Rootkit & malware removed (win32zaccess) ???


  • Please log in to reply
70 replies to this topic

#1 2fort

2fort

  • Members
  • 39 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 26 January 2012 - 01:49 PM

Hi, thanks for the help.

I have been helping friends and family remove malware and viruses for a long time, but this is my first time removing a rootkit. I think I got the rootkit or rootkits removed but want to make sure before I work on the DNS problem it also has.

What is strange is the computer will not connect to the internet (DNS errors), but I'm still getting bytes sent and received without even opening a browser. I'm talking like anywhere from 5000 to 33000. This seems high, and I'm thinking that something else is connecting and doing something at each boot.

Besides all the malware that Malwarebytes and SUPERAntiSpyware removed, Kaspersky removed the following: virus.win32.zaccess.k and packed.win32.krap.hc

Also, before I ran Kaspersky I did run ComboFix, and it said it removed a rootkit and rebooted; then the power went out and I never had a chance to look at the log. To save some time I also pasted the last ComboFix log.

If someone would check the logs and see if I did remove all the rootkits, I can start working on the DNS problems.

Thanks ahead of time for the great service you do for everyone.

George

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 18:09:36 on 2012-01-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.222 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{F33FBB71-6D62-40F0-8D9B-62C938483BE0} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\7kaz0kdp.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80117&language=en&qkw=
FF - prefs.js: network.proxy.type - 0
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extentions.y2layers.installId - 862a6a7a-6198-4db8-bed6-75e08445db10
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\docume~1\hp_owner\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\docume~1\hp_owner\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-20 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-20 20464]
RUnknown 04494140;04494140; [x]
RUnknown 6268202drv;6268202drv; [x]
S3 BWSQ;BWSQ;c:\docume~1\hp_owner\locals~1\temp\bwsq.exe --> c:\docume~1\hp_owner\locals~1\temp\BWSQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [2009-8-2 38656]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\drivers\capt907b.sys --> c:\windows\system32\drivers\Capt907B.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\avanqu~1\system~1\tfilter.sys --> c:\progra~1\avanqu~1\system~1\TFilter.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-23 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-23 135664]
S4 hpdj00;hpdj00; [x]
S4 hpdj01;hpdj01; [x]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2012-01-22 01:57:41 -------- d-----w- C:\ComboFix
2012-01-21 17:27:22 14664 ----a-w- c:\windows\stinger.sys
2012-01-21 17:26:22 -------- d-----w- c:\program files\stinger
2012-01-21 17:21:04 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-20 20:16:03 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-17 20:31:51 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2012-01-17 20:30:56 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-01-17 20:29:57 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2012-01-17 20:28:58 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2012-01-17 20:27:57 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2012-01-17 20:26:56 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2012-01-17 20:25:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2012-01-17 20:24:58 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-01-17 20:23:57 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2012-01-17 20:22:58 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-01-17 20:21:58 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-17 20:20:57 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-01-17 20:19:58 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-01-17 20:18:55 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-01-17 20:17:57 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-01-17 20:16:55 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-01-17 20:15:58 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-01-17 20:14:59 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-01-17 20:13:57 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-17 20:12:59 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-17 20:11:59 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2012-01-17 20:10:56 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-17 20:09:58 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2012-01-17 20:08:57 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-01-17 20:07:59 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2012-01-17 20:06:58 248064 -c--a-w- c:\windows\system32\dllcache\cl546xm.sys
2012-01-17 20:05:38 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-17 20:04:59 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2012-01-17 20:03:43 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-17 19:00:13 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-17 16:35:49 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-17 14:20:20 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 14:17:34 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 22:29:53 98816 ----a-w- c:\windows\sed.exe
2012-01-16 22:29:53 518144 ----a-w- c:\windows\SWREG.exe
2012-01-16 22:29:53 256000 ----a-w- c:\windows\PEV.exe
2012-01-16 22:29:53 208896 ----a-w- c:\windows\MBR.exe
2012-01-16 17:07:47 -------- d-----w- c:\program files\MozBackup
2012-01-15 22:52:02 -------- d-----w- c:\program files\Sophos
2012-01-14 16:35:44 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2012-01-14 16:35:44 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2012-01-13 17:01:44 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-13 17:01:44 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-13 17:01:44 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-13 17:01:44 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-13 15:35:42 -------- d-----w- c:\documents and settings\hp_owner\application data\iolo
2012-01-13 15:35:42 -------- d-----w- c:\documents and settings\all users\application data\iolo
2012-01-13 00:43:35 -------- d-----w- c:\documents and settings\hp_owner\application data\SUPERAntiSpyware.com
2012-01-13 00:43:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-12 20:22:27 -------- d-----w- c:\documents and settings\hp_owner\application data\Malwarebytes
2012-01-12 20:22:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-12 20:22:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 02:29:11 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-01-09 05:12:17 -------- d-----w- C:\found.001
2012-01-06 12:58:13 138112 ----a-w- c:\windows\system32\drivers\jnFFlsCV.sys
2012-01-03 02:45:51 -------- d-----w- c:\documents and settings\all users\application data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 01:36:20 -------- d-----w- c:\documents and settings\hp_owner\application data\DriverCure
2012-01-03 01:36:19 -------- d-----w- c:\documents and settings\hp_owner\application data\SpeedMaxPc
2012-01-03 01:34:36 -------- d-----w- c:\documents and settings\all users\application data\SpeedMaxPc
2012-01-03 01:21:58 -------- d-----w- c:\program files\Uniblue
2012-01-03 01:21:28 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\PackageAware
2012-01-01 17:15:11 138112 ----a-w- c:\windows\system32\drivers\ozXseBEa.sys
2011-12-29 02:06:43 138112 ----a-w- c:\windows\system32\drivers\ItgQNdTr.sys
2011-12-27 18:35:13 138112 ----a-w- c:\windows\system32\drivers\fnShgqpi.sys
.
==================== Find3M ====================
.
2012-01-12 20:54:33 141272 ----a-w- c:\windows\system32\WRusr.dll
2012-01-09 04:29:14 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2004-08-04 12:00:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 18:11:20.43 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-25 21:46:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b Maxtor_6Y160P0 rev.YAR41BW0
Running: 101wmg09.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kwtciaow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


ComboFix 12-01-19.02 - HP_Owner 01/20/2012 10:51:35.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.188 [GMT -5:00]
Running from: l:\rookkit\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 14:16 . 2012-01-20 14:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-20 13:56 . 2012-01-20 13:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-17 20:31 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2012-01-17 20:30 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-01-17 20:29 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2012-01-17 20:28 . 2001-08-17 19:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2012-01-17 20:27 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2012-01-17 20:26 . 2001-08-17 18:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2012-01-17 20:25 . 2001-08-17 19:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2012-01-17 20:24 . 2001-08-17 17:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-01-17 20:23 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2012-01-17 20:22 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-01-17 20:21 . 2001-08-17 18:52 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-17 20:20 . 2001-08-18 03:36 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-01-17 20:19 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-01-17 20:18 . 2001-08-17 17:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-01-17 20:17 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-01-17 20:16 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-01-17 20:15 . 2001-08-17 17:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-01-17 20:14 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-01-17 20:13 . 2001-08-17 19:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-17 20:12 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-17 20:11 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-17 20:10 . 2001-08-17 17:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-17 20:09 . 2001-08-17 17:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2012-01-17 20:08 . 2001-08-17 17:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-01-17 20:07 . 2001-08-17 18:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2012-01-17 20:06 . 2001-08-17 18:57 248064 -c--a-w- c:\windows\system32\dllcache\cl546xm.sys
2012-01-17 20:05 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-17 20:04 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2012-01-17 20:03 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-17 16:35 . 2012-01-17 16:35 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-17 14:20 . 2012-01-17 22:05 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 14:17 . 2012-01-17 14:17 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 19:29 . 2012-01-16 19:29 -------- d-----w- c:\documents and settings\Administrator
2012-01-16 17:09 . 2012-01-16 23:55 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-01-16 17:07 . 2012-01-16 17:07 -------- d-----w- c:\program files\MozBackup
2012-01-15 22:52 . 2012-01-15 22:52 -------- d-----w- c:\program files\Sophos
2012-01-14 16:35 . 2004-08-04 03:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2012-01-14 16:35 . 2004-08-04 03:31 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2012-01-13 17:01 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-13 17:01 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-13 17:01 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-13 17:01 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\iolo
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-01-13 00:43 . 2012-01-13 00:43 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2012-01-13 00:43 . 2012-01-13 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-12 20:54 . 2012-01-12 20:54 107336 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-12 20:22 . 2012-01-12 20:22 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2012-01-12 20:22 . 2012-01-12 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-12 20:22 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 20:22 . 2012-01-13 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 02:29 . 2012-01-10 02:29 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-01-09 05:12 . 2012-01-09 05:12 -------- d-----w- C:\found.001
2012-01-06 12:58 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\jnFFlsCV.sys
2012-01-03 02:45 . 2012-01-03 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 01:36 . 2012-01-03 01:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\DriverCure
2012-01-03 01:36 . 2012-01-03 01:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SpeedMaxPc
2012-01-03 01:34 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\program files\Uniblue
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\PackageAware
2012-01-01 17:15 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ozXseBEa.sys
2011-12-29 02:06 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ItgQNdTr.sys
2011-12-27 18:35 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\fnShgqpi.sys
2011-12-27 09:00 . 2011-12-27 09:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-26 17:16 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\eJkkcAdY.sys
2011-12-25 21:34 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\grlnTvDg.sys
2011-12-25 21:29 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\XynjchFS.sys
2011-12-24 16:12 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\GvvueuOj.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 20:54 . 2011-12-11 00:40 141272 ----a-w- c:\windows\system32\WRusr.dll
2012-01-09 04:29 . 2004-08-07 18:46 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-21 07:24 . 2011-04-14 17:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5-Day Forecast]
2010-06-15 16:30 876544 ----a-w- c:\program files\5-Day Forecast\5-Day Forecast\5-day forecast.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-24 22:50 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-01 21:43 163840 ----a-w- c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-13 22:53 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"idsvc"=3 (0x3)
"hpdj01"=2 (0x2)
"hpdj00"=2 (0x2)
"gusvc"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HP_Owner\\My Documents\\AmazonMP3Installer.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/12/2012 3:22 PM 20464]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/12/2012 3:22 PM 652872]
S3 BWSQ;BWSQ;c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/20/2012 9:16 AM 40776]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [8/2/2009 5:49 PM 38656]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys --> c:\windows\system32\Drivers\Capt907B.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 hpdj00;hpdj00; [x]
S4 hpdj01;hpdj01; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 46194405
*Deregistered* - 46194405
*Deregistered* - NDISRD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-20 c:\windows\Tasks\User_Feed_Synchronization-{DB55124A-6B37-42CC-9B57-2899C8CC1399}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\7kaz0kdp.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80117&language=en&qkw=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extentions.y2layers.installId - 862a6a7a-6198-4db8-bed6-75e08445db10
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-20 11:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-20 11:09:03
ComboFix-quarantined-files.txt 2012-01-20 16:08
ComboFix2.txt 2012-01-17 21:20
ComboFix3.txt 2012-01-17 19:45
ComboFix4.txt 2012-01-17 18:03
ComboFix5.txt 2012-01-20 15:46
.
Pre-Run: 118,101,671,936 bytes free
Post-Run: 118,089,576,448 bytes free
.
- - End Of File - - 21D1CFB5D845F90E3DE5ECB2F0258638

#2 Cookiegal (Security Colleague, 93 posts)

Posted 27 January 2012 - 12:12 PM

As you've run ComboFix several times, I'd like to see this log as well so please copy and paste the contents here:

C:\qoobox\ComboFix4.txt

#3 2fort (Topic Starter, Members, 39 posts)

Posted 27 January 2012 - 12:34 PM

Thanks for the help.


ComboFix 12-01-19.02 - HP_Owner 01/20/2012 10:51:35.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.188 [GMT -5:00]
Running from: l:\rookkit\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 14:16 . 2012-01-20 14:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-20 13:56 . 2012-01-20 13:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-17 20:31 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2012-01-17 20:30 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-01-17 20:29 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2012-01-17 20:28 . 2001-08-17 19:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2012-01-17 20:27 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2012-01-17 20:26 . 2001-08-17 18:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2012-01-17 20:25 . 2001-08-17 19:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2012-01-17 20:24 . 2001-08-17 17:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-01-17 20:23 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2012-01-17 20:22 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-01-17 20:21 . 2001-08-17 18:52 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-17 20:20 . 2001-08-18 03:36 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-01-17 20:19 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-01-17 20:18 . 2001-08-17 17:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-01-17 20:17 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-01-17 20:16 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-01-17 20:15 . 2001-08-17 17:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-01-17 20:14 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-01-17 20:13 . 2001-08-17 19:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-17 20:12 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-17 20:11 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-17 20:10 . 2001-08-17 17:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-17 20:09 . 2001-08-17 17:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2012-01-17 20:08 . 2001-08-17 17:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-01-17 20:07 . 2001-08-17 18:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2012-01-17 20:06 . 2001-08-17 18:57 248064 -c--a-w- c:\windows\system32\dllcache\cl546xm.sys
2012-01-17 20:05 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-17 20:04 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2012-01-17 20:03 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-17 16:35 . 2012-01-17 16:35 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-17 14:20 . 2012-01-17 22:05 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 14:17 . 2012-01-17 14:17 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 19:29 . 2012-01-16 19:29 -------- d-----w- c:\documents and settings\Administrator
2012-01-16 17:09 . 2012-01-16 23:55 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-01-16 17:07 . 2012-01-16 17:07 -------- d-----w- c:\program files\MozBackup
2012-01-15 22:52 . 2012-01-15 22:52 -------- d-----w- c:\program files\Sophos
2012-01-14 16:35 . 2004-08-04 03:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2012-01-14 16:35 . 2004-08-04 03:31 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2012-01-13 17:01 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-13 17:01 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-13 17:01 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-13 17:01 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\iolo
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-01-13 00:43 . 2012-01-13 00:43 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2012-01-13 00:43 . 2012-01-13 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-12 20:54 . 2012-01-12 20:54 107336 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-01-12 20:22 . 2012-01-12 20:22 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2012-01-12 20:22 . 2012-01-12 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-12 20:22 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 20:22 . 2012-01-13 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 02:29 . 2012-01-10 02:29 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-01-09 05:12 . 2012-01-09 05:12 -------- d-----w- C:\found.001
2012-01-06 12:58 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\jnFFlsCV.sys
2012-01-03 02:45 . 2012-01-03 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-03 01:36 . 2012-01-03 01:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\DriverCure
2012-01-03 01:36 . 2012-01-03 01:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SpeedMaxPc
2012-01-03 01:34 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedMaxPc
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\program files\Uniblue
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\PackageAware
2012-01-01 17:15 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ozXseBEa.sys
2011-12-29 02:06 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ItgQNdTr.sys
2011-12-27 18:35 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\fnShgqpi.sys
2011-12-27 09:00 . 2011-12-27 09:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-26 17:16 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\eJkkcAdY.sys
2011-12-25 21:34 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\grlnTvDg.sys
2011-12-25 21:29 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\XynjchFS.sys
2011-12-24 16:12 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\GvvueuOj.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 20:54 . 2011-12-11 00:40 141272 ----a-w- c:\windows\system32\WRusr.dll
2012-01-09 04:29 . 2004-08-07 18:46 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-21 07:24 . 2011-04-14 17:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5-Day Forecast]
2010-06-15 16:30 876544 ----a-w- c:\program files\5-Day Forecast\5-Day Forecast\5-day forecast.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-24 22:50 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-01 21:43 163840 ----a-w- c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-13 22:53 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"idsvc"=3 (0x3)
"hpdj01"=2 (0x2)
"hpdj00"=2 (0x2)
"gusvc"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HP_Owner\\My Documents\\AmazonMP3Installer.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/12/2012 3:22 PM 20464]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/12/2012 3:22 PM 652872]
S3 BWSQ;BWSQ;c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/20/2012 9:16 AM 40776]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [8/2/2009 5:49 PM 38656]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys --> c:\windows\system32\Drivers\Capt907B.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 hpdj00;hpdj00; [x]
S4 hpdj01;hpdj01; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 46194405
*Deregistered* - 46194405
*Deregistered* - NDISRD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-20 c:\windows\Tasks\User_Feed_Synchronization-{DB55124A-6B37-42CC-9B57-2899C8CC1399}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\7kaz0kdp.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80117&language=en&qkw=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extentions.y2layers.installId - 862a6a7a-6198-4db8-bed6-75e08445db10
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-20 11:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-20 11:09:03
ComboFix-quarantined-files.txt 2012-01-20 16:08
ComboFix2.txt 2012-01-17 21:20
ComboFix3.txt 2012-01-17 19:45
ComboFix4.txt 2012-01-17 18:03
ComboFix5.txt 2012-01-20 15:46
.
Pre-Run: 118,101,671,936 bytes free
Post-Run: 118,089,576,448 bytes free
.
- - End Of File - - 21D1CFB5D845F90E3DE5ECB2F0258638
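To make the kind of review Cookiegal is doing above more mechanical, here is an added example (my own code, not ComboFix's and not from this thread) that parses the "Files Created", service/driver and registry lines of a ComboFix log and flags the patterns worth a second look in the log above: several eight-letter random-named drivers sharing one size and one source timestamp, services whose image lives under a Temp folder or carries a .tmp extension, Security Center override flags, and globally opened firewall ports. The sample lines are constructed from the shapes in the log and the heuristics are assumptions of mine; they produce review items for a human, not verdicts.

```python
"""Heuristic triage of ComboFix log lines (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the log above; not the complete log.
SAMPLE_LOG = r"""
2012-01-09 04:29 . 2004-08-07 18:46 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-06 12:58 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\jnFFlsCV.sys
2012-01-01 17:15 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ozXseBEa.sys
2011-12-29 02:06 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ItgQNdTr.sys
2012-01-20 14:16 . 2012-01-20 14:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\program files\Microsoft Security Client
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/12/2012 3:22 PM 20464]
S3 BWSQ;BWSQ;c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S4 hpdj00;hpdj00; [x]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# "Files Created" entry: <created> . <modified> <size, or dashes for a dir> <attrs> <path>
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-+) (\S+) (.+)$")
# Service/driver entry: <start type> <name>;<display name>;<image> [<date size> | ? | x]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
# Registry value line as ComboFix prints it: "Name"=value
REG_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def looks_random(stem):
    """Eight letters in mixed case, the shape of the odd driver names in the log."""
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem) and any(c.islower() for c in stem))


def triage(log_text):
    """Return (category, detail) review items; prompts for a human, not verdicts."""
    findings = []
    clusters = defaultdict(list)  # (size, source timestamp) -> driver name stems
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            _created, modified, size, _attrs, path = m.groups()
            low = path.lower()
            if size.isdigit() and "\\drivers\\" in low and low.endswith(".sys"):
                stem = path.rsplit("\\", 1)[-1][:-4]
                clusters[(size, modified)].append(stem)
                if looks_random(stem):
                    findings.append(("driver-random-name", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image_field, _status = m.groups()
            image = image_field.split(" --> ")[-1].lower()
            if "\\temp\\" in image:
                # Some scanners legitimately run drivers from Temp; confirm the vendor first.
                findings.append(("service-image-in-temp", name))
            if image.endswith(".tmp"):
                # A .tmp image path is unusual; correlate with recently installed tools.
                findings.append(("service-image-tmp-extension", name))
            continue
        m = REG_RE.match(line)
        if m:
            key, value = m.groups()
            if key in ("AntiVirusOverride", "FirewallOverride"):
                try:
                    enabled = int(value.split(":")[-1], 16) != 0
                except ValueError:
                    enabled = False
                if enabled:
                    # Security Center alerts for AV/firewall state are suppressed.
                    findings.append(("security-center-override", key))
            if re.fullmatch(r"\d+:(TCP|UDP)", key):
                # A port opened in the firewall's global list (3389 is Remote Desktop).
                findings.append(("firewall-open-port", key))
    for (size, stamp), stems in sorted(clusters.items()):
        if len(stems) >= 2:
            # Distinct driver names sharing one size and one source timestamp.
            findings.append(("driver-size-timestamp-cluster",
                             f"{size} bytes @ {stamp}: " + ", ".join(sorted(stems))))
    return findings


def summarize(findings):
    """Count review items per category."""
    counts = defaultdict(int)
    for category, _detail in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

Run it against a saved ComboFix log by reading the file into `triage()`; every item it prints still needs to be checked against the vendor of the file before anything is removed.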

#4 Cookiegal (Security Colleague, 93 posts)

Posted 27 January 2012 - 12:38 PM

You're welcome but unfortunately, you've posted the same log as before.

#5 2fort (Topic Starter, Members, 39 posts)

Posted 27 January 2012 - 12:56 PM

You're right. I think it was because I was doing two things:

1. At first I was running the program from a flash drive.
2. I was also saving the file in a different place.

I can run a new one if that would help. Sorry, I know I should not have run it on my own.

I tried posting 5, which is the last one I ran, by using the date created, but it is too long.

#6 Cookiegal (Security Colleague, 93 posts)

Posted 27 January 2012 - 01:06 PM

Please remove ComboFix by dragging it to the recycle bin. Then grab the latest version and transfer it to the desktop of the problem machine via USB flash drive.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console (if it's not already installed) and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

#7 2fort (Topic Starter, Members, 39 posts)

Posted 27 January 2012 - 01:45 PM

ComboFix 12-01-27.01 - HP_Owner 01/27/2012 13:19:34.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.85 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\puppy.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-22 01:57 . 2012-01-27 18:13 -------- d-----w- C:\ComboFix
2012-01-21 17:27 . 2012-01-21 17:27 14664 ----a-w- c:\windows\stinger.sys
2012-01-21 17:26 . 2012-01-21 17:34 -------- d-----w- c:\program files\stinger
2012-01-21 17:21 . 2012-01-21 17:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-20 20:16 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 13:56 . 2012-01-20 13:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-17 20:31 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2012-01-17 20:30 . 2001-08-17 18:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-01-17 20:29 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2012-01-17 20:28 . 2001-08-17 19:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2012-01-17 20:27 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2012-01-17 20:26 . 2001-08-17 18:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2012-01-17 20:25 . 2001-08-17 19:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2012-01-17 20:24 . 2001-08-17 17:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-01-17 20:23 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2012-01-17 20:22 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-01-17 20:21 . 2001-08-17 18:52 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-17 20:20 . 2001-08-18 03:36 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-01-17 20:19 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-01-17 20:18 . 2001-08-17 17:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-01-17 20:17 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-01-17 20:16 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-01-17 20:15 . 2001-08-17 17:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-01-17 20:14 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-01-17 20:13 . 2001-08-17 19:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-17 20:12 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-17 20:11 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-17 20:10 . 2001-08-17 17:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-17 20:09 . 2001-08-17 17:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2012-01-17 20:08 . 2001-08-17 17:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-01-17 20:07 . 2001-08-17 18:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2012-01-17 20:06 . 2001-08-17 18:57 248064 -c--a-w- c:\windows\system32\dllcache\cl546xm.sys
2012-01-17 20:05 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-17 20:04 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2012-01-17 20:03 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-17 16:35 . 2012-01-17 16:35 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-17 14:20 . 2012-01-17 22:05 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 14:17 . 2012-01-17 14:17 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 19:29 . 2012-01-16 19:29 -------- d-----w- c:\documents and settings\Administrator
2012-01-16 17:09 . 2012-01-21 14:33 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-01-16 17:07 . 2012-01-16 17:07 -------- d-----w- c:\program files\MozBackup
2012-01-15 22:52 . 2012-01-15 22:52 -------- d-----w- c:\program files\Sophos
2012-01-14 16:35 . 2004-08-04 03:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2012-01-14 16:35 . 2004-08-04 03:31 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2012-01-13 17:01 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-13 17:01 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-13 17:01 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-13 17:01 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\iolo
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\program files\Uniblue
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\PackageAware
2012-01-01 17:15 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ozXseBEa.sys
2011-12-29 02:06 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\ItgQNdTr.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 20:54 . 2011-12-11 00:40 141272 ----a-w- c:\windows\system32\WRusr.dll
2012-01-09 04:29 . 2004-08-07 18:46 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-21 07:24 . 2011-04-14 17:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-17_21.16.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-18 08:00 . 2006-10-18 08:00 36624 c:\windows\system32\drivers\1pxhelp20.sys
+ 2004-12-29 20:53 . 2003-09-19 06:47 10368 c:\windows\system32\drivers\1pfc.sys
+ 2009-08-12 01:15 . 2009-06-22 14:58 24576 c:\windows\system32\drivers\1ndisrd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5-Day Forecast]
2010-06-15 16:30 876544 ----a-w- c:\program files\5-Day Forecast\5-Day Forecast\5-day forecast.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-24 22:50 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-01 21:43 163840 ----a-w- c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-13 22:53 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"idsvc"=3 (0x3)
"hpdj01"=2 (0x2)
"hpdj00"=2 (0x2)
"gusvc"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HP_Owner\\My Documents\\AmazonMP3Installer.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/20/2012 3:16 PM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/20/2012 3:16 PM 20464]
S3 BWSQ;BWSQ;c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [8/2/2009 5:49 PM 38656]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys --> c:\windows\system32\Drivers\Capt907B.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 hpdj00;hpdj00; [x]
S4 hpdj01;hpdj01; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-27 c:\windows\Tasks\User_Feed_Synchronization-{DB55124A-6B37-42CC-9B57-2899C8CC1399}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\7kaz0kdp.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80117&language=en&qkw=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extentions.y2layers.installId - 862a6a7a-6198-4db8-bed6-75e08445db10
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 13:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-27 13:39:56
ComboFix-quarantined-files.txt 2012-01-27 18:39
ComboFix2.txt 2012-01-22 02:23
ComboFix3.txt 2012-01-21 18:23
ComboFix4.txt 2012-01-21 16:49
ComboFix5.txt 2012-01-27 18:14
.
Pre-Run: 117,294,718,976 bytes free
Post-Run: 117,399,887,872 bytes free
.
- - End Of File - - 1D247A105934801F0DB5307B544F302F
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:42:20, on 1/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: BWSQ - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 3648 bytes

#8 Cookiegal

Cookiegal

  • Security Colleague
  • 93 posts
  • Gender:Female
  • Local time:02:34 AM

Posted 27 January 2012 - 03:09 PM

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\drivers\ozXseBEa.sys
c:\windows\system32\drivers\ItgQNdTr.sys

Driver::
ozXseBEa
ItgQNdTr
BWSQ

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

Posted Image


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
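
As an added example, not part of this thread and not code from ComboFix, HijackThis or BleepingComputer, the following Python script applies the same reading Cookiegal used to pick out BWSQ: it parses ComboFix driver/service lines and HijackThis O23 lines and flags services whose image lives under a Temp directory, is a .tmp file, is missing or unreadable, or has no publisher recorded. The sample lines are constructed to mirror entries quoted in the logs above; the scoring heuristics are assumptions for triage, and every hit still needs an analyst's judgement before anything is removed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the ComboFix "Drivers/Services"
# entries and the HijackThis O23 entries quoted in this thread.
SAMPLE_COMBOFIX = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/20/2012 3:16 PM 652872]
S3 BWSQ;BWSQ;c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
"""

SAMPLE_HJT = r"""
O23 - Service: BWSQ - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\BWSQ.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# ComboFix: "<state><start> <name>;<display>;<path> [<date> <size>]" or
# "... <path> --> <path> [?]" when the file's attributes could not be read.
COMBOFIX_SVC = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# HijackThis: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>file missing)\))?$"
)


@dataclass
class ServiceEntry:
    source: str
    name: str
    path: str
    owner: str = ""
    file_missing: bool = False


def parse_combofix_services(text: str) -> List[ServiceEntry]:
    """Extract service entries from the ComboFix driver/service section."""
    entries = []
    for line in text.splitlines():
        m = COMBOFIX_SVC.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # The "[?]" marker means ComboFix could not read the image file.
        missing = rest.endswith("[?]")
        path = rest.split(" --> ")[0].split(" [")[0].strip()
        entries.append(ServiceEntry("combofix", m.group("name"), path, "", missing))
    return entries


def parse_hjt_services(text: str) -> List[ServiceEntry]:
    """Extract O23 service entries from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_O23.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry("hijackthis", m.group("name"), m.group("path"),
                                    m.group("owner"), m.group("note") is not None))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) pairs, most suspicious first.

    Heuristics (assumed for triage, not a verdict): a service image under a
    Temp directory, a .tmp image, a missing/unreadable image, or no publisher.
    Legitimate scanners also leave .tmp drivers behind, so review every hit.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if re.search(r"\\temp\\", e.path, re.IGNORECASE):
            reasons.append("image lives in a Temp directory")
        if re.search(r"\\[^\\]+\.tmp$", e.path, re.IGNORECASE):
            reasons.append("image is a .tmp file")
        if e.file_missing:
            reasons.append("image file missing or unreadable")
        if e.owner.lower() == "unknown owner":
            reasons.append("no publisher recorded")
        if reasons:
            merged = findings.setdefault(e.name, [])
            for r in reasons:
                if r not in merged:
                    merged.append(r)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def triage_logs(combofix_text: str, hjt_text: str) -> List[Tuple[str, List[str]]]:
    """Combine both log formats so the same service is scored once."""
    return triage(parse_combofix_services(combofix_text) + parse_hjt_services(hjt_text))


if __name__ == "__main__":
    for name, reasons in triage_logs(SAMPLE_COMBOFIX, SAMPLE_HJT):
        print(f"{name}: {'; '.join(reasons)}")
```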

#9 2fort

2fort
  • Topic Starter

  • Members
  • 39 posts
  • Local time:01:34 AM

Posted 27 January 2012 - 03:14 PM

Just wanted to let you know I will be away from the computer for 6 or 7 hours, will post the log then.

#10 Cookiegal

Cookiegal

  • Security Colleague
  • 93 posts
  • Gender:Female
  • Local time:02:34 AM

Posted 27 January 2012 - 03:32 PM

That's fine but I may be signed off for the night by then so I'll give you another utility that I'd like you to run as well.

Please download Farbar Service Scanner and transfer it to the desktop of the computer with the issue.
  • Make sure only the following option is checked:
    • Internet Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run (which should be on the desktop.)
  • Please copy and paste the log to your reply.


#11 2fort

2fort
  • Topic Starter

  • Members
  • 39 posts
  • Local time:01:34 AM

Posted 27 January 2012 - 08:53 PM

ComboFix log & HijackThis log


ComboFix 12-01-27.01 - HP_Owner 01/27/2012 15:22:58.11.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.25 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\puppy.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\ItgQNdTr.sys"
"c:\windows\system32\drivers\ozXseBEa.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\ItgQNdTr.sys
c:\windows\system32\drivers\ozXseBEa.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BWSQ
-------\Service_BWSQ
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-22 01:57 . 2012-01-27 18:13 -------- d-----w- C:\ComboFix
2012-01-21 17:27 . 2012-01-21 17:27 14664 ----a-w- c:\windows\stinger.sys
2012-01-21 17:26 . 2012-01-21 17:34 -------- d-----w- c:\program files\stinger
2012-01-21 17:21 . 2012-01-21 17:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-20 20:16 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 13:56 . 2012-01-20 13:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-17 20:24 . 2001-08-17 17:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2012-01-17 20:23 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2012-01-17 20:22 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2012-01-17 20:21 . 2001-08-17 18:52 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-17 20:20 . 2001-08-18 03:36 16384 -c--a-w- c:\windows\system32\dllcache\philcam1.dll
2012-01-17 20:19 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2012-01-17 20:18 . 2001-08-17 17:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-01-17 20:17 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-01-17 20:16 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-01-17 20:15 . 2001-08-17 17:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2012-01-17 20:14 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-01-17 20:13 . 2001-08-17 19:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-17 20:12 . 2001-08-18 03:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2012-01-17 20:11 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-17 20:10 . 2001-08-17 17:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-17 20:09 . 2001-08-17 17:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2012-01-17 20:08 . 2001-08-17 17:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-01-17 20:07 . 2001-08-17 18:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2012-01-17 20:06 . 2001-08-17 18:57 248064 -c--a-w- c:\windows\system32\dllcache\cl546xm.sys
2012-01-17 20:05 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-17 20:04 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2012-01-17 20:03 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-17 19:00 . 2012-01-17 19:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-17 16:35 . 2012-01-17 16:35 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-17 14:20 . 2012-01-17 22:05 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-17 14:17 . 2012-01-17 14:17 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 19:29 . 2012-01-16 19:29 -------- d-----w- c:\documents and settings\Administrator
2012-01-16 17:09 . 2012-01-21 14:33 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-01-16 17:07 . 2012-01-16 17:07 -------- d-----w- c:\program files\MozBackup
2012-01-15 22:52 . 2012-01-15 22:52 -------- d-----w- c:\program files\Sophos
2012-01-14 16:35 . 2004-08-04 03:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2012-01-14 16:35 . 2004-08-04 03:31 36224 ----a-w- c:\windows\system32\drivers\an983.sys
2012-01-13 17:01 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-13 17:01 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-13 17:01 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-13 17:01 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-13 15:35 . 2012-01-13 15:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\iolo
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\program files\Uniblue
2012-01-03 01:21 . 2012-01-03 01:21 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 20:54 . 2011-12-11 00:40 141272 ----a-w- c:\windows\system32\WRusr.dll
2012-01-09 04:29 . 2004-08-07 18:46 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-21 07:24 . 2011-04-14 17:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-17_21.16.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-18 08:00 . 2006-10-18 08:00 36624 c:\windows\system32\drivers\1pxhelp20.sys
+ 2004-12-29 20:53 . 2003-09-19 06:47 10368 c:\windows\system32\drivers\1pfc.sys
+ 2009-08-12 01:15 . 2009-06-22 14:58 24576 c:\windows\system32\drivers\1ndisrd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5-Day Forecast]
2010-06-15 16:30 876544 ----a-w- c:\program files\5-Day Forecast\5-Day Forecast\5-day forecast.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 22:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-24 22:50 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-01 21:43 163840 ----a-w- c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2001-07-03 13:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-13 22:53 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"idsvc"=3 (0x3)
"hpdj01"=2 (0x2)
"hpdj00"=2 (0x2)
"gusvc"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\HP_Owner\\My Documents\\AmazonMP3Installer.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/20/2012 3:16 PM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/20/2012 3:16 PM 20464]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [8/2/2009 5:49 PM 38656]
S3 SQTECH907B;EZCam(PID_907B_00);c:\windows\system32\Drivers\Capt907B.sys --> c:\windows\system32\Drivers\Capt907B.sys [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/23/2010 10:00 PM 135664]
S4 hpdj00;hpdj00; [x]
S4 hpdj01;hpdj01; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-24 03:00]
.
2012-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-27 c:\windows\Tasks\User_Feed_Synchronization-{DB55124A-6B37-42CC-9B57-2899C8CC1399}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\7kaz0kdp.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80117&language=en&qkw=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: extentions.y2layers.installId - 862a6a7a-6198-4db8-bed6-75e08445db10
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 15:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2012-01-27 15:45:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 20:45
ComboFix2.txt 2012-01-27 18:39
ComboFix3.txt 2012-01-22 02:23
ComboFix4.txt 2012-01-21 18:23
ComboFix5.txt 2012-01-27 20:17
.
Pre-Run: 117,376,393,216 bytes free
Post-Run: 117,248,774,144 bytes free
.
- - End Of File - - 7CAA1FC58FF7A9542799AC78C205F450





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:48:03, on 1/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 3551 bytes

#12 2fort (Topic Starter)

Posted 27 January 2012 - 09:17 PM

As far as the internet goes, everything I get points to a DNS problem. It is only when I try a URL that I have a problem. I have checked the router and everything is good there as far as the DNS settings go (using OpenDNS servers).
All other computers that are connected to it can access the internet.

Tried resetting Winsock, removing the adapter, installing a new NIC card, flushing the DNS cache, checking the nameserver address and so on. Some of these things I may have done before removing the rootkits.

One other thing: they said that all the problems started around the time they installed Webroot. I think they had problems with things before that and just did not know it. I have removed Webroot and run their uninstall program. I also went into the registry and removed everything I could find with Webroot. Their uninstall program did not do that good of a job.

FSS log below

Farbar Service Scanner Version: 18-01-2012 01
Ran by HP_Owner (administrator) on 27-01-2012 at 20:56:06
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****
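The symptom in this post (FSS reports the Google and Yahoo IPs reachable while any URL fails) is what a broken name-resolution path looks like, and the usual next question is which hop is broken. The following is an added example, not something from the thread or from Farbar's tool: it builds a raw DNS A query and sends it directly over UDP to each resolver hop, bypassing the Windows DNS Client service, and then compares that with the operating system's own lookup. The router address 192.168.1.1 is an assumption; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers; the bytes in SAMPLE_RESPONSE are constructed for the test, not captured from the machine in this thread.

```python
"""Probe each DNS hop directly to find where name resolution breaks.

Added example, not code from the thread. Sends a hand-built DNS query
straight to a resolver (skipping the local DNS Client / dnsrslvr.dll
path) and parses the reply, then compares with the OS lookup.
"""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Standard DNS query: one question, type A, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(pkt: bytes, txid: int) -> dict:
    """Return {'rcode': n, 'ips': [...]}; reject replies for another txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = _read_name(pkt, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "ips": ips}


def query(resolver: str, name: str, timeout: float = 3.0):
    """One direct UDP/53 query to `resolver`; parsed reply or an error string."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
        return parse_response(data, txid)
    except socket.timeout:
        return "timeout (UDP/53 blocked, resolver down, or reply dropped)"
    except (OSError, ValueError) as exc:
        return f"error: {exc}"
    finally:
        sock.close()


def probe(name="www.google.com",
          resolvers=("192.168.1.1",        # assumed router address
                     "208.67.222.222",     # OpenDNS
                     "208.67.220.220")):   # OpenDNS
    """Same query at every hop plus the OS resolver, so the failing hop stands out."""
    results = {r: query(r, name) for r in resolvers}
    try:
        results["os-resolver"] = socket.gethostbyname(name)
    except OSError as exc:
        results["os-resolver"] = f"getaddrinfo failed: {exc}"
    return results


# Constructed sample reply (not captured from the machine in the thread):
# txid 0x1234, standard response, one question, one A answer 93.184.216.34.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    for hop, result in probe().items():
        print(f"{hop:>16}: {result}")
```

If the OpenDNS hops answer but the router does not, the router's forwarder is the problem. If every direct query answers and only `os-resolver` fails, the fault is on the local machine: the hosts file, the DNS Client service, the per-interface NameServer settings, or a Winsock LSP entry (the kind of thing the HijackThis O10 line reports), which are the components a rootkit cleanup or a security-product uninstall can leave in a broken state.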

#13 Cookiegal (Security Colleague)

Posted 27 January 2012 - 09:22 PM

Please go to Start - Run - type in eventvwr.msc to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.

#14 2fort (Topic Starter)

Posted 27 January 2012 - 09:59 PM

App errors

A bunch of these, all the same

Event Type: Error
Event Source: MPSampleSubmission
Event Category: None
Event ID: 5000
Date: 1/27/2012
Time: 21:42:10
User: N/A
Computer: MYNEWCOMPUTER
Description:
EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 70 00 74 00 65 00 m.p.t.e.
0008: 6c 00 65 00 6d 00 65 00 l.e.m.e.
0010: 74 00 72 00 79 00 2c 00 t.r.y.,.
0018: 20 00 38 00 30 00 32 00 .8.0.2.
0020: 34 00 34 00 30 00 32 00 4.4.0.2.
0028: 63 00 2c 00 20 00 65 00 c.,. .e.
0030: 6e 00 64 00 73 00 65 00 n.d.s.e.
0038: 61 00 72 00 63 00 68 00 a.r.c.h.
0040: 2c 00 20 00 73 00 65 00 ,. .s.e.
0048: 61 00 72 00 63 00 68 00 a.r.c.h.
0050: 2c 00 20 00 33 00 2e 00 ,. .3...
0058: 30 00 2e 00 38 00 34 00 0...8.4.
0060: 30 00 32 00 2e 00 30 00 0.2...0.
0068: 2c 00 20 00 6d 00 70 00 ,. .m.p.
0070: 73 00 69 00 67 00 64 00 s.i.g.d.
0078: 77 00 6e 00 2e 00 64 00 w.n...d.
0080: 6c 00 6c 00 2c 00 20 00 l.l.,. .
0088: 33 00 2e 00 30 00 2e 00 3...0...
0090: 38 00 34 00 30 00 32 00 8.4.0.2.
0098: 2e 00 30 00 2c 00 20 00 ..0.,. .
00a0: 6d 00 69 00 63 00 72 00 m.i.c.r.
00a8: 6f 00 73 00 6f 00 66 00 o.s.o.f.
00b0: 74 00 20 00 73 00 65 00 t. .s.e.
00b8: 63 00 75 00 72 00 69 00 c.u.r.i.
00c0: 74 00 79 00 20 00 65 00 t.y. .e.
00c8: 73 00 73 00 65 00 6e 00 s.s.e.n.
00d0: 74 00 69 00 61 00 6c 00 t.i.a.l.
00d8: 73 00 20 00 28 00 65 00 s. .(.e.
00e0: 64 00 62 00 34 00 66 00 d.b.4.f.
00e8: 61 00 32 00 33 00 2d 00 a.2.3.-.
00f0: 35 00 33 00 62 00 38 00 5.3.b.8.
00f8: 2d 00 34 00 61 00 66 00 -.4.a.f.
0100: 61 00 2d 00 38 00 63 00 a.-.8.c.
0108: 35 00 64 00 2d 00 39 00 5.d.-.9.
0110: 39 00 37 00 35 00 32 00 9.7.5.2.
0118: 63 00 63 00 61 00 37 00 c.c.a.7.
0120: 30 00 39 00 34 00 29 00 0.9.4.).
0128: 2c 00 20 00 4e 00 49 00 ,. .N.I.
0130: 4c 00 2c 00 20 00 4e 00 L.,. .N.
0138: 49 00 4c 00 20 00 4e 00 I.L. .N.
0140: 49 00 4c 00 0d 00 0a 00 I.L.....



A bunch of these, all the same

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 1/25/2012
Time: 12:28:28
User: N/A
Computer: MYNEWCOMPUTER
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event errors

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 1/27/2012
Time: 21:31:55
User: N/A
Computer: MYNEWCOMPUTER
Description:
The following boot-start or system-start driver(s) failed to load:
SASDIFSV
SASKUTIL

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Print
Event Category: None
Event ID: 19
Date: 1/27/2012
Time: 21:31:52
User: NT AUTHORITY\SYSTEM
Computer: MYNEWCOMPUTER
Description:
Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


A bunch of these, all the same; only one copy

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 1/27/2012
Time: 21:31:48
User: N/A
Computer: MYNEWCOMPUTER
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


A bunch of these, all the same; copied only one

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 1/27/2012
Time: 21:31:44
User: NT AUTHORITY\SYSTEM
Computer: MYNEWCOMPUTER
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service gupdate with arguments "/comsvc" in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


A bunch of these, all the same; copied only one

Event Type: Error
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 2001
Date: 1/27/2012
Time: 20:51:21
User: N/A
Computer: MYNEWCOMPUTER
Description:
Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 0.0.0.0
Update Source: Microsoft Malware Protection Center
Update Stage: Search
Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094
Signature Type: AntiVirus
Update Type: Full
User: NT AUTHORITY\NETWORK SERVICE
Current Engine Version:
Previous Engine Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync
Event ID: 16
Date: 1/27/2012
Time: 10:34:15
User: N/A
Computer: MYNEWCOMPUTER
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 30 sult=0x0
0010: 30 30 30 30 30 30 30 20 0000000
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 30 30 30 30 30 30 ={000000
0028: 30 30 2d 30 30 30 30 2d 00-0000-
0030: 30 30 30 30 2d 30 30 30 0000-000
0038: 30 2d 30 30 30 30 30 30 0-000000
0040: 30 30 30 30 30 30 7d 20 000000}
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 30 Number=0
0058: 20 00 .
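Read together, the errors in this post fall into three groups: two that state a name-resolution failure outright (0x80072EE7 is WinHTTP's ERROR_WINHTTP_NAME_NOT_RESOLVED, and 0x8024402C is the Windows Update wrapper of the same condition, WU_E_PT_WINHTTP_NAME_NOT_RESOLVED), several that are what every network-dependent service reports when no name can be resolved (no update service, no time source, no root-list download), and a few with other causes (drivers that failed to load, a disabled gupdate service, a printer share). The following triage script is an added example, not code from the thread: it parses Event Viewer text of the form pasted above and sorts each record into one of those buckets. The "consistent with" table is the editor's judgement, not a Microsoft classification, and the sample records are constructed to mirror the posted ones.

```python
"""Triage an Event Viewer copy-paste into DNS-related and unrelated errors.

Added example, not code from the thread. Parses XP-style text records
(Event Type / Event Source / Event ID / ... / Description) and buckets
them by whether they show, imply, or have nothing to do with a
name-resolution failure.
"""
import re

# Direct evidence: WinHTTP ERROR_WINHTTP_NAME_NOT_RESOLVED (12007) and the
# Windows Update agent's wrapper of it, WU_E_PT_WINHTTP_NAME_NOT_RESOLVED.
DNS_CODES = {"80072ee7", "8024402c"}
DNS_PHRASES = ("could not be resolved", "name not resolved")

# Editor's table (an assumption, not a Microsoft list): errors that do not
# say "DNS" but are what appears when every outbound lookup fails.
DNS_CONSISTENT = {
    ("Windows Update Agent", 16),   # cannot reach the update service
    ("W32Time", 29),                # NtpClient has no reachable time source
    ("crypt32", 8),                 # authroot sequence download failed
    ("crypt32", 11),                # authroot CTL download failed
}

FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)


def parse_events(text: str) -> list:
    """Split pasted Event Viewer text into dicts; Description runs until the
    'For more information' footer or a 'Data:' hex dump, which are dropped."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            if cur:
                events.append(cur)
            cur, in_desc = {"Description": ""}, False
        if cur is None:
            continue
        if in_desc:
            if line.startswith("For more information") or line.startswith("Data:"):
                in_desc = False
            else:
                cur["Description"] += line + "\n"
            continue
        if line.startswith("Description:"):
            in_desc = True
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
    if cur:
        events.append(cur)
    for ev in events:
        ev["Event ID"] = int(ev.get("Event ID", "0"))
        ev["Description"] = ev["Description"].strip()
    return events


def classify(ev: dict) -> str:
    """'name-resolution', 'consistent-with-name-resolution' or 'unrelated'."""
    desc = ev["Description"].lower()
    codes = set(re.findall(r"\b(?:0x)?([0-9a-f]{8})\b", desc))
    if codes & DNS_CODES or any(p in desc for p in DNS_PHRASES):
        return "name-resolution"
    if (ev.get("Event Source"), ev["Event ID"]) in DNS_CONSISTENT:
        return "consistent-with-name-resolution"
    return "unrelated"


def triage(text: str) -> dict:
    """Map each bucket to the (source, id) pairs found, in order of appearance."""
    buckets = {"name-resolution": [], "consistent-with-name-resolution": [], "unrelated": []}
    for ev in parse_events(text):
        buckets[classify(ev)].append((ev.get("Event Source"), ev["Event ID"]))
    return buckets


# Constructed sample, trimmed copies of the kinds of records posted above.
SAMPLE = """Event Type: Error
Event Source: MPSampleSubmission
Event Category: None
Event ID: 5000
Date: 1/27/2012
Time: 21:42:10
User: N/A
Computer: MYNEWCOMPUTER
Description:
EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll.

For more information, see Help and Support Center.
Data:
0000: 6d 00 70 00 74 00 65 00 m.p.t.e.

Event Type: Error
Event Source: Microsoft Antimalware
Event Category: None
Event ID: 2001
Computer: MYNEWCOMPUTER
Description:
Microsoft Antimalware has encountered an error trying to update signatures.
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

For more information, see Help and Support Center.

Event Type: Error
Event Source: W32Time
Event ID: 29
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.

Event Type: Error
Event Source: crypt32
Event ID: 8
Description:
Failed auto update retrieval of third-party root list sequence number with error: This network connection does not exist.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Description:
The following boot-start or system-start driver(s) failed to load:
SASDIFSV
SASKUTIL

Event Type: Error
Event Source: DCOM
Event ID: 10005
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service gupdate with arguments "/comsvc"
"""

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(f"{bucket}: {hits}")
```

Run it on the full paste rather than the sample to get the same split for the real log: everything in the first two buckets shares one root cause, so there is no point chasing them individually until name resolution works, while the "unrelated" bucket (the two SUPERAntiSpyware driver entries that no longer load, the gupdate service that is disabled, the printer share) is separate cleanup.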

#15 Cookiegal (Security Colleague)

Posted 28 January 2012 - 08:36 AM

Please run Farbar Service Scanner again. This time, type the following in the search box:

afd;netbt;tcpip

Click "Export Service" and post the log it makes (FSS.txt).



