
fixitagaintony

Members, 10 posts
Reputation: 0 Neutral
  1. MBRCheck, version 1.2.3 © 2010, AD
     Command-line:
     Windows Version: Windows XP Home Edition
     Windows Information: Service Pack 3 (build 2600)
     Logical Drives Mask: 0x0000000c
     \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
     Size Device Name MBR Status
     --------------------------------------------
     596 GB \\.\PhysicalDrive0 Windows XP MBR code detected
     SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
     Done! Press ENTER to exit...
  2. The system doesn't seem to have a problem now. There is very little process activity in Task Manager when it's idle. TDSSKiller starts to load, but at 80% it causes my system to reboot and report a serious error. I don't see anything in the Windows logs to explain the crash. Because the PC was reinfected with XP Security 2012 after I initially cleared it up, I am trying to backtrack and see where the infection came from. It might have been a website visited today, not sure yet.
  3. My latest disinfection log with the Malwarebytes scanner
     _______________________________________________________________________
     Malwarebytes Anti-Malware 1.60.0.1800
     www.malwarebytes.org
     Database version: v2011.12.29.04
     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     Tony :: TOTORO [limited]
     12/29/2011 8:30:14 AM
     mbam-log-2011-12-29 (08-30-14).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 335743
     Time elapsed: 5 minute(s), 41 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 1
     HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\nxr.exe" -a "%1" %* -> Quarantined and deleted successfully.
     Registry Data Items Detected: 6
     HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\nxr.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\nxr.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\nxr.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\nxr.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
     (end)
  4. Combofix was able to complete and save a log after a reboot on my third attempt
     _______________________________________________________________________________
     ComboFix 11-12-29.04 - Tony 12/29/2011 9:32.5.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2793 [GMT -8:00]
     Running from: c:\documents and settings\Tony.TOTORO\My Documents\downloads\ComboFix.exe
     AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
  5. I am unable to get a new scan with ComboFix to complete. There is rootkit activity detected during the scan. After a reboot it tries to continue, but the system crashes and no new log file is saved.
  6. ComboFix 11-12-24.01 - Tony 12/24/2011 13:00:54.3.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2764 [GMT -8:00] Running from: c:\documents and settings\Tony.TOTORO\My Documents\downloads\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 ))))))))))))))))))))))))))))))) . . 2011-12-24 14:35 . 2011-12-24 14:35 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsl5a665fce.sys 2011-12-24 14:26 . 2011-12-24 14:26 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsl95c22126.sys 2011-12-24 14:25 . 2011-12-24 14:25 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsladea4750.sys 2011-12-24 14:02 . 2011-12-24 14:02 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsle1c7838e.sys 2011-12-24 14:02 . 2011-12-24 14:35 56200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\offreg.dll 2011-12-23 17:26 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\mpengine.dll 2011-12-22 05:35 . 2011-12-22 05:35 -------- d-----w- c:\documents and settings\Tony.TOTORO\Application Data\Malwarebytes 2011-12-22 05:35 . 
2011-12-22 05:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes 2011-12-22 05:35 . 2011-12-22 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-12-22 05:35 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-12-22 04:00 . 2011-07-15 13:29 456320 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys 2011-12-22 04:00 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys 2011-11-21 10:47 . 2011-10-16 18:22 6823496 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-11-12 14:15 . 2011-06-03 00:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-11-04 19:20 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll 2011-11-04 19:20 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-11-04 19:20 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-11-01 16:07 . 2001-08-23 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll 2011-10-28 05:31 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-10-25 13:37 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-10-25 12:52 . 2001-08-17 13:48 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe 2011-10-18 11:13 . 2002-10-11 08:23 186880 ------w- c:\windows\system32\encdec.dll 2011-10-10 14:22 . 2003-03-03 23:57 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 18:41 . 
