Search-Fast-Results Redirect and Rootkit ZeroAccess


  • This topic is locked
38 replies to this topic

#1 joefrog91

joefrog91

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 12 January 2012 - 08:15 AM

Three days ago, my computer was infected with the XP Antispyware 2012 virus. I googled how to fix it and thought everything was okay. The next day I kept getting Malwarebytes popup balloons saying it was blocking outgoing IPs. I searched on how to fix that and added Registry keys to turn off the popups.

I then noticed my Google searches were being redirected by something called Search-Fast-Results. I Googled that and found out, from your site, it is a virus. It seemed that the first thing people were being told was to run Combofix. So, I ran it. The program said I was infected with Rootkit ZeroAccess. It was past 2 am so I may not have fully understood what it said to do next. But I thought it said for me to reboot the computer and see if I could open the internet. If I couldn't, I needed to run Combofix again. I didn't get a log from that run. I rebooted the computer and was able to get on the internet and my Google searches were not redirected anymore. However, I thought it would be a good idea to post on here to get more help.

I was told by Broni to run SecurityCheck, Farbar Service Scanner, MiniToolBox, Malwarebytes, and aswMBR. The topic is located HERE.

Broni then said I had some serious issues and asked me to run the Prep Guide starting at Step 6. I followed the steps and have the DDS.txt and Attach.txt logs. However, I fell asleep while running the GMER program. My computer did an automatic update during the night and rebooted my computer. So, I don't have a log for that one. Should I rerun it to get a log? Here are the other two logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Joe at 21:44:48 on 2012-01-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.221 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link\DWA-130 revE\wirelesscm.exe
C:\Program Files\Verizon Wireless\mp3_downloadmanager_service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Joe\My Documents\firefox.exe
C:\Documents and Settings\Joe\My Documents\plugin-container.exe
C:\Documents and Settings\Joe\My Documents\plugin-container.exe
C:\Documents and Settings\Joe\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [lxdwamon] "c:\program files\lexmark 7600 series\lxdwamon.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [DownloadManagerService] "c:\program files\verizon wireless\dist\servicerunner.exe" /action:startService
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-4KB1K.exe" /REG /REGSVRMODE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-130 reve\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: cinemanow.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{149EE808-7314-4C66-8164-206F01F2CB9F} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joe\application data\mozilla\firefox\profiles\ji2iyn3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joe\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\joe\application data\mozilla\firefox\profiles\ji2iyn3o.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\joe\my documents\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\documents and settings\joe\my documents\plugins\npdeployJava1.dll
FF - plugin: c:\documents and settings\joe\my documents\plugins\npwachk.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2010-2-27 98984]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-2 652872]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2011-3-24 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-15 20464]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2011-3-24 588032]
S1 cswxqeje;cswxqeje;\??\c:\windows\system32\drivers\cswxqeje.sys --> c:\windows\system32\drivers\cswxqeje.sys [?]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\mpksl1ff108d4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\MpKsl1ff108d4.sys [?]
S1 MpKsl3e20492a;MpKsl3e20492a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45a0f256-392c-4ec5-96a0-f29600577ca6}\mpksl3e20492a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45a0f256-392c-4ec5-96a0-f29600577ca6}\MpKsl3e20492a.sys [?]
S1 MpKsl4566065e;MpKsl4566065e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc6a04e6-ff83-45ea-ad5b-6655aeb6944b}\mpksl4566065e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc6a04e6-ff83-45ea-ad5b-6655aeb6944b}\MpKsl4566065e.sys [?]
S1 MpKsl5bd01105;MpKsl5bd01105;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6f208b7-5d09-4f28-8f2d-442458e43e96}\mpksl5bd01105.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6f208b7-5d09-4f28-8f2d-442458e43e96}\MpKsl5bd01105.sys [?]
S1 MpKsl93a192bd;MpKsl93a192bd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dba69e2-092b-4f06-a51b-5e5cbb21ef96}\mpksl93a192bd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dba69e2-092b-4f06-a51b-5e5cbb21ef96}\MpKsl93a192bd.sys [?]
S1 MpKsla79984bc;MpKsla79984bc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3582f7-15df-4187-bfc7-331bcea9aab8}\mpksla79984bc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3582f7-15df-4187-bfc7-331bcea9aab8}\MpKsla79984bc.sys [?]
S1 MpKsld00c6d7e;MpKsld00c6d7e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de6c85bc-9240-43c7-a3e1-699d3859901b}\mpksld00c6d7e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de6c85bc-9240-43c7-a3e1-699d3859901b}\MpKsld00c6d7e.sys [?]
S1 MpKsle6737f8b;MpKsle6737f8b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c4c215b-657a-4aa8-9419-c47b8a8ffae3}\mpksle6737f8b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c4c215b-657a-4aa8-9419-c47b8a8ffae3}\MpKsle6737f8b.sys [?]
S1 MpKslef6c32fb;MpKslef6c32fb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c9f00fd-630a-4253-a663-8c69dae04763}\mpkslef6c32fb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c9f00fd-630a-4253-a663-8c69dae04763}\MpKslef6c32fb.sys [?]
S1 pmloqtud;pmloqtud;\??\c:\windows\system32\drivers\pmloqtud.sys --> c:\windows\system32\drivers\pmloqtud.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S2 WLSVC;WLSVC;c:\program files\d-link\dwa-130 reve\WLSVC.exe [2011-3-24 167936]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-11-9 20704]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-10 24064]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys --> c:\windows\system32\drivers\qcserxp.sys [?]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcmdmxp.sys --> c:\windows\system32\drivers\qcmdmxp.sys [?]
.
=============== Created Last 30 ================
.
2012-01-12 01:56:52 709968 ----a-w- c:\windows\is-4KB1K.exe
2012-01-12 01:53:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22cc7114-d161-40cb-8ae8-99d22e02bdfe}\offreg.dll
2012-01-12 00:54:24 709968 ----a-w- c:\windows\isRS-000.tmp
2012-01-11 08:36:44 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22cc7114-d161-40cb-8ae8-99d22e02bdfe}\mpengine.dll
2012-01-11 07:57:42 -------- d-sha-r- C:\cmdcons
2012-01-11 07:55:03 98816 ----a-w- c:\windows\sed.exe
2012-01-11 07:55:03 518144 ----a-w- c:\windows\SWREG.exe
2012-01-11 07:55:03 256000 ----a-w- c:\windows\PEV.exe
2012-01-11 07:55:03 208896 ----a-w- c:\windows\MBR.exe
2012-01-11 07:54:45 -------- d-s---w- C:\ComboFix
2012-01-11 07:23:59 98224 ----a-w- c:\windows\system32\drivers\04443434.sys
2012-01-11 02:39:02 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 03:33:24 709968 ----a-w- c:\windows\is-5HG7A.exe
2012-01-10 03:08:42 634504 ----a-w- c:\program files\internet explorer\Copy of iexplore.scr
2011-12-18 23:46:30 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 21:46:06.62 ===============
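The SERVICES / DRIVERS section of a DDS log is the first place a responder looks when a kernel-mode rootkit is suspected, and the log above contains the kinds of entries that deserve a second look: stopped system-start drivers under system32\drivers with lowercase pseudo-random names whose files DDS could not read (marked `--> <path> [?]`), and a service named 77D hosted in `svchost.exe -k netsvcs` with no descriptive display name. As an added example (not part of this thread, and not a DDS or BleepingComputer tool), here is a small Python triage script that parses that section and flags entries on those three heuristics. The sample lines are copied from the first log above; the regexes, the consonant-run threshold and the choice of heuristics are my own assumptions. Legitimate entries can trip them (the MpKsl* Microsoft Antimalware drivers also show `[?]`, and a demand-start driver for an unplugged device is ordinary), so the output is a list to examine by hand, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the SERVICES / DRIVERS lines copied from the
# first DDS log in this thread. DDS prints "<reg path> --> <resolved path> [?]"
# when it could not read or find the file behind a service or driver.
SAMPLE_DDS_SERVICES = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-2 652872]
S1 cswxqeje;cswxqeje;\??\c:\windows\system32\drivers\cswxqeje.sys --> c:\windows\system32\drivers\cswxqeje.sys [?]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\mpksl1ff108d4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\MpKsl1ff108d4.sys [?]
S1 pmloqtud;pmloqtud;\??\c:\windows\system32\drivers\pmloqtud.sys --> c:\windows\system32\drivers\pmloqtud.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys --> c:\windows\system32\drivers\qcserxp.sys [?]
"""

# "<R|S><start type> <name>;<display name>;<image> [<date> <size>]"
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
LINE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAT_RE = re.compile(r"\s\[(?P<stat>[^\]]*)\]\s*$")


@dataclass
class DdsEntry:
    state: str            # e.g. "S1"
    name: str             # service/driver key name
    display: str          # display name
    image: str            # resolved image path (and arguments, for svchost-hosted services)
    file_stat: Optional[str]  # "<date> <size>" from DDS, or None when DDS printed "[?]"


def parse_dds_services(text: str) -> List[DdsEntry]:
    """Parse the SERVICES / DRIVERS section of a DDS log into structured entries."""
    entries: List[DdsEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, or lines in another format
        rest = m.group("rest")
        file_stat: Optional[str] = None
        sm = STAT_RE.search(rest)
        if sm:
            file_stat = None if sm.group("stat") == "?" else sm.group("stat")
            rest = rest[: sm.start()]
        # For unreadable files DDS shows "<registry path> --> <resolved path>"; keep the resolved one.
        image = rest.split("-->")[-1].strip()
        entries.append(DdsEntry(m.group("state"), m.group("name"), m.group("display"), image, file_stat))
    return entries


def name_looks_random(e: DdsEntry) -> bool:
    """Heuristic (assumption): name == display name, all lowercase letters, 7+ chars,
    and a run of three or more consonants, which English-derived names rarely have."""
    n = e.name
    if n != e.display or not n.isalpha() or not n.islower() or len(n) < 7:
        return False
    return re.search(r"[bcdfghjklmnpqrstvwxz]{3}", n) is not None


def unverified_boot_driver(e: DdsEntry) -> bool:
    """Heuristic: boot/system-start driver under system32\\drivers whose file DDS could not read."""
    return e.file_stat is None and e.state[1] in "01" and "\\system32\\drivers\\" in e.image.lower()


def svchost_hosted_without_description(e: DdsEntry) -> bool:
    """Heuristic: a service hosted in svchost.exe whose display name is just its key name."""
    return "svchost.exe" in e.image.lower() and e.display == e.name


def triage(entries: List[DdsEntry]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every entry that trips at least one heuristic, most reasons first."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons = []
        if name_looks_random(e):
            reasons.append("pseudo-random service name")
        if unverified_boot_driver(e):
            reasons.append("boot/system-start driver whose file DDS could not read")
        if svchost_hosted_without_description(e):
            reasons.append("svchost-hosted service with no descriptive display name")
        if reasons:
            findings.append((e.name, reasons))
    return sorted(findings, key=lambda f: -len(f[1]))


if __name__ == "__main__":
    for name, reasons in triage(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the script lists cswxqeje and pmloqtud (two reasons each) and 77D (one reason); MpFilter, MBAMService, the MpKsl driver and the HTC qcserxp driver are not flagged. To use it on a full log, paste the whole DDS output into `SAMPLE_DDS_SERVICES`; the parser ignores every line that is not in the services format.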



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:33 AM

Posted 16 January 2012 - 11:52 AM

Do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 joefrog91

joefrog91
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 16 January 2012 - 06:37 PM

Do you still need help?


I guess so. The original person that responded to my post, Broni, said I still had issues and to post in this forum. I have not received a response yet.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:33 AM

Posted 16 January 2012 - 09:58 PM

Hi joefrog91 and welcome to BC.

We need to see a fresh log for us to see the current status of your machine, please run a scan with DDS again and post the new report for my review. We will begin from there. Thank you.

~Semp



#5 joefrog91

joefrog91
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 16 January 2012 - 10:55 PM

Hi joefrog91 and welcome to BC.

We need to see a fresh log for us to see the current status of your machine, please run a scan with DDS again and post the new report for my review. We will begin from there. Thank you.


Here is the fresh scan.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Joe at 21:50:27 on 2012-01-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.201 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link\DWA-130 revE\wirelesscm.exe
C:\Program Files\Verizon Wireless\mp3_downloadmanager_service.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Joe\My Documents\firefox.exe
C:\Documents and Settings\Joe\My Documents\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [lxdwamon] "c:\program files\lexmark 7600 series\lxdwamon.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [DownloadManagerService] "c:\program files\verizon wireless\dist\servicerunner.exe" /action:startService
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-130 reve\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: cinemanow.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{149EE808-7314-4C66-8164-206F01F2CB9F} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joe\application data\mozilla\firefox\profiles\ji2iyn3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joe\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\joe\my documents\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\documents and settings\joe\my documents\plugins\npdeployJava1.dll
FF - plugin: c:\documents and settings\joe\my documents\plugins\npwachk.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
R1 MpKsl956d3884;MpKsl956d3884;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25e19661-6ce0-4b3c-9b96-a5e63ac01379}\MpKsl956d3884.sys [2012-1-13 29904]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2010-2-27 98984]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-2 652872]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2011-3-24 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-15 20464]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2011-3-24 588032]
S1 cswxqeje;cswxqeje;\??\c:\windows\system32\drivers\cswxqeje.sys --> c:\windows\system32\drivers\cswxqeje.sys [?]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\mpksl1ff108d4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bbfd33aa-2879-4b26-a6d5-3d7f687e4f05}\MpKsl1ff108d4.sys [?]
S1 MpKsl3e20492a;MpKsl3e20492a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45a0f256-392c-4ec5-96a0-f29600577ca6}\mpksl3e20492a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45a0f256-392c-4ec5-96a0-f29600577ca6}\MpKsl3e20492a.sys [?]
S1 MpKsl4566065e;MpKsl4566065e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc6a04e6-ff83-45ea-ad5b-6655aeb6944b}\mpksl4566065e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc6a04e6-ff83-45ea-ad5b-6655aeb6944b}\MpKsl4566065e.sys [?]
S1 MpKsl5bd01105;MpKsl5bd01105;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6f208b7-5d09-4f28-8f2d-442458e43e96}\mpksl5bd01105.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6f208b7-5d09-4f28-8f2d-442458e43e96}\MpKsl5bd01105.sys [?]
S1 MpKsl93a192bd;MpKsl93a192bd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dba69e2-092b-4f06-a51b-5e5cbb21ef96}\mpksl93a192bd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7dba69e2-092b-4f06-a51b-5e5cbb21ef96}\MpKsl93a192bd.sys [?]
S1 MpKsla79984bc;MpKsla79984bc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3582f7-15df-4187-bfc7-331bcea9aab8}\mpksla79984bc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb3582f7-15df-4187-bfc7-331bcea9aab8}\MpKsla79984bc.sys [?]
S1 MpKsld00c6d7e;MpKsld00c6d7e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de6c85bc-9240-43c7-a3e1-699d3859901b}\mpksld00c6d7e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{de6c85bc-9240-43c7-a3e1-699d3859901b}\MpKsld00c6d7e.sys [?]
S1 MpKsle6737f8b;MpKsle6737f8b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c4c215b-657a-4aa8-9419-c47b8a8ffae3}\mpksle6737f8b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c4c215b-657a-4aa8-9419-c47b8a8ffae3}\MpKsle6737f8b.sys [?]
S1 MpKslef6c32fb;MpKslef6c32fb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c9f00fd-630a-4253-a663-8c69dae04763}\mpkslef6c32fb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c9f00fd-630a-4253-a663-8c69dae04763}\MpKslef6c32fb.sys [?]
S1 pmloqtud;pmloqtud;\??\c:\windows\system32\drivers\pmloqtud.sys --> c:\windows\system32\drivers\pmloqtud.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S2 WLSVC;WLSVC;c:\program files\d-link\dwa-130 reve\WLSVC.exe [2011-3-24 167936]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-11-9 20704]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-10 24064]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys --> c:\windows\system32\drivers\qcserxp.sys [?]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcmdmxp.sys --> c:\windows\system32\drivers\qcmdmxp.sys [?]
.
=============== Created Last 30 ================
.
2012-01-14 17:08:40 -------- d-----w- c:\documents and settings\joe\local settings\application data\Spotify
2012-01-14 17:06:23 -------- d-----w- c:\documents and settings\joe\application data\Spotify
2012-01-14 03:51:53 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25e19661-6ce0-4b3c-9b96-a5e63ac01379}\MpKsl956d3884.sys
2012-01-14 03:51:48 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25e19661-6ce0-4b3c-9b96-a5e63ac01379}\offreg.dll
2012-01-13 09:41:12 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{25e19661-6ce0-4b3c-9b96-a5e63ac01379}\mpengine.dll
2012-01-11 07:57:42 -------- d-sha-r- C:\cmdcons
2012-01-11 07:55:03 98816 ----a-w- c:\windows\sed.exe
2012-01-11 07:55:03 518144 ----a-w- c:\windows\SWREG.exe
2012-01-11 07:55:03 256000 ----a-w- c:\windows\PEV.exe
2012-01-11 07:55:03 208896 ----a-w- c:\windows\MBR.exe
2012-01-11 07:54:45 -------- d-s---w- C:\ComboFix
2012-01-11 07:23:59 98224 ----a-w- c:\windows\system32\drivers\04443434.sys
2012-01-11 02:39:02 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 03:33:24 709968 ----a-w- c:\windows\is-5HG7A.exe
2012-01-10 03:08:42 634504 ----a-w- c:\program files\internet explorer\Copy of iexplore.scr
2011-12-18 23:46:30 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 21:52:04.25 ===============




#6 sempai (Malware Response Team, 5,288 posts)

Posted 16 January 2012 - 11:15 PM

Thanks for the logs, ZeroAccess is still on board... Let's see what we can do.


Please delete any copy of Combofix that you have (do not uninstall) and then download/run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 joefrog91 (Topic Starter, 25 posts)

Posted 17 January 2012 - 12:21 AM

I ran it. Received a message saying Rootkit was detected and my computer needed to reboot. I clicked OK. My screen has shown the "Windows Shutting Down" message for 15 minutes now. That's unusual for my computer. Should I just shut it down?

I did not receive a log once it finished.

Edited by joefrog91, 17 January 2012 - 12:22 AM.


#8 sempai (Malware Response Team, 5,288 posts)

Posted 17 January 2012 - 12:35 AM

Please check if there's a log located at C:\ComboFix.txt and post the contents.


Click Start > Run then copy/paste the following bolded text below. A log file will open, please post the contents in your next reply.

cmd /c dir /a /s C:\QooBox >log.txt&start log.txt


~Semp



#9 joefrog91 (Topic Starter, 25 posts)

Posted 17 January 2012 - 12:38 AM

Ok, but should I do a hard shut down of my computer? It still hasn't shut down.

#10 sempai (Malware Response Team, 5,288 posts)

Posted 17 January 2012 - 12:42 AM

Oh sorry, I thought you already did. Please do a restart and see if Combofix will continue to run after the restart.

~Semp



#11 joefrog91 (Topic Starter, 25 posts)

Posted 17 January 2012 - 12:44 AM

Yes, I restarted it and ComboFix started right up. Should I wait to see what it does before looking for the log?

Sorry to be so dense.

#12 sempai (Malware Response Team, 5,288 posts)

Posted 17 January 2012 - 12:45 AM

Yes let it finish please.

~Semp



#13 joefrog91 (Topic Starter, 25 posts)

Posted 17 January 2012 - 01:19 AM

Here is the log.

ComboFix 12-01-16.05 - Joe 01/16/2012 23:43:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.489 [GMT -6:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\SPL18F.tmp
c:\documents and settings\All Users\SPL35.tmp
c:\documents and settings\All Users\SPL42.tmp
c:\documents and settings\All Users\SPLC.tmp
c:\documents and settings\Joe\Application Data\Local
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\3100.4570710.avi&b=121.ddr
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\3300.4570540.avi&b=122.ddr
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\3100.4570710.avi&b=121
c:\documents and settings\Joe\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\3300.4570540.avi&b=122.ddp
c:\documents and settings\Joe\Application Data\Remote
c:\documents and settings\Joe\Application Data\Remote\rlrszi
c:\documents and settings\Joe\Recent\Thumbs.db
c:\windows\$NtUninstallKB47583$
c:\windows\$NtUninstallKB47583$\2087887243
c:\windows\$NtUninstallKB47583$\2480526841\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB47583$\2480526841\L\oboynipj
c:\windows\$NtUninstallKB47583$\2480526841\loader.tlb
c:\windows\$NtUninstallKB47583$\2480526841\U\@00000001
c:\windows\$NtUninstallKB47583$\2480526841\U\@000000c0
c:\windows\$NtUninstallKB47583$\2480526841\U\@000000cb
c:\windows\$NtUninstallKB47583$\2480526841\U\@000000cf
c:\windows\$NtUninstallKB47583$\2480526841\U\@80000000
c:\windows\$NtUninstallKB47583$\2480526841\U\@800000c0
c:\windows\$NtUninstallKB47583$\2480526841\U\@800000cb
c:\windows\$NtUninstallKB47583$\2480526841\U\@800000cf
c:\windows\system32\SET5E.tmp
c:\windows\system32\SET63.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 06:00 . 2012-01-17 06:00 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25E19661-6CE0-4B3C-9B96-A5E63AC01379}\offreg.dll
2012-01-14 17:08 . 2012-01-14 17:16 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Spotify
2012-01-14 17:06 . 2012-01-14 17:16 -------- d-----w- c:\documents and settings\Joe\Application Data\Spotify
2012-01-13 09:41 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25E19661-6CE0-4B3C-9B96-A5E63AC01379}\mpengine.dll
2012-01-11 07:23 . 2012-01-11 07:24 98224 ----a-w- c:\windows\system32\drivers\04443434.sys
2012-01-11 02:39 . 2012-01-11 02:39 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 03:33 . 2012-01-10 03:33 709968 ----a-w- c:\windows\is-5HG7A.exe
2012-01-10 03:08 . 2011-10-31 10:46 634504 ----a-w- c:\program files\Internet Explorer\Copy of iexplore.scr
2011-12-18 23:46 . 2011-12-18 23:46 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-02-15 22:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2002-09-03 17:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2002-09-03 17:11 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2010-02-19 01:29 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-18 12:35 . 2002-09-03 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-03 15:28 . 2002-09-03 16:53 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2002-09-03 16:53 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2002-09-03 16:50 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2010-02-15 21:38 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2002-09-03 17:12 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2002-09-03 16:35 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2002-09-03 16:29 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-09-03 16:50 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2009-05-11 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2009-05-11 16040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"DownloadManagerService"="c:\program files\Verizon Wireless\dist\servicerunner.exe" [2011-05-18 94008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-130 revE\wirelesscm.exe [2011-3-24 505152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\77D]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HLBackupScheduler]
2010-12-08 09:24 5247624 ----a-w- c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Verizon Wireless\\mp3_downloadmanager_service.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Joe\\My Documents\\firefox.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
"c:\\Documents and Settings\\Joe\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2/27/2010 4:41 PM 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/2/2010 10:39 AM 652872]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/24/2011 11:17 AM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/15/2010 4:36 PM 20464]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [3/24/2011 11:16 AM 588032]
S1 cswxqeje;cswxqeje;\??\c:\windows\system32\drivers\cswxqeje.sys --> c:\windows\system32\drivers\cswxqeje.sys [?]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys [?]
S1 MpKsl3e20492a;MpKsl3e20492a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45A0F256-392C-4EC5-96A0-F29600577CA6}\MpKsl3e20492a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45A0F256-392C-4EC5-96A0-F29600577CA6}\MpKsl3e20492a.sys [?]
S1 MpKsl4566065e;MpKsl4566065e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC6A04E6-FF83-45EA-AD5B-6655AEB6944B}\MpKsl4566065e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC6A04E6-FF83-45EA-AD5B-6655AEB6944B}\MpKsl4566065e.sys [?]
S1 MpKsl5bd01105;MpKsl5bd01105;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6F208B7-5D09-4F28-8F2D-442458E43E96}\MpKsl5bd01105.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6F208B7-5D09-4F28-8F2D-442458E43E96}\MpKsl5bd01105.sys [?]
S1 MpKsl93a192bd;MpKsl93a192bd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DBA69E2-092B-4F06-A51B-5E5CBB21EF96}\MpKsl93a192bd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DBA69E2-092B-4F06-A51B-5E5CBB21EF96}\MpKsl93a192bd.sys [?]
S1 MpKsla79984bc;MpKsla79984bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3582F7-15DF-4187-BFC7-331BCEA9AAB8}\MpKsla79984bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3582F7-15DF-4187-BFC7-331BCEA9AAB8}\MpKsla79984bc.sys [?]
S1 MpKsld00c6d7e;MpKsld00c6d7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE6C85BC-9240-43C7-A3E1-699D3859901B}\MpKsld00c6d7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE6C85BC-9240-43C7-A3E1-699D3859901B}\MpKsld00c6d7e.sys [?]
S1 MpKsle6737f8b;MpKsle6737f8b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C4C215B-657A-4AA8-9419-C47B8A8FFAE3}\MpKsle6737f8b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C4C215B-657A-4AA8-9419-C47B8A8FFAE3}\MpKsle6737f8b.sys [?]
S1 MpKslef6c32fb;MpKslef6c32fb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C9F00FD-630A-4253-A663-8C69DAE04763}\MpKslef6c32fb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C9F00FD-630A-4253-A663-8C69DAE04763}\MpKslef6c32fb.sys [?]
S1 pmloqtud;pmloqtud;\??\c:\windows\system32\drivers\pmloqtud.sys --> c:\windows\system32\drivers\pmloqtud.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 11:05 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 1:48 PM 136176]
S2 WLSVC;WLSVC;c:\program files\D-Link\DWA-130 revE\WLSVC.exe [3/24/2011 11:17 AM 167936]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 20704]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 1:48 PM 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [1/10/2012 8:39 PM 24064]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\DRIVERS\qcserxp.sys --> c:\windows\system32\DRIVERS\qcserxp.sys [?]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcmdmxp.sys --> c:\windows\system32\DRIVERS\qcmdmxp.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
77D
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:47]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:47]
.
2012-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\ji2iyn3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
MSConfigStartUp-Bgunitexeted - c:\windows\ruiptxt.dll
MSConfigStartUp-lpc - c:\documents and settings\Joe\Application Data\Remote\yzzc14.dll
AddRemove-SoftwareUpdUtility - c:\program files\Common Files\Software Update Utility\uninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 00:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77D]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\Joe\LOCALS~1\Temp\77D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\BCMSMMSG.exe
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\program files\Verizon Wireless\mp3_downloadmanager_service.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\SoftwareDistribution\Download\Install\AM_Delta.exe
.
**************************************************************************
.
Completion time: 2012-01-17 00:14:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 06:14
.
Pre-Run: 1,241,432,064 bytes free
Post-Run: 4,924,887,040 bytes free
.
- - End Of File - - 05388A1A7CFD3BF03049EBA81F313AE2
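The ComboFix log above carries the entries the helper goes on to target: two randomly named S1 drivers whose files cannot be found (cswxqeje, pmloqtud), the "77D" netsvcs service whose ServiceDll is a .tmp file in the user's Temp folder reached via \\.\globalroot, "@"-named files under a fake $NtUninstallKB47583$ folder, and the Security Center / firewall override values. As an added example, not part of this thread or of ComboFix, here is a small Python triage script that scans ComboFix-style log text for exactly those patterns; its sample input is constructed from lines of the log above and the category labels are my own.

```python
"""Triage helper for ComboFix-style log text (added example, not from the
thread or from ComboFix). It flags the entry patterns seen in the posted log."""
from __future__ import annotations

import re
from collections import defaultdict

# Microsoft's definition-update drivers (MpKsl...) also appear as S1 entries
# with "[?]" in the posted log; they are expected and are excluded below.
BENIGN_DRIVER_PREFIXES = ("MpKsl",)

# ComboFix service line: "S1 name;display name;path --> path [?]"
SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
# Eight random lowercase letters, like cswxqeje and pmloqtud in the log
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
# "@"-named files under a fake uninstall folder, e.g.
#   c:\windows\$NtUninstallKB47583$\2480526841\U\@000000cf
FAKE_UNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\.*\\U\\@[0-9a-f]{8}$", re.I)
# A ServiceDll resolved through \\.\globalroot into a user's Temp folder
GLOBALROOT_TEMP_RE = re.compile(r'^"servicedll"=".*globalroot.*\\temp\\[^"\\]+\.tmp"$', re.I)
# Security Center / firewall values exactly as ComboFix prints them when weakened
WEAK_SETTINGS = {
    '"AntiVirusOverride"=dword:00000001': "Security Center AV override on",
    '"FirewallOverride"=dword:00000001': "Security Center firewall override on",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled",
    '"DisableNotifications"= 1 (0x1)': "Firewall notifications disabled",
}


def scan_log(text: str) -> dict[str, list[str]]:
    """Return {category: [matching log lines]} for the patterns above."""
    findings: dict[str, list[str]] = defaultdict(list)
    current_key = ""  # most recent [HKEY...] header, kept for context
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix uses "." as a spacer
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue
        if line in WEAK_SETTINGS:
            findings[WEAK_SETTINGS[line]].append(line)
        elif GLOBALROOT_TEMP_RE.match(line):
            findings["service DLL loaded from Temp via globalroot"].append(
                f"{current_key} {line}")
        elif FAKE_UNINSTALL_RE.search(line):
            findings["'@' file under fake $NtUninstall folder"].append(line)
        else:
            m = SERVICE_RE.match(line)
            if m:
                name = m.group("name")
                file_missing = m.group("rest").endswith("[?]")
                if (file_missing and RANDOM_NAME_RE.match(name)
                        and not name.startswith(BENIGN_DRIVER_PREFIXES)):
                    findings["random-named driver with missing file"].append(line)
    return dict(findings)


def summarize(findings: dict[str, list[str]]) -> dict[str, int]:
    """Count of hits per category, for a quick overview."""
    return {category: len(lines) for category, lines in findings.items()}


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB47583$\2480526841\loader.tlb
c:\windows\$NtUninstallKB47583$\2480526841\U\@00000001
c:\windows\$NtUninstallKB47583$\2480526841\U\@800000cf
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/15/2010 4:36 PM 20464]
S1 cswxqeje;cswxqeje;\??\c:\windows\system32\drivers\cswxqeje.sys --> c:\windows\system32\drivers\cswxqeje.sys [?]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys [?]
S1 pmloqtud;pmloqtud;\??\c:\windows\system32\drivers\pmloqtud.sys --> c:\windows\system32\drivers\pmloqtud.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 11:05 AM 14336]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\DRIVERS\qcserxp.sys --> c:\windows\system32\DRIVERS\qcserxp.sys [?]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77D]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\Joe\LOCALS~1\Temp\77D.tmp"
"""


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for category, count in summarize(result).items():
        print(f"{count} x {category}")
    for entry in result.get("random-named driver with missing file", []):
        print("  driver to review:", entry.split(";")[0])
```

Run it against a full ComboFix.txt by reading the file into scan_log; the legitimate qcserxp and MpKsl entries in the sample are there to show that the checks do not fire on them.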

#14 sempai (Malware Response Team, 5,288 posts)

Posted 17 January 2012 - 02:18 AM

Please tell me how the computer is running after doing the instructions below.


Step 1: Please go to http://virscan.org/
  • Enter the following file paths into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\drivers\04443434.sys
    c:\windows\is-5HG7A.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Step 2: We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

File::
c:\windows\system32\drivers\cswxqeje.sys
c:\windows\system32\drivers\pmloqtud.sys

FileLook::
c:\windows\system32\drivers\04443434.sys
c:\windows\is-5HG7A.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

Driver::
cswxqeje
pmloqtud

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp



#15 joefrog91 (Topic Starter, 25 posts)

Posted 17 January 2012 - 01:27 PM

Here's the new log. It still gave me a message saying I had Rootkit Zero Access when I ran ComboFix again.

ComboFix 12-01-16.05 - Joe 01/17/2012 7:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.493 [GMT -6:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\cswxqeje.sys"
"c:\windows\system32\drivers\pmloqtud.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cswxqeje
-------\Service_pmloqtud
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 14:03 . 2012-01-17 14:03 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FFFA8472-6020-4B94-B121-BF1B2336D281}\offreg.dll
2012-01-17 07:00 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FFFA8472-6020-4B94-B121-BF1B2336D281}\mpengine.dll
2012-01-14 17:08 . 2012-01-14 17:16 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Spotify
2012-01-14 17:06 . 2012-01-14 17:16 -------- d-----w- c:\documents and settings\Joe\Application Data\Spotify
2012-01-11 07:23 . 2012-01-11 07:24 98224 ----a-w- c:\windows\system32\drivers\04443434.sys
2012-01-11 02:39 . 2012-01-11 02:39 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 03:33 . 2012-01-10 03:33 709968 ----a-w- c:\windows\is-5HG7A.exe
2012-01-10 03:08 . 2011-10-31 10:46 634504 ----a-w- c:\program files\Internet Explorer\Copy of iexplore.scr
2011-12-18 23:46 . 2011-12-18 23:46 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-02-15 22:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2002-09-03 17:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2002-09-03 17:11 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2010-02-19 01:29 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-18 12:35 . 2002-09-03 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-03 15:28 . 2002-09-03 16:53 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2002-09-03 16:53 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2002-09-03 16:50 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2010-02-15 21:38 78336 ------w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2002-09-03 17:12 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2002-09-03 16:35 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2002-09-03 16:29 17408 ------w- c:\windows\system32\corpol.dll
2011-10-28 05:31 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-09-03 16:50 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\is-5HG7A.exe ---
Company:
File Description: Setup/Uninstall
File Version: 51.52.0.0
Product Name:
Copyright:
Original Filename:
File size: 709968
Created time: 2012-01-10 03:33
Modified time: 2012-01-10 03:33
MD5: D35094E97B0622D4758AD80CEC5458F6
SHA1: 8562CB47ED0198A6D01CABEFFE7521BE15CF9B84
.
.
--- c:\windows\system32\drivers\04443434.sys ---
Company: Kaspersky Lab, GERT
File Description: Kaspersky Lab Mini Driver
File Version: 2.7.0.0 built by: WinDDK
Product Name: Kaspersky Lab Mini Driver
Copyright: Copyright © Kaspersky Lab, GERT
Original Filename: klmd.sys
File size: 98224
Created time: 2012-01-11 07:23
Modified time: 2012-01-11 07:24
MD5: 21617FFFF50ABF580174AE9DAC968D9F
SHA1: C0183B03E434770E519C437EC84F0E866B22C1B4
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_06.02.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-17 14:03 . 2012-01-17 14:03 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2009-05-11 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2009-05-11 16040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"DownloadManagerService"="c:\program files\Verizon Wireless\dist\servicerunner.exe" [2011-05-18 94008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-130 revE\wirelesscm.exe [2011-3-24 505152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\77D]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HLBackupScheduler]
2010-12-08 09:24 5247624 ----a-w- c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Verizon Wireless\\mp3_downloadmanager_service.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Joe\\My Documents\\firefox.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
"c:\\Documents and Settings\\Joe\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2/27/2010 4:41 PM 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/2/2010 10:39 AM 652872]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/24/2011 11:17 AM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/15/2010 4:36 PM 20464]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [3/24/2011 11:16 AM 588032]
S1 MpKsl1ff108d4;MpKsl1ff108d4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFD33AA-2879-4B26-A6D5-3D7F687E4F05}\MpKsl1ff108d4.sys [?]
S1 MpKsl3e20492a;MpKsl3e20492a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45A0F256-392C-4EC5-96A0-F29600577CA6}\MpKsl3e20492a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45A0F256-392C-4EC5-96A0-F29600577CA6}\MpKsl3e20492a.sys [?]
S1 MpKsl4566065e;MpKsl4566065e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC6A04E6-FF83-45EA-AD5B-6655AEB6944B}\MpKsl4566065e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC6A04E6-FF83-45EA-AD5B-6655AEB6944B}\MpKsl4566065e.sys [?]
S1 MpKsl5bd01105;MpKsl5bd01105;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6F208B7-5D09-4F28-8F2D-442458E43E96}\MpKsl5bd01105.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F6F208B7-5D09-4F28-8F2D-442458E43E96}\MpKsl5bd01105.sys [?]
S1 MpKsl5d479347;MpKsl5d479347;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25E19661-6CE0-4B3C-9B96-A5E63AC01379}\MpKsl5d479347.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25E19661-6CE0-4B3C-9B96-A5E63AC01379}\MpKsl5d479347.sys [?]
S1 MpKsl93a192bd;MpKsl93a192bd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DBA69E2-092B-4F06-A51B-5E5CBB21EF96}\MpKsl93a192bd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7DBA69E2-092B-4F06-A51B-5E5CBB21EF96}\MpKsl93a192bd.sys [?]
S1 MpKsla79984bc;MpKsla79984bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3582F7-15DF-4187-BFC7-331BCEA9AAB8}\MpKsla79984bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB3582F7-15DF-4187-BFC7-331BCEA9AAB8}\MpKsla79984bc.sys [?]
S1 MpKsld00c6d7e;MpKsld00c6d7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE6C85BC-9240-43C7-A3E1-699D3859901B}\MpKsld00c6d7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE6C85BC-9240-43C7-A3E1-699D3859901B}\MpKsld00c6d7e.sys [?]
S1 MpKsle6737f8b;MpKsle6737f8b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C4C215B-657A-4AA8-9419-C47B8A8FFAE3}\MpKsle6737f8b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C4C215B-657A-4AA8-9419-C47B8A8FFAE3}\MpKsle6737f8b.sys [?]
S1 MpKslef6c32fb;MpKslef6c32fb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C9F00FD-630A-4253-A663-8C69DAE04763}\MpKslef6c32fb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C9F00FD-630A-4253-A663-8C69DAE04763}\MpKslef6c32fb.sys [?]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 11:05 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 1:48 PM 136176]
S2 WLSVC;WLSVC;c:\program files\D-Link\DWA-130 revE\WLSVC.exe [3/24/2011 11:17 AM 167936]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [11/9/2010 8:46 PM 20704]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 1:48 PM 136176]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [1/10/2012 8:39 PM 24064]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\DRIVERS\qcserxp.sys --> c:\windows\system32\DRIVERS\qcserxp.sys [?]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcmdmxp.sys --> c:\windows\system32\DRIVERS\qcmdmxp.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
77D
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:47]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 19:47]
.
2012-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\ji2iyn3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 12:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77D]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\Joe\LOCALS~1\Temp\77D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\program files\Verizon Wireless\mp3_downloadmanager_service.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-01-17 12:16:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 18:16
ComboFix2.txt 2012-01-17 06:14
.
Pre-Run: 4,956,995,584 bytes free
Post-Run: 4,879,220,736 bytes free
.
- - End Of File - - 7E158F865F625F2DF7CC31F83A927BA9
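An added triage example (not part of the thread and not ComboFix's own logic): it parses the `R2`/`S2` service lines and the `Services\<name>` ServiceDll key in the log format above and flags an svchost-hosted service whose DLL is referenced through a `\\.\globalroot` device path, lives under a Temp directory, or lacks a `.dll` extension. The embedded log excerpt is constructed to mirror the `77D` entries in the log, and the three path heuristics are assumptions, not rules ComboFix applies.

```python
import re

# Constructed excerpt in the shape of the ComboFix log above (not the full log):
# three "Drivers/Services" entries plus the Services\<name> key with its ServiceDll.
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/2/2010 10:39 AM 652872]
S2 77D;77D;c:\windows\system32\svchost.exe -k netsvcs [9/3/2002 11:05 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 1:48 PM 136176]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\77D]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\Joe\LOCALS~1\Temp\77D.tmp"
.
"""

# "R2 name;display;command [date size]" service lines, Services\<name> keys, ServiceDll values
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)(?:\s+\[[^\]]*\])?$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"servicedll"="(?P<dll>.*)"$', re.I)


def parse_log(text):
    """Return ({service: command line}, {service: ServiceDll path}) from log text."""
    services, dlls = {}, {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            services[m["name"]] = m["cmd"]
        elif m := KEY_RE.match(line):
            current_key = m["name"]
        elif (m := DLL_RE.match(line)) and current_key:
            dlls[current_key] = m["dll"]
    return services, dlls


def dll_path_reasons(path):
    """Heuristics (assumed here, not ComboFix's) for a ServiceDll that looks out of place."""
    low = path.lower()
    reasons = []
    if low.startswith("\\\\.\\globalroot\\"):
        reasons.append("referenced through a \\\\.\\globalroot device path instead of a drive letter")
    if "\\temp\\" in low:
        reasons.append("stored under a Temp directory")
    if not low.endswith(".dll"):
        reasons.append("service DLL does not carry a .dll extension")
    return reasons


def triage(text):
    """Flag svchost-hosted services whose ServiceDll trips any heuristic."""
    services, dlls = parse_log(text)
    findings = []
    for name, cmd in services.items():
        if "svchost.exe" not in cmd.lower():
            continue  # only shared-host services load a ServiceDll
        dll = dlls.get(name)
        if dll and (reasons := dll_path_reasons(dll)):
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {dll}\n  - " + "\n  - ".join(reasons))
```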



