
Infected with Rootkit.Zeroaccess


This topic is locked.
27 replies to this topic

#1 Dan Kalmick

  • Members
  • 15 posts

Posted 10 April 2012 - 02:05 PM

Hi. So my client dropped off this machine and it was a mess. I ran Malwarebytes, TDSSKiller and ComboFix, as I tend to know what I'm doing on these things, and they seemingly got rid of the major infection. I've now run the scans for just about everything I can find, but ComboFix is still saying AVG Free 2011 is installed (it's not... it was, but I've run the AVG Remover from them and then gone through the registry and deleted all references to AVG) and ComboFix still comes up and says Rootkit.ZeroAccess has embedded itself in the TCP/IP stack. I've gone through all the forums and looked at different iterations, but I'm completely hosed on this. Attached are the GMER, DDS and last ComboFix logs. Please take a look and see if there's anything I'm missing as to why ComboFix is still reporting things whilst everything else says clean. Additionally... ComboFix seems to be hit and miss on removing .sys files. It will say there's a rootkit and then do nothing, but the next time it's run... it'll detect it again and, as in this log, say that it got something, but if I run it again it'll detect ZeroAccess and then spit out a log that it didn't do anything.

Thanks!!!

edit: added OTL logs



Edited by Dan Kalmick, 10 April 2012 - 02:31 PM.



#2 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Location:Montreal, QC. Canada

Posted 14 April 2012 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Open notepad and copy/paste the text in the quote box below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\csrefus6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2776682&SearchSource=2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54202
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll



Save this as CFScript.txt on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    SE2Bmgmt.sys
    RushTopDevice.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the logs for my review.

#3 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 14 April 2012 - 03:01 PM

Hi Nasdaq...thanks for getting back.

Attached are the logs from those three programs.

Combofix is still reporting both AVG 2011 is installed and that there is a ZeroAccess rootkit installed as well.

Thanks! I'll be around all weekend so that we can hopefully get this taken care of quickly.

~DK




#4 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Location:Montreal, QC. Canada

Posted 15 April 2012 - 06:59 AM

Avg is being reported by ComboFix because of this remnant item in the registry. Nothing to worry about.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

===


This is my concern at the moment.

Combo Fix still comes up and says Rootkit.ZeroAccess has embedded itself in the TCP/IP Stack.


You have SE2Bmgmt running as a service, but no file was found on your system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trlokom_rmhsvc
gusvc
idebusdr
SfCtlCom
VAIOMediaPlatform-MusicServer-HTTP
SE2Bmgmt
stacsv


Quoted from this article.

Se2bmgmt.sys with description Sony Ericsson Device 043 USB WMC Device Management Driver is a driver file from company MCCI belonging to product Sony Ericsson Device 043 USB WMC Device Management.

http://www.runscanner.net/lib/SE2Bmgmt.sys.html
==

Do you have such a USB device?

I do not want to modify the registry key unless we are sure that this is the culprit.

How is your computer running presently?
Any issues?

#5 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 15 April 2012 - 01:33 PM

Hi,

More info: This is a Toshiba Satellite laptop. So there shouldn't be anything Sony related in it sans maybe the optical drive which doesn't matter. The VAIOMedia Platform thing is weird too but may be left over from something the client tried to install, but let's hose it nonetheless.

The machine was fine for a bit, but now the svchost.exe process is back up to 50% CPU and 50MB of RAM (Windows updates did run by accident on shutdown yesterday).

I searched the registry for SE2Bmgmt and it just references the service starting svchost... which could be the culprit. There are also some errant services in the "Services MMC" that don't have any description that I've stopped and disabled. It's a usual tactic I use because most legit processes have descriptions.

As an aside... I searched the registry for the GUID/SID associated with AVG "{17DDD097-36FF-435F-9E1B-52D74245D6BF}" and came up with nothing.

Let me know the next steps to hose those services.

Thanks

#6 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Location:Montreal, QC. Canada

Posted 16 April 2012 - 07:23 AM

Open notepad and copy/paste the text in the quote box below into it:

NetSvc::
VAIOMediaPlatform-MusicServer-HTTP
SE2Bmgmt


Save this as CFScript.txt on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please let me know if the problem persists.

#7 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 16 April 2012 - 02:28 PM

Hi,

So I ran Combofix again...attached is the log file.

All the net services seem suspicious:
trlokom_rmhsvc
gusvc
idebusdr
SfCtlCom
stacsv

Are you familiar with all of those? The idebusdr is a disabled service that I did but the display name is lspwdsvc under the services mmc control panel. The machine seems to be running fine, but I'm still suspicious of Combofix yelling at me for AVG 2011 and the Zero.Access service. Should we just hose the rest of the net svcs?

~DK




#8 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Location:Montreal, QC. Canada

Posted 17 April 2012 - 06:58 AM

trlokom_rmhsvc
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-ff&search=trlokom_rmhsvc
Legit.

gusvc
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-ff&search=gusvc
Could be for Google, but may also be malware.

idebusdr
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-ff&search=idebusdr
Legit

SfCtlCom
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-ff&search=SfCtlCom
Trend micro - could be an old program.

stacsv
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-ff&search=stacsv
legit.


If you decide to remove these NetSvcs keys execute the script below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trlokom_rmhsvc
gusvc
idebusdr
SfCtlCom
stacsv

Do as you did before with the ComboFix script in post no 6.

NetSvc::
trlokom_rmhsvc
gusvc
idebusdr
SfCtlCom
stacsv


If you wish to keep any of them then remove it from this list.
Do this at your own risk.

The machine seems to be running fine, but I'm still suspicious of Combofix yelling at me for AVG 2011 and the Zero.Access service.
No problem with AVG and ComboFix. Reinstall AVG.

ZeroAccess: the only thing that could be reported by AVG is this; otherwise I do not see it.


2012-04-10 06:15 . 2012-04-10 06:15 -------- d-----w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2012-04-10 06:15 . 2012-04-10 06:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-10 06:15 . 2012-04-10 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-10 05:42 . 2012-04-10 05:44 -------- d-----w- C:\MGtools
2012-04-10 02:26 . 2012-04-10 02:26 -------- d-----w- c:\documents and settings\Bob\Application Data\FixZeroAccess
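Added example (not a tool from the thread, OldTimer or BleepingComputer): a Python triage script that parses the SRV, DRV and NetSvcs lines OTL prints and applies the check nasdaq made by hand in posts #4 and #8, flagging services Windows still tries to start whose binary or ServiceDll no longer exists, with svchost-hosted (NetSvcs) orphans ranked first. The NetSvcs group names are the ones listed in post #4, and the sample lines are copied from the OTL log posted later in this thread.

```python
"""Flag orphaned services in OTL output (added example; not OTL's or the thread's own tool).

OTL prints one line per service/driver; a missing binary shows as 'File not found'.
The check mirrors what nasdaq did by hand in posts #4 and #8: a service Windows
still starts, above all one hosted by svchost via the NetSvcs group, whose
ServiceDll or image is gone is an orphan to research (e.g. on systemlookup.com)
before deciding whether to remove its registry entry.
"""
import re
from dataclasses import dataclass

# "SRV - (name) [description] -- <path> File not found"  or  "... -- <path> (Company)"
_SVC_RE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\)(?P<desc>.*?) -- (?P<rest>.*)$")
# "NetSvcs: name - <path> File not found"  (members of the svchost NetSvcs group)
_NETSVC_RE = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<rest>.*)$")
_COMPANY_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<company>[^()]*)\)$")
_MISSING = "File not found"

# NetSvcs group as listed in post #4 (HKLM\...\Svchost\NetSvcs on the affected machine).
NETSVCS_GROUP = ("trlokom_rmhsvc", "gusvc", "idebusdr", "SfCtlCom",
                 "VAIOMediaPlatform-MusicServer-HTTP", "SE2Bmgmt", "stacsv")

# Sample input copied from the OTL log posted later in this thread.
SAMPLE_OTL = r"""
SRV - (trlokom_rmhsvc) -- %systemroot%\system32\atchksrv.dll File not found
SRV - (SE2Bmgmt) -- %systemroot%\system32\RushTopDevice.dll File not found
SRV - (gusvc) -- %systemroot%\system32\wg4n.dll File not found
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe (Symantec Corporation)
SRV - (Swupdtmr) -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()
DRV - (WDICA) --  File not found
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\srtspx.sys (Symantec Corporation)
DRV - (catchme) -- C:\DOCUME~1\Bob\LOCALS~1\Temp\catchme.sys File not found
NetSvcs: 6to4 -  File not found
NetSvcs: NWCWorkstation - %systemroot%\system32\tap0901.dll File not found
"""


@dataclass(frozen=True)
class ServiceEntry:
    kind: str       # "SRV" (Win32 service), "DRV" (driver) or "NetSvcs" (svchost group member)
    name: str
    path: str       # as OTL printed it; may be empty or contain %systemroot%
    company: str    # "" when OTL found no company name
    missing: bool   # True when OTL reported "File not found"


def _split_rest(rest: str) -> tuple[str, str, bool]:
    """Split the text after ' -- ' into (path, company, missing)."""
    rest = rest.strip()
    if rest.endswith(_MISSING):
        return rest[: -len(_MISSING)].strip(), "", True
    m = _COMPANY_RE.match(rest)
    if m:  # the last "(...)" is the company, so "Program Files (x86)" in a path is safe
        return m.group("path").strip(), m.group("company").strip(), False
    return rest, "", False


def parse_otl(text: str) -> list[ServiceEntry]:
    """Parse SRV/DRV/NetSvcs lines; anything else (PRC, MOD, O4, ...) is skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SVC_RE.match(line)
        kind = m.group("kind") if m else "NetSvcs"
        if not m:
            m = _NETSVC_RE.match(line)
        if not m:
            continue
        path, company, missing = _split_rest(m.group("rest"))
        entries.append(ServiceEntry(kind, m.group("name"), path, company, missing))
    return entries


def orphaned_services(entries, netsvcs_group=NETSVCS_GROUP) -> list[tuple[str, str]]:
    """Return (name, reason) for every entry whose file is missing, svchost-hosted ones first."""
    hosted = {n.lower() for n in netsvcs_group}
    findings = []
    for e in entries:
        if not e.missing:
            continue
        shown = e.path or "<no path recorded>"
        if e.kind == "NetSvcs" or e.name.lower() in hosted:
            findings.append((e.name, f"svchost NetSvcs entry, ServiceDll missing: {shown}"))
        elif e.kind == "SRV":
            findings.append((e.name, f"Win32 service binary missing: {shown}"))
        else:
            findings.append((e.name, f"driver image missing: {shown}"))
    # stable sort: NetSvcs orphans first, otherwise the order OTL printed them in
    findings.sort(key=lambda f: not f[1].startswith("svchost"))
    return findings


if __name__ == "__main__":
    for name, reason in orphaned_services(parse_otl(SAMPLE_OTL)):
        print(f"{name:20} {reason}")
```

A finding is a lead to research, as nasdaq did per name on systemlookup.com, not a verdict; stock Windows group members that OTL reports as absent will also appear in the list.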



#9 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2012 - 02:26 PM

Hi,

So I ran Combofix again removing all those net svcs. I uninstalled Microsoft Security Essentials and installed Symantec Endpoint Security and then ran a full scan with that (it found nothing).

Just ran combofix again and it's still detecting ZeroAccess.rootkit.

I also deleted the FixZeroAccess folder.

I have no idea why Combofix is showing so many false positives. The machine seems to be running ok. So I guess we'll call it a day?




#10 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 17 April 2012 - 04:50 PM

And here's the log from running combo fix from Safe Mode. Just thought I'd try that. Still detected a rootkit.

Attached Files

  • Attached File  log.txt   11.81KB   1 downloads


#11 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Location:Montreal, QC. Canada

Posted 18 April 2012 - 09:00 AM

Let's check deeper.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===

#12 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts

Posted 18 April 2012 - 01:44 PM

OTL logfile created on: 4/18/2012 11:23:44 AM - Run 2
OTL by OldTimer - Version 3.2.40.0     Folder = C:\Documents and Settings\Bob\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.91% Memory free
3.84 Gb Paging File | 3.44 Gb Available in Paging File | 89.57% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.80 Gb Total Space | 115.55 Gb Free Space | 77.65% Space Free | Partition Type: NTFS

Computer Name: TOSHIBA-USER | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Bob\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe (Symantec Corporation)
PRC - C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
PRC - C:\WINDOWS\twain_32\Samsung\CLX3170\Scan2Pc.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe (TOSHIBA Inc.)
PRC - C:\Program Files\Synaptics\SynTP\Toshiba.exe (Synaptics, Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel Corporation)
PRC - C:\Program Files\Toshiba\ConfigFree\CFSServ.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Toshiba\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
PRC - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()
PRC - C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
PRC - C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)

========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
MOD - C:\WINDOWS\twain_32\Samsung\CLX3170\Scan2Pc.exe ()
MOD - C:\WINDOWS\twain_32\Samsung\CLX3170\SSOle.dll ()
MOD - C:\WINDOWS\twain_32\Samsung\CLX3170\NetModule.dll ()
MOD - C:\WINDOWS\twain_32\Samsung\CLX3170\IMFilter.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\sst1cl3.dll ()
MOD - C:\WINDOWS\system32\tsbwls.dll ()
MOD - C:\Program Files\Intel\Wireless\Bin\Libeay32.dll ()
MOD - C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll ()
MOD - C:\Program Files\Intel\Wireless\Bin\IntStngs.dll ()
MOD - C:\Program Files\Intel\Wireless\Bin\acAuth.dll ()
MOD - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()
MOD - C:\WINDOWS\system32\TosBtHcrpAPI.dll ()

========== Win32 Services (SafeList) ==========

SRV - (trlokom_rmhsvc) -- %systemroot%\system32\atchksrv.dll File not found
SRV - (stacsv) -- %systemroot%\system32\mwagent.dll File not found
SRV - (SfCtlCom) -- %systemroot%\system32\mctskshd.exe.dll File not found
SRV - (SE2Bmgmt) -- %systemroot%\system32\RushTopDevice.dll File not found
SRV - (nwcworkstation) -- %systemroot%\system32\tap0901.dll File not found
SRV - (idebusdr) -- %systemroot%\system32\NVTCP.dll File not found
SRV - (gusvc) -- %systemroot%\system32\wg4n.dll File not found
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\snac.exe (Symantec Corporation)
SRV - (SepMasterService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe (Symantec Corporation)
SRV - (Swupdtmr) -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()
SRV - (CFSvcs) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (DVD-RAM_Service) -- C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)

========== Driver Services (SafeList) ==========

DRV - (WDICA) --  File not found
DRV - (UIUSys) -- system32\DRIVERS\UIUSYS.SYS File not found
DRV - (SSPORT) -- C:\WINDOWS\system32\Drivers\SSPORT.sys File not found
DRV - (smihlp) -- C:\Program Files\Protector Suite QL\smihlp.sys File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (FileDisk2) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys File not found
DRV - (FdRedir) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys File not found
DRV - (DgiVecp) -- C:\WINDOWS\system32\Drivers\DgiVecp.sys File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\Bob\LOCALS~1\Temp\catchme.sys File not found
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (meiudf) -- C:\WINDOWS\system32\drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20120402.011\BHDrvx86.sys (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20120416.001\IDSXpx86.sys (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs\20120416.001\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs\20120416.001\NAVENG.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\srtspx.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\Ironx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\symtdi.sys (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\SymEFA.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\SEP\0C0103E8\009D.105\x86\SymDS.sys (Symantec Corporation)
DRV - (ubloxusb) -- C:\WINDOWS\system32\drivers\ubloxusb.sys (u-blox AG)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (SMCB000) -- C:\WINDOWS\system32\drivers\HIDSMSC.SYS (SMSC)
DRV - (qkbfiltr) -- C:\WINDOWS\system32\drivers\qkbfiltr.sys (Quanta Computer, Inc.)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)
DRV - (w39n51) Intel(R) -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (tbiosdrv) -- C:\WINDOWS\system32\drivers\tbiosdrv.sys ()
DRV - (BoiHwsetup) -- C:\WINDOWS\system32\drivers\BoiHwSetup.sys (Quanta Computer Corp)
DRV - (qmofiltr) -- C:\WINDOWS\system32\drivers\qmofiltr.sys (Quanta Computer, Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\SearchScopes,DefaultScope = {2CF0D3C9-A080-41D5-9658-279DB656E26E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{2CF0D3C9-A080-41D5-9658-279DB656E26E}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "BrotherSoft Extreme Customized Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {51a86bb3-6602-4c85-92a5-130ee4864f13}:3.5.1.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\IPSFFPlgn\ [2012/04/18 10:55:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 10:46:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/05 22:07:35 | 000,000,000 | ---D | M]

[2010/01/27 18:09:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions
[2012/03/18 20:03:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\csrefus6.default\extensions
[2010/07/06 14:20:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\csrefus6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/03/18 20:03:39 | 000,000,000 | ---D | M] (BrotherSoft Extreme Community Toolbar) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\csrefus6.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}
[2011/08/06 11:58:42 | 000,000,000 | ---D | M] (Toggle Private Browsing) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\csrefus6.default\extensions\toggleprivatebrowsing@supernova00.biz
[2012/04/05 16:50:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/05 16:50:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/04/05 16:49:10 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/03/18 10:46:57 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/05 16:49:06 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/09 07:57:31 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/09 07:57:31 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/04/10 10:14:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [3170 Scan2PC] C:\WINDOWS\Twain_32\Samsung\CLX3170\Scan2pc.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CFSServ.exe] CFSServ.exe -NoClient File not found
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Toshiba Hotkey Utility] c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe (TOSHIBA Inc.)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{93133D66-B199-462B-9107-8CF7BE9E5EF3}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/02 14:28:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation - %systemroot%\system32\tap0901.dll File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: nwcworkstation - %systemroot%\system32\tap0901.dll File not found
NetSvcs: WmdmPmSp -  File not found

========== Files/Folders - Created Within 30 Days ==========

 

[2012/04/18 11:22:50 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bob\Desktop\OTL.exe

[2012/04/17 14:45:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2012/04/16 12:54:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Symantec

[2012/04/16 12:53:58 | 000,060,872 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2012/04/16 12:53:57 | 000,127,096 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2012/04/16 12:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared

[2012/04/16 12:52:50 | 000,241,584 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll

[2012/04/16 12:52:50 | 000,076,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll

[2012/04/16 12:52:50 | 000,032,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS

[2012/04/16 12:52:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\regid.1992_12.com.symantec

[2012/04/16 12:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105\x86

[2012/04/16 12:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP

[2012/04/16 12:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C0103E8

[2012/04/16 12:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105

[2012/04/16 12:52:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection

[2012/04/16 12:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec

[2012/04/16 12:52:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec

[2012/04/16 12:39:17 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy

[2012/04/14 12:20:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2012/04/14 12:20:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2012/04/14 12:20:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2012/04/14 12:20:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2012/04/10 12:01:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2012/04/09 23:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\NPE

[2012/04/09 23:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton

[2012/04/09 22:42:20 | 000,000,000 | ---D | C] -- C:\MGtools

[2012/04/09 21:58:49 | 000,092,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.svs

[2012/04/09 16:38:58 | 004,462,354 | R--- | C] (Swearware) -- C:\Documents and Settings\Bob\Desktop\ComboFix.exe

[2012/04/05 16:51:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2012/04/05 16:49:52 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2012/04/05 16:49:51 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2012/04/05 16:49:51 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2012/04/05 16:49:51 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2012/04/05 15:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun

[2012/04/03 15:47:42 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2012/04/03 15:26:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Bob\Start Menu\Programs\Administrative Tools

[2012/03/31 19:21:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

 

========== Files - Modified Within 30 Days ==========

 

[2012/04/18 11:21:52 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob\Desktop\OTL.exe

[2012/04/18 10:55:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/04/18 10:55:33 | 2137,182,208 | -HS- | M] () -- C:\hiberfil.sys

[2012/04/16 12:54:06 | 000,657,174 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105\x86\Cat.DB

[2012/04/16 12:53:57 | 000,127,096 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2012/04/16 12:53:57 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2012/04/16 12:53:57 | 000,007,510 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2012/04/16 12:53:57 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2012/04/16 12:52:50 | 000,241,584 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll

[2012/04/16 12:52:50 | 000,076,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll

[2012/04/16 12:52:50 | 000,032,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS

[2012/04/16 12:52:50 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105\x86\isolate.ini

[2012/04/16 12:49:13 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif

[2012/04/16 12:30:49 | 000,507,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/04/16 12:30:49 | 000,090,180 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/04/16 11:44:33 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/04/14 13:06:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/04/14 12:19:04 | 004,462,354 | R--- | M] (Swearware) -- C:\Documents and Settings\Bob\Desktop\ComboFix.exe

[2012/04/10 10:14:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2012/04/09 23:41:23 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/04/09 23:36:48 | 000,000,325 | RHS- | M] () -- C:\boot.ini

[2012/04/09 22:44:24 | 000,239,449 | ---- | M] () -- C:\MGlogs.zip

[2012/04/09 20:10:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Bob\defogger_reenable

[2012/04/09 09:37:29 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/04/06 17:04:11 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2012/04/05 16:48:57 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2012/04/05 16:48:57 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2012/04/05 16:48:57 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2012/04/05 16:48:56 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2012/04/05 16:48:53 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/04/03 15:48:34 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\System32\drivers\meiudf.sys

 

========== Files Created - No Company Name ==========

 

[2012/04/17 14:51:34 | 2137,182,208 | -HS- | C] () -- C:\hiberfil.sys

[2012/04/16 12:53:59 | 000,657,174 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105\x86\Cat.DB

[2012/04/16 12:53:58 | 000,007,510 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2012/04/16 12:53:57 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2012/04/16 12:52:50 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C0103E8\009D.105\x86\isolate.ini

[2012/04/14 12:20:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2012/04/14 12:20:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2012/04/14 12:20:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2012/04/14 12:20:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2012/04/14 12:20:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2012/04/09 23:41:23 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/04/09 22:42:21 | 000,239,449 | ---- | C] () -- C:\MGlogs.zip

[2012/04/09 20:10:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bob\defogger_reenable

[2012/03/31 17:09:02 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/02/16 11:15:36 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/06/17 14:56:39 | 000,050,592 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/10/10 15:06:58 | 000,113,768 | ---- | C] () -- C:\WINDOWS\Wiainst.exe

[2010/10/10 15:06:48 | 000,143,872 | ---- | C] () -- C:\WINDOWS\System32\SaXPWIA.dll

[2010/10/10 15:06:48 | 000,139,776 | ---- | C] () -- C:\WINDOWS\System32\SaXPEH.dll

[2010/10/10 15:06:48 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\SaXPUIEx.dll

[2010/10/10 15:06:48 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\SaXPIPH.dll

[2010/10/10 15:06:48 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\SaXPSTI.dll

[2010/10/10 15:03:20 | 000,482,408 | ---- | C] () -- C:\WINDOWS\ssndii.exe

[2010/10/10 15:02:36 | 000,022,723 | ---- | C] () -- C:\WINDOWS\System32\sst1cl3.dll

 

========== LOP Check ==========

 

[2010/10/29 16:55:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

[2012/04/09 21:28:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData

[2012/04/16 12:52:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1992_12.com.symantec

[2006/03/02 17:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2011/05/12 00:52:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent

[2011/05/12 00:54:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO

[2011/05/19 14:19:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2011/09/10 15:02:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\GetRightToGo

[2006/03/03 11:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\InterVideo

[2010/03/20 15:38:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Leadertech

[2010/01/27 12:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Protector Suite

[2010/04/04 12:20:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\Template

[2006/03/02 17:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bob\Application Data\toshiba

 

========== Purity Check ==========

 

 

 

========== Custom Scans ==========

 

< %SYSTEMDRIVE%\*.exe >

[2011/04/03 18:37:18 | 001,376,832 | ---- | M] () -- C:\sar_15_sfx.exe

[2011/04/03 18:39:54 | 008,104,967 | ---- | M] (McAfee Inc.) -- C:\stinger10101504.exe

 

< %systemroot%\system32\drivers\*.sys /90 >

[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

[2012/04/03 15:48:34 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\system32\drivers\meiudf.sys

[2012/04/16 12:53:57 | 000,127,096 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS

[2012/02/15 11:01:50 | 000,043,520 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys

[2012/04/16 12:52:50 | 000,032,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\WGX.SYS

 

< %systemroot%\*. /mp /s >

 

< c:\$recycle.bin\*.* /s >

 

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-04-16 19:32:57

 

< MD5 for: AGP440.SYS >

[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2010/04/07 21:16:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys

[2010/04/07 21:16:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

 

< MD5 for: ATAPI.SYS >

[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2010/04/07 21:16:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2004/08/10 05:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys

[2010/04/07 21:16:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\MGtools\temp\ERDNT\atapi.sys

[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\MGtools\temp\SPF\atapi.sys

[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\MGtools\temp\NTSPU\atapi.sys

[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2004/08/10 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

 

< MD5 for: AUTOCHK.EXE >

[2008/04/13 17:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\cmdcons\autochk.exe

[2008/04/13 17:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\ServicePackFiles\i386\autochk.exe

[2008/04/13 17:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\system32\autochk.exe

[2004/08/10 05:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\$NtServicePackUninstall$\autochk.exe

[2004/08/10 05:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\I386\AUTOCHK.EXE

 

< MD5 for: BEEP.SYS >

[2004/08/10 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys

[2004/08/10 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

 

< MD5 for: EVENTLOG.DLL >

[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/10 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

 

< MD5 for: EXPLORER.EXE >

[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe

[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

[2004/08/10 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

 

< MD5 for: KERNEL32.DLL >

[2009/03/21 06:54:07 | 000,989,184 | ---- | M] (Microsoft Corporation) MD5=80202858D245FF07DAA1739C57A3E19B -- C:\WINDOWS\$hf_mig$\KB959426\SP2QFE\kernel32.dll

[2004/08/10 05:00:00 | 000,983,552 | ---- | M] (Microsoft Corporation) MD5=888190E31455FAD793312F8D087146EB -- C:\WINDOWS\$NtUninstallKB959426_0$\kernel32.dll

[2009/03/21 07:18:57 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=B6ACAED7588295129791E0E6A2B0FADE -- C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll

[2009/03/21 07:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\$hf_mig$\KB959426\SP3GDR\kernel32.dll

[2009/03/21 07:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\ERDNT\cache\kernel32.dll

[2009/03/21 07:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\dllcache\kernel32.dll

[2009/03/21 07:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\kernel32.dll

[2008/04/13 17:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll

[2008/04/13 17:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\ServicePackFiles\i386\kernel32.dll

[2009/03/21 06:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll

 

< MD5 for: MSWSOCK.DLL >

[2008/06/20 10:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\$NtServicePackUninstall$\mswsock.dll

[2008/06/20 10:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll

[2004/08/10 05:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748_0$\mswsock.dll

[2008/06/20 10:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll

[2008/06/20 10:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll

[2008/06/20 09:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\ERDNT\cache\mswsock.dll

[2008/06/20 09:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll

[2008/06/20 09:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll

[2008/04/13 17:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll

[2008/04/13 17:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\ServicePackFiles\i386\mswsock.dll

[2008/06/20 10:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll

[2008/06/20 10:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

 

< MD5 for: NDIS.SYS >

[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\MGtools\temp\ERDNT\ndis.sys

[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\MGtools\temp\SPF\ndis.sys

[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ERDNT\cache\ndis.sys

[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys

[2008/04/13 12:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\drivers\ndis.sys

[2004/08/10 05:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\MGtools\temp\NTSPU\ndis.sys

[2004/08/10 05:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys

 

< MD5 for: NETLOGON.DLL >

[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll

[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_1$\netlogon.dll

[2004/08/10 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_1$\netlogon.dll

 

< MD5 for: NTFS.SYS >

[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\MGtools\temp\ERDNT\ntfs.sys

[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\MGtools\temp\SPF\ntfs.sys

[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\ERDNT\cache\ntfs.sys

[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\ServicePackFiles\i386\ntfs.sys

[2008/04/13 12:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\system32\drivers\ntfs.sys

[2004/08/03 23:15:10 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\cmdcons\NTFS.SYS

[2004/08/10 05:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\MGtools\temp\NTSPU\ntfs.sys

[2004/08/10 05:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\$NtServicePackUninstall$\ntfs.sys

[2004/08/10 05:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\I386\NTFS.SYS

 

< MD5 for: NTMSSVC.DLL >

[2008/04/13 17:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\ERDNT\cache\ntmssvc.dll

[2008/04/13 17:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\ServicePackFiles\i386\ntmssvc.dll

[2008/04/13 17:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\system32\ntmssvc.dll

[2004/08/10 05:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\$NtServicePackUninstall$\ntmssvc.dll

 

< MD5 for: PROQUOTA.EXE >

[2004/08/10 05:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe

[2008/04/13 17:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe

[2008/04/13 17:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

 

< MD5 for: QMGR.DLL >

[2004/08/10 05:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ERDNT\cache\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

 

< MD5 for: SCECLI.DLL >

[2004/08/10 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

 

< MD5 for: SFCFILES.DLL >

[2004/08/10 05:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\$NtServicePackUninstall$\sfcfiles.dll

[2008/04/13 17:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ERDNT\cache\sfcfiles.dll

[2008/04/13 17:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ServicePackFiles\i386\sfcfiles.dll

[2008/04/13 17:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\sfcfiles.dll

 

< MD5 for: SPOOLSV.EXE >

[2010/08/17 06:19:36 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=258DD5D4283FD9F9A7166BE9AE45CE73 -- C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe

[2010/08/17 06:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\ERDNT\cache\spoolsv.exe

[2010/08/17 06:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\dllcache\spoolsv.exe

[2010/08/17 06:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\spoolsv.exe

[2004/08/10 05:00:00 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=7435B108B935E42EA92CA94F59C8E717 -- C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

[2005/06/10 17:17:13 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=AD3D9D191AEA7B5445FE1D82FFBB4788 -- C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

[2008/04/13 17:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\$NtUninstallKB2347290$\spoolsv.exe

[2008/04/13 17:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe

[2005/06/10 16:53:32 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=DA81EC57ACD4CDC3D4C51CF3D409AF9F -- C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe

 

< MD5 for: SRSVC.DLL >

[2008/04/13 17:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ERDNT\cache\srsvc.dll

[2008/04/13 17:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ServicePackFiles\i386\srsvc.dll

[2008/04/13 17:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\srsvc.dll

[2004/08/10 05:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll

 

< MD5 for: SVCHOST.EXE >

[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe

[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe

[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

[2004/08/10 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

 

< MD5 for: TERMSRV.DLL  >

[2004/08/10 05:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\$NtUninstallKB895961$\termsrv.dll

[2005/03/10 00:49:51 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=C29A5286E64D97385178452D5F307B98 -- C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll

[2008/04/13 17:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\ERDNT\cache\termsrv.dll

[2008/04/13 17:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\ServicePackFiles\i386\termsrv.dll

[2008/04/13 17:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\system32\termsrv.dll

 

< MD5 for: USERINIT.EXE  >

[2004/08/10 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe

[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe

[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

 

< MD5 for: XMLPROV.DLL  >

[2008/04/13 17:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\ERDNT\cache\xmlprov.dll

[2008/04/13 17:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\ServicePackFiles\i386\xmlprov.dll

[2008/04/13 17:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\system32\xmlprov.dll

[2004/08/10 05:00:00 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\$NtServicePackUninstall$\xmlprov.dll



< End of report >



#13 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:56 PM

Posted 19 April 2012 - 08:32 AM

Run OTL - Double-click OTL.exe to start it.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    DRV - (PDRFRAME) --  File not found
    DRV - (PDRELI) --  File not found
    DRV - (PDFRAME) --  File not found
    DRV - (PDCOMP) --  File not found
    DRV - (PCIDump) --  File not found
    DRV - (lbrtfdc) --  File not found
    DRV - (i2omgmt) --  File not found
    DRV - (Changer) --  File not found
    NetSvcs: 6to4 -  File not found
    NetSvcs: Ias -  File not found
    NetSvcs: Iprip -  File not found
    NetSvcs: Irmon -  File not found
    NetSvcs: NWCWorkstation - %systemroot%\system32\tap0901.dll File not found
    NetSvcs: Nwsapagent -  File not found
    NetSvcs: nwcworkstation - %systemroot%\system32\tap0901.dll File not found
    NetSvcs: WmdmPmSp -  File not found
    
    :Commands
    [emptytemp]
    [resethosts]
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

How is it now?

#14 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts
  • Local time:04:56 PM

Posted 19 April 2012 - 01:36 PM

Hi,

OTL crashed on restart.
And a box popped up saying "Warning - Cannot Access Volume Control".
And a Network Connections dialog popped up with "Network Connections was unable to get into that folder". It went away before I was able to get to it. But now there are no network adapters in Network Connections.
So now I have no audio and no network (wireless or wired),
and OTL crashes in Kernel32.dll on launch, so I'm unable to post the new log.

I'm going to run SFC /scannow and see what I come up with

Then I'm going to run Combofix to see how that turns out. I'll post results shortly.

#15 Dan Kalmick

  • Topic Starter
  • Members
  • 15 posts
  • Local time:04:56 PM

Posted 19 April 2012 - 03:00 PM

The AVG Free error with Combofix is now gone. But so are my network connection and audio. I've attached the new Combofix log... which did still state that there was the ZeroAccess rootkit. I'm going to attempt to get back the network adapters by removing them and letting Windows re-detect them. ... That did not work.

So a bunch of my network services won't start now. Did we accidentally kill some NetSvc we weren't supposed to? When I try to start Network Connections or Audio Services... I get an "Error 1053: The service did not respond to the start or control request in a timely fashion."

It looks like it's missing.

Running SFC /scannow produced a bunch of errors that it couldn't start the service...me thinks that svchost.exe is broken. Is there anything else we can try to get svchost.exe working again?
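The question this post ends on (whether svchost.exe is actually damaged) can be partly answered from the MD5 listing OTL already produced above, without running anything further on the box. The script below is an added example for this page, not a tool from the thread, from OTL or from Malwarebytes: it parses OTL's `[mtime | size | attrs | M] (Company) MD5=hash -- path` lines, groups the copies of each file, and compares the copy Windows loads from `C:\WINDOWS\system32` against the Service Pack baseline in `C:\WINDOWS\ServicePackFiles\i386`. A live copy that differs from the baseline but agrees with the `dllcache` copy and carries a company string is classed as "updated" (the spoolsv.exe case in the report, where the KB2347290 hotfix replaced the SP3 file); a live copy that differs and has no such corroboration is a "mismatch" worth checking. The sample input reuses lines from the report above plus one constructed file (`example.dll`, placeholder hashes) so the mismatch path is exercised.

```python
"""Cross-check the '< MD5 for: ... >' section of an OTL report.

Added example written for this page; not part of OTL or of the thread.
The directory names below are the Windows XP defaults seen in the report.
"""
import re
from collections import defaultdict

# One OTL MD5 line: [mtime | size | attrs | M] (Company) MD5=hash -- path
OTL_MD5_LINE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]*?)\s*\|\s*M\]"
    r"\s+\((?P<company>[^)]*)\)\s+MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>.+?)\s*$"
)

REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"   # SP3 baseline copies
LIVE_DIR = r"c:\windows\system32"                      # copies Windows actually loads
CACHE_DIR = LIVE_DIR + r"\dllcache"                    # Windows File Protection cache

# Sample input: lines copied from the OTL report above, plus one constructed
# file (example.dll, placeholder hashes) so the "mismatch" verdict is exercised.
SAMPLE_REPORT = r"""
< MD5 for: SVCHOST.EXE  >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/10 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
< MD5 for: USERINIT.EXE  >
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
< MD5 for: SPOOLSV.EXE  >
[2010/08/17 06:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\dllcache\spoolsv.exe
[2010/08/17 06:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\spoolsv.exe
[2008/04/13 17:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
< MD5 for: EXAMPLE.DLL  >   (constructed test case, not from the report)
[2008/04/13 17:12:00 | 000,010,240 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\ServicePackFiles\i386\example.dll
[2012/04/01 03:14:15 | 000,010,240 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\example.dll
"""


def parse_md5_lines(report_text):
    """Return one dict per OTL MD5 line; section headers and blanks are skipped."""
    entries = []
    for raw in report_text.splitlines():
        m = OTL_MD5_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        directory, _, filename = e["path"].lower().rpartition("\\")
        e.update(
            size=int(e["size"].replace(",", "")),
            company=e["company"].strip(),
            md5=e["md5"].upper(),
            directory=directory,
            name=filename,
        )
        entries.append(e)
    return entries


def classify_live_copies(entries):
    """Map each file name to a verdict about the copy in LIVE_DIR."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    verdicts = {}
    for name, copies in by_name.items():
        live = next((c for c in copies if c["directory"] == LIVE_DIR), None)
        ref = next((c for c in copies if c["directory"] == REFERENCE_DIR), None)
        cache = next((c for c in copies if c["directory"] == CACHE_DIR), None)
        if live is None:
            verdicts[name] = "no-live-copy"
        elif ref is None:
            verdicts[name] = "no-baseline"
        elif (live["md5"], live["size"]) == (ref["md5"], ref["size"]):
            verdicts[name] = "baseline"
        elif cache is not None and cache["md5"] == live["md5"] and live["company"]:
            # Differs from the SP baseline but agrees with the WFP cache copy and
            # carries a company string: consistent with a later hotfix. Confirm
            # against the $NtUninstallKB...$ folder dates before trusting it.
            verdicts[name] = "updated"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def suspicious_files(report_text):
    """Names whose live copy matches neither the baseline nor the WFP cache."""
    verdicts = classify_live_copies(parse_md5_lines(report_text))
    return sorted(n for n, v in verdicts.items() if v == "mismatch")


if __name__ == "__main__":
    for name, verdict in sorted(classify_live_copies(parse_md5_lines(SAMPLE_REPORT)).items()):
        print(f"{name:14s} {verdict}")
```

On the report above this gives "baseline" for svchost.exe, userinit.exe, srsvc.dll, termsrv.dll and xmlprov.dll, so the loaded svchost.exe is byte-for-byte the SP3 file and the Error 1053 failures are more plausibly down to the service configuration or the removed NetSvcs entries than to a patched binary. The Malwarebytes Chameleon svchost.exe, with its blank company field, is deliberately not flagged: it lives outside system32 and is never what the Service Control Manager loads. A "mismatch" verdict is a reason to compare the file against a known-good copy, not proof on its own.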