2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 18:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-11-10 00:31 . 2011-03-22 20:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OpenHardwareMonitor"="c:\documents and settings\Tony.TOTORO\My Documents\openhardwaremonitor-v0.2.1-beta\OpenHardwareMonitor\OpenHardwareMonitor.exe" [2011-03-13 190464] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416] "RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-10 98304] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544] . c:\documents and settings\Tony.TOTORO\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\Dropbox.exe [2011-8-17 24182160] . c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-10 434176] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-22 16:38 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-06-08 00:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-16 01:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 15:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 23:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 23:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2003-04-07 15:16 77824 ----a-w- c:\program files\Logitech\Profiler\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-12 00:37 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 21:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-06-08 00:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\source sdk base 2007\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\mp_tool.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Unity\\Editor\\Unity.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Tony.TOTORO\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip warlord\\igwarlord.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip warlord\\dedicated server\\igwarlord.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip marauders\\prism.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\sourcesdk\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 MpKsl5a665fce;MpKsl5a665fce;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsl5a665fce.sys [12/24/2011 6:35 AM 29904]
R1 MpKsl95c22126;MpKsl95c22126;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsl95c22126.sys [12/24/2011 6:26 AM 29904]
R1 MpKsladea4750;MpKsladea4750;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsladea4750.sys [12/24/2011 6:25 AM 29904]
R1 MpKsle1c7838e;MpKsle1c7838e;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4363D2E2-004F-4D1E-ABD8-86891D459684}\MpKsle1c7838e.sys [12/24/2011 6:02 AM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 67656]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [10/7/2011 8:58 PM 101904]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\Tony.TOTORO\My Documents\openhardwaremonitor-v0.2.1-beta\OpenHardwareMonitor\WinRing0.sys [7/26/2008 11:30 PM 14416]
S0 ifp500;iRiver Internet Audio Player IFP-500;c:\windows\system32\Drivers\ifp500.sys --> c:\windows\system32\Drivers\ifp500.sys [?]
S1 MpKsld87cab43;MpKsld87cab43;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F2DA5950-F525-48C4-B3F1-5EB6342C9E7F}\MpKsld87cab43.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F2DA5950-F525-48C4-B3F1-5EB6342C9E7F}\MpKsld87cab43.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 2:51 PM 136176]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2/9/2003 5:17 PM 26288]
S3 DCamUSBBVI;SiPix StyleCam BlinkII Dual Mode Camera;c:\windows\system32\Drivers\biomini.sys --> c:\windows\system32\Drivers\biomini.sys [?]
S3 DCamUSBGT892x;Digital Camera - PC Camera;c:\windows\system32\drivers\GT892xV.SYS [5/24/2003 7:07 AM 336504]
S3 DPIUSB;iRiver DataPlay Device;c:\windows\system32\drivers\DPIUSB.sys [1/11/2003 8:39 PM 26269]
S3 DPX;DPX;c:\windows\system32\drivers\DPX.sys [1/11/2003 8:39 PM 16370]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 2:51 PM 136176]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\DRIVERS\imhidusb.sys --> c:\windows\system32\DRIVERS\imhidusb.sys [?]
S3 iteio;iteio;\??\c:\windows\System32\drivers\iteio.sys --> c:\windows\System32\drivers\iteio.sys [?]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [3/29/2011 10:27 AM 91496]
S3 SaiH3509;SaiH3509;c:\windows\system32\drivers\SaiH3509.sys [6/4/2005 6:47 PM 55808]
S3 SaiU3509;SaiU3509;c:\windows\system32\drivers\SaiU3509.sys [6/4/2005 6:47 PM 19456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
*NewlyCreated* - MPKSL5A665FCE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
EventSystem REG_MULTI_SZ EventSystem
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:51]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:51]
.
2011-12-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: bankofamerica.com
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{2B7E6746-81CE-4F7F-88DA-7A5806C0F1CD}: NameServer = 8.8.8.8,8.8.4.4
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Tony.TOTORO\Application Data\Mozilla\Firefox\Profiles\oljaxy0t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-24 13:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\C*o*m*m*a*n*d* *&* *C*o*n*q*u*e*r* *3* *T*i*b*e*r*i*u*m* *W*a*r*s*"!\Support]
"Order"=hex:08,00,00,00,02,00,00,00,8a,02,00,00,01,00,00,00,04,00,00,00,98,00,
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
.
[HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a1,0b,2a,5a,1a,48,1b,75,ab,d6,21,90,60,d8,f8,fd,01,52,d5,31,0c,ff,7f,
cc,a2,be,0a,06,12,3b,1c,39,a1,af,92,6f,33,e3,4b,89,76,16,19,54,08,ff,64,e2,\
"??"=hex:d2,8a,3d,7f,d6,ee,ff,ab,38,51,7b,8c,dc,d7,d2,0c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(604)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(1760)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-24 13:37:33
ComboFix-quarantined-files.txt 2011-12-24 21:37
ComboFix2.txt 2011-12-22 05:04
.
Pre-Run: 482,749,128,704 bytes free
Post-Run: 482,721,996,800 bytes free
.
- - End Of File - - 80427B128DB02F5387A48CFE662DC0FB
  7. I completed a full scan again, but nothing was found.
___________________________________________________________________
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122309

