$NtUninstallKB40645$\640202989\bckfg.tmp

c:\windows\$NtUninstallKB40645$\640202989\cfg.ini

c:\windows\$NtUninstallKB40645$\640202989\Desktop.ini

c:\windows\$NtUninstallKB40645$\640202989\keywords

c:\windows\$NtUninstallKB40645$\640202989\kwrd.dll

c:\windows\$NtUninstallKB40645$\640202989\L\eiiemsvg

c:\windows\$NtUninstallKB40645$\640202989\lsflt7.ver

c:\windows\$NtUninstallKB40645$\640202989\U\00000001.@

c:\windows\$NtUninstallKB40645$\640202989\U\00000002.@

c:\windows\$NtUninstallKB40645$\640202989\U\00000004.@

c:\windows\$NtUninstallKB40645$\640202989\U\80000000.@

c:\windows\$NtUninstallKB40645$\640202989\U\80000004.@

c:\windows\$NtUninstallKB40645$\640202989\U\80000032.@

c:\windows\$NtUninstallKB40645$\991140022

c:\windows\RegGenieOnUninstall.exe

c:\windows\system32\oobe\isperror

c:\windows\system32\oobe\isperror\ispcnerr.htm

c:\windows\system32\oobe\isperror\ispdtone.htm

c:\windows\system32\oobe\isperror\isphdshk.htm

c:\windows\system32\oobe\isperror\ispins.htm

c:\windows\system32\oobe\isperror\ispnoanw.htm

c:\windows\system32\oobe\isperror\isppberr.htm

c:\windows\system32\oobe\isperror\ispphbsy.htm

c:\windows\system32\oobe\isperror\ispsbusy.htm

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))

.

.

2011-12-24 05:40 . 2011-12-24 05:40 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D1E9DF23-4CCF-4112-A41D-90E63689DA62}\offreg.dll

2011-12-24 05:07 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-12-24 04:57 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D1E9DF23-4CCF-4112-A41D-90E63689DA62}\mpengine.dll

2011-12-23 23:34 . 2011-12-23 23:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-12-23 23:26 . 2011-12-23 23:26 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-21 10:47 . 2011-10-21 01:30 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2011-07-25 00:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41 . 2010-03-18 15:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-11-10 04:33 . 2011-07-26 04:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\documents and settings\Andrew\Desktop\utorrent.exe" [2011-10-08 641400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]

"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2011-8-14 1687552]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Winamp\\winamp.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

.

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/25/2011 7:29 AM 2255464]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [8/16/2010 12:16 PM 592120]

R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [8/14/2011 8:02 PM 14336]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/30/2011 11:56 PM 119528]

R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [7/12/2006 9:19 AM 402944]

S1 MpKsl4c97a7c7;MpKsl4c97a7c7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys [?]

S1 MpKsl4d69be8f;MpKsl4d69be8f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys [?]

S1 MpKslb779459e;MpKslb779459e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys [?]

S1 MpKslde5fb075;MpKslde5fb075;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\DRIVERS\dvc325.sys --> c:\windows\system32\DRIVERS\dvc325.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]

S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [8/14/2011 8:02 PM 18432]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]

.

2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]

.

2011-12-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/advanced_search

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://txssl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://txssl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab

FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4eapel9q.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/advanced_search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-23 23:41

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2636)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\devldr32.exe

c:\windows\system32\RunDLL32.exe

c:\windows\system32\msiexec.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

.

**************************************************************************

.

Completion time: 2011-12-23 23:46:48 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-24 05:46

.

Pre-Run: 56,477,851,648 bytes free

Post-Run: 59,849,158,656 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 4BD171F46594B57F3EC1EB656A7A2177

--------------------------------------------------------------------------------------------------------------------------------


ComboFix-quarantined-files.txt:

2011-12-24 05:31:50 . 2011-12-24 05:31:50 218 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\_991140022_.zip
2011-12-24 05:30:28 . 2011-12-24 05:30:28 8,343 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-12-24 05:02:04 . 2011-12-24 05:39:29 754 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-12-23 23:31:09 . 2011-12-24 04:50:36 5,176 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\lsflt7.ver.vir
2011-12-23 23:27:35 . 2011-12-24 04:47:28 223,744 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\kwrd.dll.vir
2011-12-23 23:27:12 . 2011-12-24 04:47:10 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\Desktop.ini.vir
2011-12-21 22:22:46 . 2011-12-21 22:37:27 1,536 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\00000001.@.vir
2011-12-20 15:27:26 . 2011-12-24 04:52:12 427 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\keywords.vir
2011-12-20 12:58:30 . 2011-12-24 05:05:34 814 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\bckfg.tmp.vir
2011-12-20 12:56:31 . 2011-12-20 12:56:31 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\@.vir
2011-12-20 12:56:31 . 2011-12-24 04:50:36 206 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\cfg.ini.vir
2011-12-20 12:56:31 . 2011-12-20 12:56:31 162,816 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\L\eiiemsvg.vir
2011-12-20 12:33:56 . 2011-12-20 13:12:56 11,264 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\80000000.@.vir
2011-12-20 08:42:40 . 2011-12-20 12:58:30 97,792 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\80000032.@.vir
2011-12-02 12:07:49 . 2011-12-20 12:58:27 224,768 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\00000002.@.vir
2011-11-29 13:10:08 . 2011-12-20 12:58:27 12,800 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\80000004.@.vir
2011-11-02 17:48:14 . 2011-12-20 12:58:26 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB40645$\640202989\U\00000004.@.vir
2011-08-06 01:36:55 . 2011-08-06 01:37:09 562,195 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Andrew\Desktop\Setup.exe.vir
2011-07-30 18:55:47 . 2011-07-30 18:55:47 22 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RegGenie\Backups\40754.5804078009.vir
2011-07-30 18:52:27 . 2011-07-30 18:56:01 776 ----a-w- C:\Qoobox\Quarantine\C\Program Files\RegGenie\RegGenie.ini.vir
2011-07-30 18:52:25 . 2011-03-08 08:30:14 299,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\RegGenieOnUninstall.exe.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 2,329 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispsbusy.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 6,180 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispphbsy.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 6,494 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispnoanw.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 2,542 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispins.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 2,310 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\isphdshk.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 2,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\isppberr.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 3,015 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispdtone.htm.vir
2011-07-25 00:10:23 . 2004-08-04 12:00:00 3,359 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\oobe\isperror\ispcnerr.htm.vir
2004-08-04 12:00:00 . 2008-04-13 19:21:00 162,816 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir
2004-08-04 12:00:00 . 2008-04-13 19:21:00 162,816 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir_

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 December 2011 - 11:30 PM

Hi

What symptoms are you experiencing now?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 astein
  • Topic Starter

  • Members
  • 8 posts

Posted 30 December 2011 - 12:16 AM

I still can't run rkill (fails with the popup alerts though it finishes showing nothing stopped). That was as far as I got with any subsequent tries to clean anything.

I still have the ping that starts up and consumes all the CPU. I still get a strange behavior in the browser which replaces Google search links with canned sites. I still get a browser window which opens in another tab and which starts with an alert-looking message "Congratulations..." (that was the message that originally led me to a Bleeping clean procedure page (http://www.bleepingcomputer.com/forums/topic316502.html, stating rootkit?) with the rkill, combofix, etc.)

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 December 2011 - 12:21 AM

OK

Please run the following


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


Please re-run ComboFix; allow it to update if it asks to do so, and make sure your security programs are disabled before running it.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
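
Once the scan has run, the log is what the responder actually reads. The script below is an added example for this page, not part of the thread, of TDSSKiller or of BleepingComputer's procedure: it parses a TDSSKiller 2.6.x log in the line format posted in this thread ("HH:MM:SS.mmmm <thread-id> <message>") and pulls out the lines that decide the next step: forged system files (two MD5s for one path), infected services and the action chosen for them, cures deferred to the reboot, and the MBR and boot-sector hashes per device. The sample log embedded in it is constructed in the shape of the thread's log; the regular expressions assume that format and would need adjusting for other TDSSKiller versions.

```python
"""Triage a TDSSKiller log: pull out the lines that decide the next step.

Added example for this page; not part of the thread, of TDSSKiller or of
BleepingComputer's procedure. Assumes the TDSSKiller 2.6.x line format
posted in this thread: "HH:MM:SS.mmmm <thread-id> <message>".
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<msg>\S.*)$")
# "Suspicious file (Forged): <path>. Real md5: <hex>, Fake md5: <hex>"
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "<service> ( <threat> ) - infected"  and  "... - User select action: <action>"
INFECTED_RE = re.compile(r"^(?P<svc>\S+) \( (?P<threat>\S+) \) - infected$")
ACTION_RE = re.compile(
    r"^(?P<svc>\S+) \( (?P<threat>\S+) \) - User select action: (?P<action>\w+)$"
)
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured on reboot$")
# "MBR (0x1B8) (<md5>) \Device\HarddiskN\DRn", followed later by "\Device\... - ok"
SECTOR_RE = re.compile(
    r"^(?P<kind>MBR|Boot) \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>\\Device\\\S+)$"
)
VERDICT_RE = re.compile(r"^(?P<dev>\\Device\\\S+) - (?P<status>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Report:
    forged: list = field(default_factory=list)        # (path, real_md5, fake_md5)
    infected: dict = field(default_factory=dict)      # service -> threat name
    actions: dict = field(default_factory=dict)       # service -> action chosen in the UI
    pending_cure: list = field(default_factory=list)  # files fixed only after the reboot
    sectors: dict = field(default_factory=dict)       # device -> (kind, md5, status)
    detected_count: int = 0

    @property
    def needs_reboot(self) -> bool:
        # The disk still carries the infected file until the deferred cure runs.
        return bool(self.pending_cure)


def parse_tdsskiller_log(text: str) -> Report:
    rep = Report()
    pending_sector = {}  # device -> (kind, md5) until its verdict line arrives
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, banner or separator lines
        msg = m.group("msg").strip()
        if f := FORGED_RE.match(msg):
            rep.forged.append((f["path"], f["real"], f["fake"]))
        elif i := INFECTED_RE.match(msg):
            rep.infected[i["svc"]] = i["threat"]
        elif a := ACTION_RE.match(msg):
            rep.actions[a["svc"]] = a["action"]
        elif c := CURE_RE.match(msg):
            rep.pending_cure.append(c["path"])
        elif s := SECTOR_RE.match(msg):
            pending_sector[s["dev"]] = (s["kind"], s["md5"])
        elif (v := VERDICT_RE.match(msg)) and v["dev"] in pending_sector:
            kind, md5 = pending_sector.pop(v["dev"])
            rep.sectors[v["dev"]] = (kind, md5, v["status"])
        elif n := COUNT_RE.match(msg):
            rep.detected_count = int(n["n"])
    return rep


def summarize(rep: Report) -> list:
    """One triage line per finding, in the order a responder reads them."""
    out = []
    for path, real, fake in rep.forged:
        out.append(f"forged file {path}: real md5 {real} vs fake md5 {fake}")
    for svc, threat in rep.infected.items():
        out.append(f"service {svc}: {threat}, action={rep.actions.get(svc, 'none')}")
    for dev, (kind, md5, status) in rep.sectors.items():
        if status != "ok":
            out.append(f"{kind} of {dev} ({md5}) flagged {status}")
    if rep.needs_reboot:
        out.append("reboot required: " + ", ".join(rep.pending_cure))
    if rep.detected_count == 0:
        out.append("no detections")
    return out


# Constructed sample in the shape of the log posted later in this thread; not a real capture.
SAMPLE_LOG = r"""
23:55:42.0515 3416 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:56:02.0671 3172 Scan started
23:56:13.0468 3172 ACPI - ok
23:56:17.0734 3172 AFD (8e1525b090d8cb5427042ab21202196c) C:\WINDOWS\System32\drivers\afd.sys
23:56:17.0734 3172 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 8e1525b090d8cb5427042ab21202196c, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
23:56:17.0734 3172 AFD ( Rootkit.Win32.ZAccess.aml ) - infected
00:00:23.0234 3172 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
00:00:42.0250 3172 \Device\Harddisk0\DR0 - ok
00:00:44.0062 3172 Boot (0x1200) (17370469a05620e777b41571fa828434) \Device\Harddisk0\DR0\Partition0
00:00:44.0171 3172 \Device\Harddisk0\DR0\Partition0 - ok
00:00:45.0125 1272 Detected object count: 1
00:01:17.0359 1272 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
00:01:59.0828 1272 AFD ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
"""

if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

The "Forged" line is the one to look at first: the tool got two different hashes for the same path read two different ways, and that disagreement, not either hash on its own, is the rootkit indicator. A "will be cured on reboot" line means the machine is still infected until the reboot completes, which is why the procedure ends with Reboot now and a fresh log rather than with the first scan.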


#7 astein
  • Topic Starter

  • Members
  • 8 posts

Posted 30 December 2011 - 01:54 AM

Hi,

Both seemed to complete normally. Auto restart was successful.

Thanks,

TDSSKiller.2.6.25.0_29.12.2011_23.55.42_log

23:55:42.0515 3416 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:55:42.0906 3416 ============================================================
23:55:42.0906 3416 Current date / time: 2011/12/29 23:55:42.0906
23:55:42.0906 3416 SystemInfo:
23:55:42.0906 3416
23:55:42.0906 3416 OS Version: 5.1.2600 ServicePack: 3.0
23:55:42.0906 3416 Product type: Workstation
23:55:42.0906 3416 ComputerName: PERSONAL-07B471
23:55:42.0906 3416 UserName: Andrew
23:55:42.0906 3416 Windows directory: C:\WINDOWS
23:55:42.0906 3416 System windows directory: C:\WINDOWS
23:55:42.0906 3416 Processor architecture: Intel x86
23:55:42.0906 3416 Number of processors: 2
23:55:42.0906 3416 Page size: 0x1000
23:55:42.0906 3416 Boot type: Normal boot
23:55:42.0906 3416 ============================================================
23:55:44.0156 3416 Initialize success
23:56:02.0671 3172 ============================================================
23:56:02.0671 3172 Scan started
23:56:02.0671 3172 Mode: Manual;
23:56:02.0671 3172 ============================================================
23:56:11.0109 3172 Abiosdsk - ok
23:56:11.0984 3172 abp480n5 - ok
23:56:13.0140 3172 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:56:13.0468 3172 ACPI - ok
23:56:14.0671 3172 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:56:15.0203 3172 ACPIEC - ok
23:56:15.0671 3172 adpu160m - ok
23:56:16.0468 3172 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:56:16.0671 3172 aec - ok
23:56:17.0734 3172 AFD (8e1525b090d8cb5427042ab21202196c) C:\WINDOWS\System32\drivers\afd.sys
23:56:17.0734 3172 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 8e1525b090d8cb5427042ab21202196c, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
23:56:17.0734 3172 AFD ( Rootkit.Win32.ZAccess.aml ) - infected
23:56:17.0734 3172 AFD - detected Rootkit.Win32.ZAccess.aml (0)
23:56:18.0234 3172 Aha154x - ok
23:56:18.0656 3172 aic78u2 - ok
23:56:19.0171 3172 aic78xx - ok
23:56:19.0609 3172 AliIde - ok
23:56:19.0984 3172 amsint - ok
23:56:20.0609 3172 asc - ok
23:56:21.0296 3172 asc3350p - ok
23:56:22.0015 3172 asc3550 - ok
23:56:22.0671 3172 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:56:22.0671 3172 AsyncMac - ok
23:56:23.0328 3172 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:56:23.0328 3172 atapi - ok
23:56:24.0031 3172 Atdisk - ok
23:56:24.0968 3172 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:56:25.0015 3172 Atmarpc - ok
23:56:25.0875 3172 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:56:25.0875 3172 audstub - ok
23:56:26.0421 3172 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:56:26.0453 3172 Beep - ok
23:56:27.0421 3172 bvrp_pci - ok
23:56:27.0437 3172 catchme - ok
23:56:28.0156 3172 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:56:28.0171 3172 cbidf2k - ok
23:56:28.0734 3172 cd20xrnt - ok
23:56:29.0421 3172 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:56:29.0437 3172 Cdaudio - ok
23:56:30.0312 3172 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:56:30.0359 3172 Cdfs - ok
23:56:30.0968 3172 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:56:31.0000 3172 Cdrom - ok
23:56:31.0375 3172 Changer - ok
23:56:32.0078 3172 CmdIde - ok
23:56:32.0437 3172 Cpqarray - ok
23:56:34.0484 3172 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
23:56:34.0562 3172 ctljystk - ok
23:56:36.0453 3172 dac2w2k - ok
23:56:37.0187 3172 dac960nt - ok
23:56:38.0265 3172 DCamUSBLTN - ok
23:56:39.0171 3172 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:56:39.0203 3172 Disk - ok
23:56:40.0140 3172 DLABOIOM (d8d58a84f3ece3359df95fd2e459b330) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
23:56:40.0187 3172 DLABOIOM - ok
23:56:41.0078 3172 DLACDBHM (ec6ae8bc9f773382d2eed49e4dfdae2a) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
23:56:41.0093 3172 DLACDBHM - ok
23:56:41.0718 3172 DLADResN (27c78078bd9c4f2de2ad3eb04bfe101b) C:\WINDOWS\system32\DLA\DLADResN.SYS
23:56:41.0750 3172 DLADResN - ok
23:56:42.0343 3172 DLAIFS_M (7f2d93e560b763ef5d11422d78da8ed0) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
23:56:42.0515 3172 DLAIFS_M - ok
23:56:43.0671 3172 DLAOPIOM (f643637de6aac57e38d197aa63d9ea74) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
23:56:43.0687 3172 DLAOPIOM - ok
23:56:44.0531 3172 DLAPoolM (340705474807f57a46d59d18fc2959f1) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
23:56:44.0593 3172 DLAPoolM - ok
23:56:45.0937 3172 DLARTL_N (0605b66052f82b6f07204dbdb61c13ff) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
23:56:45.0953 3172 DLARTL_N - ok
23:56:47.0093 3172 DLAUDFAM (6984ea763907c045ce813468882bc587) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
23:56:47.0140 3172 DLAUDFAM - ok
23:56:48.0421 3172 DLAUDF_M (12b30c449cfd36adbed53eb6560933c6) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
23:56:48.0625 3172 DLAUDF_M - ok
23:56:51.0953 3172 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:56:53.0609 3172 dmboot - ok
23:56:55.0515 3172 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:56:55.0734 3172 dmio - ok
23:56:57.0312 3172 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:56:57.0375 3172 dmload - ok
23:56:58.0937 3172 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:56:59.0093 3172 DMusic - ok
23:57:00.0390 3172 dpti2o - ok
23:57:01.0750 3172 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:57:01.0781 3172 drmkaud - ok
23:57:02.0859 3172 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
23:57:02.0937 3172 DRVMCDB - ok
23:57:04.0484 3172 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
23:57:04.0531 3172 DRVNDDM - ok
23:57:05.0921 3172 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:57:06.0390 3172 E100B - ok
23:57:08.0656 3172 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
23:57:09.0312 3172 emu10k - ok
23:57:11.0062 3172 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
23:57:11.0109 3172 emu10k1 - ok
23:57:13.0000 3172 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:57:13.0093 3172 Fastfat - ok
23:57:14.0015 3172 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:57:14.0093 3172 Fdc - ok
23:57:15.0906 3172 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:57:15.0906 3172 Fips - ok
23:57:17.0937 3172 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:57:18.0031 3172 Flpydisk - ok
23:57:20.0015 3172 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:57:21.0031 3172 FltMgr - ok
23:57:23.0750 3172 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:57:23.0765 3172 Fs_Rec - ok
23:57:25.0437 3172 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:57:25.0593 3172 Ftdisk - ok
23:57:26.0468 3172 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
23:57:26.0515 3172 gameenum - ok
23:57:28.0218 3172 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:57:28.0218 3172 GEARAspiWDM - ok
23:57:29.0796 3172 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:57:30.0859 3172 Gpc - ok
23:57:32.0796 3172 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:57:32.0796 3172 HDAudBus - ok
23:57:34.0687 3172 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:57:34.0718 3172 hidusb - ok
23:57:35.0828 3172 hpn - ok
23:57:37.0921 3172 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
23:57:38.0093 3172 HPZid412 - ok
23:57:39.0562 3172 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
23:57:42.0140 3172 HPZipr12 - ok
23:57:43.0546 3172 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
23:57:43.0703 3172 HPZius12 - ok
23:57:45.0328 3172 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:57:46.0000 3172 HTTP - ok
23:57:46.0921 3172 i2omgmt - ok
23:57:47.0921 3172 i2omp - ok
23:57:49.0359 3172 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
23:57:49.0421 3172 i8042prt - ok
23:57:50.0734 3172 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:57:50.0796 3172 Imapi - ok
23:57:52.0218 3172 ini910u - ok
23:57:53.0046 3172 IntelIde - ok
23:57:53.0984 3172 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:57:54.0015 3172 intelppm - ok
23:57:54.0906 3172 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:57:54.0953 3172 Ip6Fw - ok
23:57:56.0125 3172 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:57:56.0203 3172 IpFilterDriver - ok
23:57:57.0437 3172 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:57:57.0484 3172 IpInIp - ok
23:57:59.0031 3172 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:57:59.0031 3172 IpNat - ok
23:58:00.0468 3172 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:58:00.0546 3172 IPSec - ok
23:58:01.0328 3172 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:58:01.0359 3172 IRENUM - ok
23:58:02.0343 3172 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:58:02.0375 3172 isapnp - ok
23:58:03.0453 3172 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:58:03.0484 3172 Kbdclass - ok
23:58:04.0781 3172 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:58:04.0812 3172 kbdhid - ok
23:58:05.0890 3172 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:58:06.0171 3172 kmixer - ok
23:58:07.0140 3172 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:58:07.0328 3172 KSecDD - ok
23:58:08.0312 3172 lbrtfdc - ok
23:58:09.0312 3172 LGDDCDevice (9dcb9d9bdb7e3c0f66f86ee09a392cbb) C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys
23:58:09.0312 3172 LGDDCDevice - ok
23:58:10.0562 3172 LGII2CDevice (21a62a7a95b1905634e7c12e5158ec32) C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys
23:58:10.0640 3172 LGII2CDevice - ok
23:58:11.0843 3172 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:58:11.0890 3172 mnmdd - ok
23:58:13.0453 3172 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:58:13.0515 3172 Modem - ok
23:58:14.0718 3172 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:58:14.0750 3172 Mouclass - ok
23:58:16.0593 3172 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:58:16.0640 3172 mouhid - ok
23:58:18.0500 3172 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:58:18.0546 3172 MountMgr - ok
23:58:19.0953 3172 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
23:58:19.0953 3172 MpFilter - ok
23:58:20.0781 3172 MpKsl4c97a7c7 - ok
23:58:21.0671 3172 MpKsl4d69be8f - ok
23:58:22.0421 3172 MpKslb779459e - ok
23:58:23.0531 3172 MpKslde5fb075 - ok
23:58:24.0625 3172 mraid35x - ok
23:58:25.0765 3172 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:58:26.0140 3172 MRxDAV - ok
23:58:27.0859 3172 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:58:28.0687 3172 MRxSmb - ok
23:58:30.0875 3172 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:58:30.0937 3172 Msfs - ok
23:58:32.0234 3172 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:58:32.0250 3172 MSKSSRV - ok
23:58:34.0312 3172 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:58:34.0390 3172 MSPCLOCK - ok
23:58:36.0000 3172 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:58:36.0031 3172 MSPQM - ok
23:58:37.0046 3172 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:58:37.0078 3172 mssmbios - ok
23:58:38.0343 3172 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:58:38.0421 3172 Mup - ok
23:58:39.0203 3172 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:58:39.0281 3172 NDIS - ok
23:58:40.0000 3172 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:58:41.0750 3172 NdisTapi - ok
23:58:42.0093 3172 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:58:42.0093 3172 Ndisuio - ok
23:58:42.0453 3172 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:58:42.0484 3172 NdisWan - ok
23:58:42.0812 3172 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:58:42.0843 3172 NDProxy - ok
23:58:43.0156 3172 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:58:43.0171 3172 NetBIOS - ok
23:58:43.0546 3172 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:58:43.0609 3172 NetBT - ok
23:58:44.0203 3172 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:58:44.0234 3172 Npfs - ok
23:58:45.0437 3172 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:58:45.0750 3172 Ntfs - ok
23:58:46.0609 3172 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:58:46.0625 3172 Null - ok
23:58:53.0968 3172 nv (6733e80a193fc36f41c24142b0c45c0e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:59:02.0468 3172 nv - ok
23:59:03.0187 3172 NVHDA (1fda0adfd0dd666ecb1cbf8436f81805) C:\WINDOWS\system32\drivers\nvhda32.sys
23:59:03.0187 3172 NVHDA - ok
23:59:04.0500 3172 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:59:04.0546 3172 NwlnkFlt - ok
23:59:05.0390 3172 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:59:05.0406 3172 NwlnkFwd - ok
23:59:06.0140 3172 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
23:59:06.0234 3172 Parport - ok
23:59:06.0906 3172 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:59:06.0953 3172 PartMgr - ok
23:59:07.0656 3172 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:59:07.0687 3172 ParVdm - ok
23:59:08.0390 3172 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:59:08.0484 3172 PCI - ok
23:59:09.0187 3172 PCIDump - ok
23:59:10.0171 3172 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:59:10.0234 3172 PCIIde - ok
23:59:10.0890 3172 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:59:11.0000 3172 Pcmcia - ok
23:59:11.0593 3172 PDCOMP - ok
23:59:12.0281 3172 PDFRAME - ok
23:59:12.0984 3172 PDRELI - ok
23:59:13.0859 3172 PDRFRAME - ok
23:59:14.0765 3172 perc2 - ok
23:59:15.0421 3172 perc2hib - ok
23:59:16.0343 3172 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:59:16.0406 3172 PptpMiniport - ok
23:59:17.0687 3172 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:59:17.0765 3172 PSched - ok
23:59:18.0500 3172 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:59:18.0546 3172 Ptilink - ok
23:59:19.0796 3172 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:59:19.0875 3172 PxHelp20 - ok
23:59:20.0484 3172 ql1080 - ok
23:59:21.0046 3172 Ql10wnt - ok
23:59:21.0593 3172 ql12160 - ok
23:59:22.0281 3172 ql1240 - ok
23:59:23.0093 3172 ql1280 - ok
23:59:23.0906 3172 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:59:23.0937 3172 RasAcd - ok
23:59:24.0609 3172 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:59:24.0640 3172 Rasl2tp - ok
23:59:25.0859 3172 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:59:25.0906 3172 RasPppoe - ok
23:59:26.0875 3172 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:59:26.0921 3172 Raspti - ok
23:59:28.0093 3172 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:59:28.0265 3172 Rdbss - ok
23:59:29.0000 3172 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:59:29.0046 3172 RDPCDD - ok
23:59:30.0234 3172 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:59:30.0359 3172 rdpdr - ok
23:59:32.0031 3172 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:59:32.0265 3172 RDPWD - ok
23:59:33.0125 3172 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:59:33.0234 3172 redbook - ok
23:59:34.0078 3172 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
23:59:34.0125 3172 RimUsb - ok
23:59:35.0281 3172 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:59:35.0312 3172 Secdrv - ok
23:59:36.0156 3172 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
23:59:36.0218 3172 Serial - ok
23:59:37.0765 3172 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:59:37.0812 3172 Sfloppy - ok
23:59:39.0546 3172 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
23:59:39.0593 3172 sfman - ok
23:59:40.0781 3172 Simbad - ok
23:59:41.0593 3172 Sparrow - ok
23:59:42.0156 3172 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:59:42.0203 3172 splitter - ok
23:59:43.0000 3172 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:59:43.0093 3172 sr - ok
23:59:44.0031 3172 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:59:44.0312 3172 Srv - ok
23:59:45.0953 3172 STHDA (352b663a81402be7cd7bd4ea27c9998c) C:\WINDOWS\system32\drivers\sthda.sys
23:59:46.0265 3172 STHDA - ok
23:59:47.0312 3172 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:59:47.0343 3172 swenum - ok
23:59:48.0359 3172 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:59:48.0390 3172 swmidi - ok
23:59:49.0593 3172 symc810 - ok
23:59:50.0218 3172 symc8xx - ok
23:59:50.0937 3172 sym_hi - ok
23:59:51.0703 3172 sym_u3 - ok
23:59:52.0609 3172 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:59:52.0687 3172 sysaudio - ok
23:59:53.0906 3172 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:59:54.0234 3172 Tcpip - ok
23:59:54.0921 3172 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:59:54.0937 3172 TDPIPE - ok
23:59:55.0906 3172 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:59:55.0937 3172 TDTCP - ok
23:59:56.0656 3172 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:59:56.0687 3172 TermDD - ok
23:59:58.0015 3172 TosIde - ok
00:00:00.0265 3172 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
00:00:00.0343 3172 Udfs - ok
00:00:01.0140 3172 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
00:00:01.0171 3172 ultra - ok
00:00:02.0000 3172 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
00:00:02.0203 3172 Update - ok
00:00:03.0500 3172 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
00:00:03.0546 3172 USBAAPL - ok
00:00:04.0515 3172 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:00:04.0593 3172 usbccgp - ok
00:00:05.0718 3172 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:00:05.0734 3172 usbehci - ok
00:00:07.0031 3172 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:00:07.0078 3172 usbhub - ok
00:00:08.0171 3172 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:00:08.0234 3172 usbprint - ok
00:00:09.0390 3172 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:00:09.0421 3172 usbscan - ok
00:00:10.0078 3172 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:00:10.0078 3172 usbstor - ok
00:00:11.0078 3172 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:00:11.0093 3172 usbuhci - ok
00:00:12.0234 3172 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
00:00:12.0250 3172 VgaSave - ok
00:00:12.0921 3172 ViaIde - ok
00:00:13.0640 3172 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
00:00:13.0671 3172 VolSnap - ok
00:00:14.0640 3172 vpnva (1b7c80c66742dafaa31f98af4c3a5bc2) C:\WINDOWS\system32\DRIVERS\vpnva.sys
00:00:14.0671 3172 vpnva - ok
00:00:16.0000 3172 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:00:16.0062 3172 Wanarp - ok
00:00:16.0671 3172 WDICA - ok
00:00:17.0875 3172 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
00:00:18.0031 3172 wdmaud - ok
00:00:19.0437 3172 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:00:19.0531 3172 WudfPf - ok
00:00:20.0484 3172 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:00:20.0562 3172 WudfRd - ok
00:00:22.0000 3172 ZG760_XP (bd6354de4d081de96c79bdb53f55ca82) C:\WINDOWS\system32\DRIVERS\WlanGZXP.sys
00:00:22.0484 3172 ZG760_XP - ok
00:00:22.0671 3172 MBR (0x1B8) (916dcd8043ec08a9bfa4565f1f6fae42) \Device\Harddisk2\DR2
00:00:22.0718 3172 \Device\Harddisk2\DR2 - ok
00:00:23.0234 3172 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
00:00:42.0250 3172 \Device\Harddisk0\DR0 - ok
00:00:42.0562 3172 MBR (0x1B8) (b252f3839384984a882daad870963ed9) \Device\Harddisk1\DR1
00:00:43.0343 3172 \Device\Harddisk1\DR1 - ok
00:00:43.0546 3172 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR9
00:00:43.0750 3172 \Device\Harddisk3\DR9 - ok
00:00:44.0062 3172 Boot (0x1200) (17370469a05620e777b41571fa828434) \Device\Harddisk0\DR0\Partition0
00:00:44.0171 3172 \Device\Harddisk0\DR0\Partition0 - ok
00:00:44.0343 3172 Boot (0x1200) (30c03d0a3e2edd6d2e214e8d9d872882) \Device\Harddisk1\DR1\Partition0
00:00:44.0421 3172 \Device\Harddisk1\DR1\Partition0 - ok
00:00:44.0531 3172 Boot (0x1200) (cfbb3c3dfc30341582174c69f5cf9af6) \Device\Harddisk3\DR9\Partition0
00:00:44.0531 3172 \Device\Harddisk3\DR9\Partition0 - ok
00:00:44.0718 3172 ============================================================
00:00:44.0765 3172 Scan finished
00:00:44.0796 3172 ============================================================
00:00:45.0125 1272 Detected object count: 1
00:00:45.0125 1272 Actual detected object count: 1
00:01:17.0187 1272 Backup copy found, using it..
00:01:17.0359 1272 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
00:01:59.0828 1272 AFD ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
00:02:08.0000 3004 Deinitialize success

============================================================================================================================

Combofix:

ComboFix 11-12-29.05 - Andrew 12/30/2011 0:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2650 [GMT -6:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Andrew\Templates\sgsciy8r6pky8waa3djb7o837y2f
c:\windows\$NtUninstallKB40645$
c:\windows\$NtUninstallKB40645$\2135534870
c:\windows\$NtUninstallKB40645$\640202989\@
c:\windows\$NtUninstallKB40645$\640202989\bckfg.tmp
c:\windows\$NtUninstallKB40645$\640202989\cfg.ini
c:\windows\$NtUninstallKB40645$\640202989\Desktop.ini
c:\windows\$NtUninstallKB40645$\640202989\keywords
c:\windows\$NtUninstallKB40645$\640202989\kwrd.dll
c:\windows\$NtUninstallKB40645$\640202989\L\eiiemsvg
c:\windows\$NtUninstallKB40645$\640202989\lsflt7.ver
c:\windows\$NtUninstallKB40645$\640202989\U\00000001.$
c:\windows\$NtUninstallKB40645$\640202989\U\00000001.@
c:\windows\$NtUninstallKB40645$\640202989\U\00000002.@
c:\windows\$NtUninstallKB40645$\640202989\U\00000004.@
c:\windows\$NtUninstallKB40645$\640202989\U\80000000.@
c:\windows\$NtUninstallKB40645$\640202989\U\80000004.@
c:\windows\$NtUninstallKB40645$\640202989\U\80000032.$
c:\windows\$NtUninstallKB40645$\640202989\U\80000032.@
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\NUSB3w32.dll
c:\windows\system32\USB3Nw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_NecUsb
-------\Service_NecUsb
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 06:41 . 2011-12-30 06:41 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CFEAB06-3AED-4ACB-92EC-0BFFEE8E41DF}\offreg.dll
2011-12-30 05:56 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CFEAB06-3AED-4ACB-92EC-0BFFEE8E41DF}\mpengine.dll
2011-12-24 17:29 . 2011-12-24 17:29 -------- d--h--w- c:\windows\PIF
2011-12-24 17:21 . 2011-12-25 01:19 79872 ----a-w- c:\windows\system32\8TSL53jb.com_
2011-12-24 05:07 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-23 23:26 . 2011-12-23 23:26 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-30 06:03 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-10-21 01:30 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-07-25 00:09 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-10 04:33 . 2011-07-26 04:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-24_05.41.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-30 06:41 . 2011-12-30 06:41 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
+ 2011-07-25 00:22 . 2011-12-26 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-25 00:22 . 2011-10-19 20:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-25 00:22 . 2011-12-26 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-07-25 00:22 . 2011-10-19 20:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-24 21:39 . 2011-12-26 05:00 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-07-25 00:22 . 2011-10-19 20:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-12-24 17:25 . 2011-12-24 17:25 103733 c:\windows\system32\itusbcore.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2011-8-14 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/25/2011 7:29 AM 2255464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [8/16/2010 12:16 PM 592120]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [8/14/2011 8:02 PM 14336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/30/2011 11:56 PM 119528]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [7/12/2006 9:19 AM 402944]
S1 MpKsl4c97a7c7;MpKsl4c97a7c7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys [?]
S1 MpKsl4d69be8f;MpKsl4d69be8f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys [?]
S1 MpKslb779459e;MpKslb779459e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys [?]
S1 MpKslde5fb075;MpKslde5fb075;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\DRIVERS\dvc325.sys --> c:\windows\system32\DRIVERS\dvc325.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [8/14/2011 8:02 PM 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\At10.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At12.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At14.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At16.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At18.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At2.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At20.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At22.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At24.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At26.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At28.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At30.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At32.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At34.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At36.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-25 c:\windows\Tasks\At38.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At4.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-25 c:\windows\Tasks\At40.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-25 c:\windows\Tasks\At42.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At44.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At46.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-30 c:\windows\Tasks\At48.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At6.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-24 c:\windows\Tasks\At8.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]
.
2011-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/advanced_search
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://txssl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://txssl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4eapel9q.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/advanced_search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NecUsb3Sevice - USB3Nw32.dll
Notify-USB3Nw32 - USB3Nw32.dll
SafeBoot-98258525.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 00:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-12-30 00:50:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 06:50
ComboFix2.txt 2011-12-24 05:46
.
Pre-Run: 59,677,794,304 bytes free
Post-Run: 60,038,209,536 bytes free
.
- - End Of File - - C49C004E145B7F9A26AD5C2820A9947A
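Added example for this thread (not ComboFix code and not something the helper posted): a small Python triage script that reads the Scheduled Tasks and Security Center sections of a ComboFix log like the one above, groups At<N>.job tasks by the file they launch, and flags the mass-At-job persistence and switched-off protection that the log shows. The sample log text is constructed from entries in this thread; the At-job threshold and the expected-extension list are my own assumptions.

```python
"""Triage the Scheduled Tasks and Security Center sections of a ComboFix log.
Added example for this thread (not ComboFix code, not posted by the helper): which
file do all the At<N>.job tasks launch, and has Security Center/firewall been
switched off?"""
import re
from collections import defaultdict

# Constructed sample: a cut-down copy of the sections in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
Contents of the 'Scheduled Tasks' folder
2011-12-24 c:\windows\Tasks\At10.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
2011-12-24 c:\windows\Tasks\At12.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
2011-12-24 c:\windows\Tasks\At2.job
- c:\windows\system32\8TSL53jb.com_ [2011-12-24 01:19]
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]
------- Supplementary Scan -------
"""

TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) c:\\windows\\tasks\\(.+?\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2})\]$")
SETTING_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride|EnableFirewall|'
                        r'DisableNotifications)"\s*=\s*(?:dword:)?([0-9a-fA-F]+)')
# Extensions expected for something launched from system32 (assumption, tune as needed).
EXPECTED_EXEC_EXT = {".exe", ".dll", ".sys", ".cpl", ".scr", ".com", ".bat", ".cmd"}


def parse_scheduled_tasks(log):
    """Return [{job, job_date, target, target_time}] from the Scheduled Tasks section.
    ComboFix prints a dated .job line, then '- <target> [time]'; the section ends
    at the next '-------' header."""
    tasks, lines, in_section = [], log.splitlines(), False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and line.startswith("-------"):
            break
        elif in_section and i + 1 < len(lines):
            m, t = TASK_RE.match(line), TARGET_RE.match(lines[i + 1].strip())
            if m and t:
                tasks.append({"job": m.group(2), "job_date": m.group(1),
                              "target": t.group(1), "target_time": t.group(2)})
    return tasks


def find_mass_at_jobs(tasks, threshold=3):
    """Map target -> sorted At<N>.job names for targets run by >= threshold At jobs.
    One at.exe job is ordinary; At2..At48 all firing one file, as above, is a
    persistence pattern worth collecting.  The threshold is an assumption."""
    by_target = defaultdict(list)
    for t in tasks:
        if re.fullmatch(r"At\d+\.job", t["job"], re.I):
            by_target[t["target"].lower()].append(t["job"])
    return {k: sorted(v) for k, v in by_target.items() if len(v) >= threshold}


def suspicious_target(path):
    """Heuristic reasons a task target looks odd; an analyst still confirms."""
    base = path.lower().rsplit("\\", 1)[-1]
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    if "\\system32\\" in path.lower() and ext not in EXPECTED_EXEC_EXT:
        return ["unexpected extension %r for a system32 executable" % ext]
    return []


def weakened_protection(log):
    """Security Center overrides and a disabled firewall profile, as ComboFix prints them."""
    findings = []
    for line in log.splitlines():
        m = SETTING_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name == "EnableFirewall" and value == 0:
            findings.append("EnableFirewall=0 (Windows Firewall standard profile off)")
        elif name != "EnableFirewall" and value == 1:
            findings.append("%s=1 (Security Center warning suppressed)" % name)
    return findings


def triage(log):
    """One report dict combining the checks above."""
    tasks = parse_scheduled_tasks(log)
    odd = {t["target"]: r for t in tasks for r in [suspicious_target(t["target"])] if r}
    return {"tasks": len(tasks), "mass_at_jobs": find_mass_at_jobs(tasks),
            "odd_targets": odd, "weakened_protection": weakened_protection(log)}


if __name__ == "__main__": print(triage(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the mass_at_jobs entry lists exactly the At jobs a Collect::/AtJob:: script would need to address.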

#8 CatByte
    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:05 PM

Posted 30 December 2011 - 10:15 AM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\8TSL53jb.com_

AtJob::

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 astein
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:05 PM

Posted 30 December 2011 - 06:40 PM

Hi,

All completed normally. I neglected to save the ESET results, unfortunately. Should I re-run or anything? It said 12 threats were ID'd and removed. No errors.

Thanks,

COMBOFIX:

ComboFix 11-12-29.05 - Andrew 12/30/2011 9:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2482 [GMT -6:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\bleep\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
file zipped: c:\windows\system32\8TSL53jb.com_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\8TSL53jb.com_
c:\windows\Tasks\At10.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At8.job
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 15:39 . 2011-12-30 15:39 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1924930-9A25-41B3-8EE5-1DC540C74A29}\offreg.dll
2011-12-30 07:32 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1924930-9A25-41B3-8EE5-1DC540C74A29}\mpengine.dll
2011-12-24 17:29 . 2011-12-24 17:29 -------- d--h--w- c:\windows\PIF
2011-12-24 05:07 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-23 23:26 . 2011-12-23 23:26 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-30 06:03 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-10-21 01:30 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-07-25 00:09 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-10 04:33 . 2011-07-26 04:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-24_05.41.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-30 15:39 . 2011-12-30 15:39 16384 c:\windows\Temp\Perflib_Perfdata_318.dat
+ 2011-07-25 00:22 . 2011-12-26 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-25 00:22 . 2011-10-19 20:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-25 00:22 . 2011-12-26 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-07-25 00:22 . 2011-10-19 20:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-24 17:25 . 2011-12-24 17:25 103733 c:\windows\system32\itusbcore.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2011-8-14 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/25/2011 7:29 AM 2255464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [8/16/2010 12:16 PM 592120]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/30/2011 11:56 PM 119528]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [7/12/2006 9:19 AM 402944]
S1 MpKsl4c97a7c7;MpKsl4c97a7c7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1650B3F5-37C4-411E-9F8B-9C3B98FF374D}\MpKsl4c97a7c7.sys [?]
S1 MpKsl4d69be8f;MpKsl4d69be8f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2BD1A1DE-3267-477A-BAB4-7E2A67E8DD11}\MpKsl4d69be8f.sys [?]
S1 MpKslb779459e;MpKslb779459e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46D3ABC-1A5F-4B35-BAB5-DEE8F1888EEE}\MpKslb779459e.sys [?]
S1 MpKslde5fb075;MpKslde5fb075;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52EFD14D-7B8E-44BA-AC2E-082EB2A63BF9}\MpKslde5fb075.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\DRIVERS\dvc325.sys --> c:\windows\system32\DRIVERS\dvc325.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2011 12:34 AM 136176]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [8/14/2011 8:02 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [8/14/2011 8:02 PM 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-09 06:34]
.
2011-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/advanced_search
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://txssl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://txssl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4eapel9q.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/advanced_search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 09:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-30 09:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 15:50
ComboFix2.txt 2011-12-30 06:50
ComboFix3.txt 2011-12-24 05:46
.
Pre-Run: 60,297,969,664 bytes free
Post-Run: 60,285,702,144 bytes free
.
- - End Of File - - D87A718CB5E650586A42A98CD1FBAAD7
Upload was successful

-==============================================================================================

MBAM:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Andrew :: PERSONAL-07B471 [administrator]

12/30/2011 9:57:43 AM
mbam-log-2011-12-30 (09-57-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181205
Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andrew\Local Settings\Application Data\lfn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
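As an added example, not code from the thread or from MBAM, ComboFix or any other tool named in it: a Python check for the kind of StartMenuInternet hijack MBAM reported above. Every `shell\<verb>\command` under a browser's key should launch that browser directly (MBAM's "Good" value), so a wrapper such as lfn.exe in Local Settings is flagged. The sample registry values are constructed from the MBAM line; the suspicious-folder list and the winreg enumeration are assumptions of this example.

```python
import ntpath

try:
    import winreg  # Windows only; the check itself is pure Python
except ImportError:
    winreg = None

CLIENTS_KEY = r"SOFTWARE\Clients\StartMenuInternet"
# Folders a registered browser should never run from (assumed heuristic list).
SUSPICIOUS_DIRS = ("\\local settings\\application data\\", "\\appdata\\", "\\temp\\")

# Constructed sample modelled on the MBAM Hijack.StartMenuInternet entry above:
# the safemode verb is redirected through lfn.exe in Local Settings.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command":
        r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command":
        r'"C:\Documents and Settings\Andrew\Local Settings\Application Data\lfn.exe" '
        r'-a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command":
        r'"C:\Program Files\Internet Explorer\iexplore.exe"',
}

def first_executable(command):
    """Program a Windows command line launches: the leading quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""

def check_command(key_path, command):
    """Reason the command looks hijacked, or None. The subkey name under
    StartMenuInternet (e.g. FIREFOX.EXE) is the executable each verb must launch."""
    parts = key_path.split("\\")
    try:
        browser = parts[parts.index("StartMenuInternet") + 1].lower()
    except (ValueError, IndexError):
        return "not a StartMenuInternet browser entry"
    exe = first_executable(command)
    if not exe:
        return "empty command"
    if ntpath.basename(exe.lower()) != browser:
        return f"launches {ntpath.basename(exe)} instead of {browser}"
    if any(marker in exe.lower() for marker in SUSPICIOUS_DIRS):
        return f"browser copy runs from a user-writable folder: {exe}"
    return None

def find_hijacks(values):
    """values: {key_path: command}. Returns [(key_path, executable, reason)]."""
    findings = []
    for key_path, command in values.items():
        reason = check_command(key_path, command)
        if reason:
            findings.append((key_path, first_executable(command), reason))
    return findings

def read_live_values():
    """Windows only: collect every shell\\<verb>\\command under StartMenuInternet."""
    values, hklm = {}, winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, CLIENTS_KEY) as clients:
        for i in range(winreg.QueryInfoKey(clients)[0]):
            shell_path = f"{CLIENTS_KEY}\\{winreg.EnumKey(clients, i)}\\shell"
            try:
                with winreg.OpenKey(hklm, shell_path) as shell:
                    verbs = [winreg.EnumKey(shell, j) for j in range(winreg.QueryInfoKey(shell)[0])]
                for verb in verbs:
                    with winreg.OpenKey(hklm, f"{shell_path}\\{verb}\\command") as cmd:
                        values[f"HKLM\\{shell_path}\\{verb}\\command"] = winreg.QueryValueEx(cmd, "")[0]
            except OSError:  # browser entry without shell verbs or a command value
                continue
    return values

if __name__ == "__main__":
    source = read_live_values() if winreg else SAMPLE_VALUES
    for key_path, exe, reason in find_hijacks(source):
        print(f"{key_path}\n    -> {exe}: {reason}")
```

On Windows the script reads the live keys; elsewhere it runs over the constructed sample, where only the safemode verb is reported.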

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 30 December 2011 - 07:25 PM

Hi

Please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 30
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u30-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 astein

astein
  • Topic Starter

  • Members
  • 8 posts

Posted 31 December 2011 - 01:17 AM

Hi,

I updated the Java. My DDS is below.

I am happy to say that I am no longer seeing the runaway pings, the bad google links, or the weird new tabs or alert popups.

I ran MSE. It showed and cleaned 3 trojans. All of them looked to have already been quarantined by ComboFix, except the following also had a second "Item" (in addition to the Qoobox one) which was apparently still on the system:

Trojan:Win32/Dynamer!dtc
file:C:\System Volume Information\_restore{37F5B680-F1E7-433B-BC3C-77DC281D7AD6}\RP209\A0092938.dll


As I said, everything looks good. I just had a few questions if we are close to wrapping up.

Is everything coming up clean in the scans at this stage? Are there any more scans you would recommend I run to confirm they are clean?
Is there a procedure (same ticket, new ticket) to investigate further if anything returns, or other recommendations (e.g. wipe/install)?


Am I okay to retry rkill? I was unable to run it before the cleanings.


Is it always better to uninstall old Java before updating and follow this procedure?


(And lastly, minor concern) Do you recall anything that could have been done different/better with my initial troubleshooting? My main tools up to now have been rkill, malwarebytes, and combofix.


Thanks a ton for your help with this!



Current DDS:
===========

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Andrew at 0:00:51 on 2011-12-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2021 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Andrew\Desktop\utorrent.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/advanced_search
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fortem~1.lnk - c:\program files\lg soft india\fortemanager\bin\Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://txssl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311557185991
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://txssl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2DBDCF51-6328-4264-8B66-3533322C45A4} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A2F68AB5-D3B0-41CB-A94F-FF83F31CF859} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\andrew\application data\mozilla\firefox\profiles\4eapel9q.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/advanced_search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsle2b1a9e6;MpKsle2b1a9e6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5f64fbaa-6944-4838-a271-9bd047ae98c3}\MpKsle2b1a9e6.sys [2011-12-30 29904]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-25 2255464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-8-16 592120]
R3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2011-8-14 14336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-7-30 119528]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [2006-7-12 402944]
S1 MpKsl4c97a7c7;MpKsl4c97a7c7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1650b3f5-37c4-411e-9f8b-9c3b98ff374d}\mpksl4c97a7c7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1650b3f5-37c4-411e-9f8b-9c3b98ff374d}\MpKsl4c97a7c7.sys [?]
S1 MpKsl4d69be8f;MpKsl4d69be8f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2bd1a1de-3267-477a-bab4-7e2a67e8dd11}\mpksl4d69be8f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2bd1a1de-3267-477a-bab4-7e2a67e8dd11}\MpKsl4d69be8f.sys [?]
S1 MpKslb779459e;MpKslb779459e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b46d3abc-1a5f-4b35-bab5-dee8f1888eee}\mpkslb779459e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b46d3abc-1a5f-4b35-bab5-dee8f1888eee}\MpKslb779459e.sys [?]
S1 MpKslde5fb075;MpKslde5fb075;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52efd14d-7b8e-44ba-ac2e-082eb2a63bf9}\mpkslde5fb075.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52efd14d-7b8e-44ba-ac2e-082eb2a63bf9}\MpKslde5fb075.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-9 136176]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys --> c:\windows\system32\drivers\dvc325.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-9 136176]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2011-8-14 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-31 03:19:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-31 03:12:16 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5f64fbaa-6944-4838-a271-9bd047ae98c3}\MpKsle2b1a9e6.sys
2011-12-31 03:11:56 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5f64fbaa-6944-4838-a271-9bd047ae98c3}\offreg.dll
2011-12-31 03:04:36 -------- d-----w- c:\windows\system32\appmgmt
2011-12-31 02:55:49 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5f64fbaa-6944-4838-a271-9bd047ae98c3}\mpengine.dll
2011-12-30 16:12:34 -------- d-----w- c:\program files\ESET
2011-12-24 17:29:23 -------- d--h--w- c:\windows\PIF
2011-12-24 05:07:38 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-24 05:03:56 -------- d-sha-r- C:\cmdcons
2011-12-24 05:02:10 98816 ----a-w- c:\windows\sed.exe
2011-12-24 05:02:10 518144 ----a-w- c:\windows\SWREG.exe
2011-12-24 05:02:10 256000 ----a-w- c:\windows\PEV.exe
2011-12-24 05:02:10 208896 ----a-w- c:\windows\MBR.exe
2011-12-23 23:26:02 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-23 23:26:02 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-12-31 03:19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-30 06:03:19 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 0:01:18.00 ===============




#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 31 December 2011 - 01:57 AM

Hi

rkill is only designed to stop processes belonging to rogue antivirus infections so that our diagnostic and malware removal tools can run.

The item found by MSSE is in an old restore point.

Once you have the latest version of Java (which you now do) you can set it for automatic updates or select the update tab; no need to remove older Java now as it should overwrite it.

You should not be running ComboFix on your own, most times it's fine, but occasionally there could be problems and the developer of the tool advises against it.

It's fine to run your AntiVirus and Malwarebytes, but the more removal tools you run, the more difficult it can become to locate the problem.

It's better to run the diagnostic tools DDS, GMER, aswMBR etc. and post the logs unless it's minor and the AV and MBAM can fix it.

Your log appears to be clean now, so we just have some housekeeping to do now.

This thread will be closed after we're done, but if something arises from it, you can send a PM to have it re-opened

Please do the following:


You can delete the TDSSKiller, aswMBR, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates available installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 astein

astein
  • Topic Starter

  • Members
  • 8 posts

Posted 31 December 2011 - 02:45 PM

Catbyte,

Completed all cleanup recommendations, except I don't believe I used the aswMBR during this work.

Thanks very much for your security recommendations and especially your critical assistance to recover my system. Please close this ticket and Happy New Year!

Andrew

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 31 December 2011 - 02:55 PM

You are welcome.

Stay safe, have a happy new year.

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 31 December 2011 - 02:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