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/23/2011 7:30:56 PM
mbam-log-2011-12-23 (19-30-56).txt

Scan type: Full scan (C:\|)
Objects scanned: 570924
Time elapsed: 4 hour(s), 31 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Task Manager shows some 5%-10% CPU activity for WMP54Gv4.exe (Linksys Wireless Monitor) all of the time now since the infection.
  8. The PC runs fairly well, except that MS Security Essentials has detected a threat a few times since the Malwarebytes scan. This appears in the system logs:

Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496
Name: Virus:Win32/Sirefef.N
ID: 2147652496
Severity: Severe
Category: Virus
Path: file:_C:\System Volume Information\_restore{2D5905C3-063B-4E7F-B95F-37E0860F729E}\RP695\A0490030.sys
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: TOTORO\Tony
Process Name: C:\WINDOWS\system32\svchost.exe
Action: Clean
Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.
Error Code: 0x800704ec
Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
Signature Version: AV: 1.117.1650.0, AS: 1.117.1650.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
_____________________________________________

I will run another full scan with Malwarebytes, though it takes a few hours to complete.
  9. Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122201

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2011 2:21:37 PM
mbam-log-2011-12-22 (14-21-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 571339
Time elapsed: 4 hour(s), 21 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tony.TOTORO\Local Settings\Application Data\vkt.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
c:\RESTORE\s-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{2d5905c3-063b-4e7f-b95f-37e0860f729e}\RP695\A0490022.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\RESTORE\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.
  10. My daughter was using my WinXP PC today and managed to pick up the "XP Security 2012" malware. I ran a scan with MS Security Essentials that found and removed some infected files, but I saw that a new process, ping.exe, was still running, plus some other odd behavior. I followed this topic: http://forums.malwarebytes.org/index.php?showtopic=101206 which appeared to be the exact same infection as I have. I ran ComboFix, which appears to have removed the infection that MS Security Essentials was not able to detect and remove.

My Log:
__________________________________________________________________________
ComboFix 11-12-21.02 - Tony 12/21/2011 20:20:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2761 [GMT -8:00]
Running from: c:\documents and settings\Tony.TOTORO\My Documents\downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\HyperCam Toolbar\tbHElper.dll
c:\windows\$NtUninstallKB41772$\226930346\@
c:\windows\$NtUninstallKB41772$\226930346\bckfg.tmp
c:\windows\$NtUninstallKB41772$\226930346\cfg.ini
c:\windows\$NtUninstallKB41772$\226930346\Desktop.ini
c:\windows\$NtUninstallKB41772$\226930346\keywords
c:\windows\$NtUninstallKB41772$\226930346\kwrd.dll
c:\windows\$NtUninstallKB41772$\226930346\L\akygdmgo
c:\windows\$NtUninstallKB41772$\226930346\lsflt7.ver
c:\windows\$NtUninstallKB41772$\226930346\U\00000001.@
c:\windows\$NtUninstallKB41772$\226930346\U\00000002.@
c:\windows\$NtUninstallKB41772$\226930346\U\00000004.@
c:\windows\$NtUninstallKB41772$\226930346\U\80000000.@
c:\windows\$NtUninstallKB41772$\226930346\U\80000004.@
c:\windows\$NtUninstallKB41772$\226930346\U\80000032.@
c:\windows\CDAC13BA.EXE
c:\windows\CDAC14BA.DLL
c:\windows\system32\SET24.tmp
c:\windows\system32\SET28.tmp
c:\windows\system32\SET5B.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETAC.tmp
c:\windows\system32\SETB3.tmp
c:\windows\system32\SETBC.tmp
c:\windows\system32\SETBD.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\tmp22.tmp
c:\windows\system32\tmp23.tmp
c:\windows\$NtUninstallKB41772$\2368151420
.
.
.
.
Failed to delete
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-22 04:54 . 2011-12-22 04:54 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{20658E7B-DE1D-4BB9-9E70-7DDFCBC1D203}\MpKslbfd00364.sys
2011-12-22 04:54 . 2011-12-22 04:54 56200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{20658E7B-DE1D-4BB9-9E70-7DDFCBC1D203}\offreg.dll
2011-12-21 01:30 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{20658E7B-DE1D-4BB9-9E70-7DDFCBC1D203}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-10-16 18:22 6823496 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-12 14:15 . 2011-06-03 00:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2001-08-23 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2002-10-11 08:23 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2003-03-03 23:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-10 00:31 . 2011-03-22 20:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenHardwareMonitor"="c:\documents and settings\Tony.TOTORO\My Documents\openhardwaremonitor-v0.2.1-beta\OpenHardwareMonitor\OpenHardwareMonitor.exe" [2011-03-13 190464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-10 98304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Tony.TOTORO\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\Dropbox.exe [2011-8-17 24182160]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-10 434176]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-22 16:38 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-06-08 00:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-16 01:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 15:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 23:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 23:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2003-04-07 15:16 77824 ----a-w- c:\program files\Logitech\Profiler\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-12 00:37 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 21:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-06-08 00:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\source sdk base 2007\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\mp_tool.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Unity\\Editor\\Unity.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Tony.TOTORO\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip warlord\\igwarlord.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip warlord\\dedicated server\\igwarlord.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\iron grip marauders\\prism.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\spyvspy459\\sourcesdk\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 MpKslbfd00364;MpKslbfd00364;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{20658E7B-DE1D-4BB9-9E70-7DDFCBC1D203}\MpKslbfd00364.sys [12/21/2011 8:54 PM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 67656]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [10/7/2011 8:58 PM 101904]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\Tony.TOTORO\My Documents\openhardwaremonitor-v0.2.1-beta\OpenHardwareMonitor\WinRing0.sys [7/26/2008 11:30 PM 14416]
S0 ifp500;iRiver Internet Audio Player IFP-500;c:\windows\system32\Drivers\ifp500.sys --> c:\windows\system32\Drivers\ifp500.sys [?]
S1 MpKsld87cab43;MpKsld87cab43;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F2DA5950-F525-48C4-B3F1-5EB6342C9E7F}\MpKsld87cab43.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F2DA5950-F525-48C4-B3F1-5EB6342C9E7F}\MpKsld87cab43.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 2:51 PM 136176]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2/9/2003 5:17 PM 26288]
S3 DCamUSBBVI;SiPix StyleCam BlinkII Dual Mode Camera;c:\windows\system32\Drivers\biomini.sys --> c:\windows\system32\Drivers\biomini.sys [?]
S3 DCamUSBGT892x;Digital Camera - PC Camera;c:\windows\system32\drivers\GT892xV.SYS [5/24/2003 7:07 AM 336504]
S3 DPIUSB;iRiver DataPlay Device;c:\windows\system32\drivers\DPIUSB.sys [1/11/2003 8:39 PM 26269]
S3 DPX;DPX;c:\windows\system32\drivers\DPX.sys [1/11/2003 8:39 PM 16370]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 2:51 PM 136176]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\DRIVERS\imhidusb.sys --> c:\windows\system32\DRIVERS\imhidusb.sys [?]
S3 iteio;iteio;\??\c:\windows\System32\drivers\iteio.sys --> c:\windows\System32\drivers\iteio.sys [?]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [3/29/2011 10:27 AM 91496]
S3 SaiH3509;SaiH3509;c:\windows\system32\drivers\SaiH3509.sys [6/4/2005 6:47 PM 55808]
S3 SaiU3509;SaiU3509;c:\windows\system32\drivers\SaiU3509.sys [6/4/2005 6:47 PM 19456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
*NewlyCreated* - MPKSLBFD00364
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
EventSystem REG_MULTI_SZ EventSystem
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:51]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:51]
.
2011-12-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank uInternet Settings,ProxyOverride = 127.0.0.1 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 Trusted Zone: bankofamerica.com TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 TCP: Interfaces\{2B7E6746-81CE-4F7F-88DA-7A5806C0F1CD}: NameServer = 8.8.8.8,8.8.4.4 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} FF - ProfilePath - c:\documents and settings\Tony.TOTORO\Application Data\Mozilla\Firefox\Profiles\oljaxy0t.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - about:blank . - - - - ORPHANS REMOVED - - - - . MSConfigStartUp-Steam - c:\documents and settings\All Users.WINDOWS\Documents\FileStorage\Steam\Steam.exe AddRemove-CdaC13Ba - c:\windows\CDAC13BA.EXE AddRemove-Steam App 500 - e:\steam\steam.exe AddRemove-Steam App 513 - e:\steam\steam.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-12-21 20:55 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . 
[HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\C*o*m*m*a*n*d* *&* *C*o*n*q*u*e*r* *3* *T*i*b*e*r*i*u*m* *W*a*r*s*"!\Support] "Order"=hex:08,00,00,00,02,00,00,00,8a,02,00,00,01,00,00,00,04,00,00,00,98,00, 00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\ . [HKEY_USERS\S-1-5-21-1645522239-1957994488-1343024091-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:a1,0b,2a,5a,1a,48,1b,75,ab,d6,21,90,60,d8,f8,fd,01,52,d5,31,0c,ff,7f, cc,a2,be,0a,06,12,3b,1c,39,a1,af,92,6f,33,e3,4b,89,76,16,19,54,08,ff,64,e2,\ "??"=hex:d2,8a,3d,7f,d6,ee,ff,ab,38,51,7b,8c,dc,d7,d2,0c . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(608) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll . - - - - - - - > 'explorer.exe'(1320) c:\windows\system32\WININET.dll c:\program files\Logitech\SetPoint\GameHook.dll c:\program files\Logitech\SetPoint\lgscroll.dll c:\documents and settings\Tony.TOTORO\Application Data\Dropbox\bin\DropboxExt.14.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe c:\windows\RTHDCPL.EXE c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe . ************************************************************************** . Completion time: 2011-12-21 21:04:39 - machine was rebooted ComboFix-quarantined-files.txt 2011-12-22 05:04 . Pre-Run: 481,695,330,304 bytes free Post-Run: 482,127,863,808 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn . - - End Of File - - CA282C992A8F5C434C41F8FB4455A0C0