GeeWhiz00
Honorary Members
Posts: 30
Reputation: 0 Neutral
  1. Thanks. If the computer is clean, why did I get the rootkit warning popups in the last CF scan? Are they caused by code remnants of the rootkits?
  2. Thought I had posted before, but don't see it now. Here's the MalwareBytes log:
     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org
     Database version: v2012.06.18.08
     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     aida :: ADMIN [administrator]
     6/18/2012 5:40:46 PM
     mbam-log-2012-06-18 (17-40-46).txt
     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 246770
     Time elapsed: 10 hour(s), 45 minute(s), 41 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
  3. Don't see anything unusual otherwise. Doing Malwarebytes scan now.
  4. ComboFix 12-06-16.02 - aida 06/18/2012 4:12.24.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.224 [GMT -4:00]
     Running from: c:\documents and settings\aida\Desktop\ComboFix.exe
     AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
     .
     .
     2012-06-16 19:23 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
     2012-06-07 23:14 . 2011-03-15 00:07 73216 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\components\windows\SCEFF4Client.dll
     2012-06-07 23:14 . 2010-11-30 00:56 72192 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\platform\WINNT_x86-msvc\components\SCEFF3Client.dll
     2012-06-07 23:13 . 2011-04-16 16:18 647168 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
     2012-06-07 23:13 . 2009-11-25 20:33 517632 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll
     2012-06-07 23:13 . 2008-09-21 06:30 1060864 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\lame_enc.dll
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-06-10 06:53 . 2012-04-09 17:56 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-06-10 06:53 . 2011-05-30 17:49 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-05-31 13:22 . 2002-09-23 22:10 599040 -c--a-w- c:\windows\system32\crypt32.dll
     2012-05-16 15:08 . 2006-06-23 18:33 916992 -c--a-w- c:\windows\system32\wininet.dll
     2012-05-15 13:20 . 2001-08-23 12:00 1863168 -c--a-w- c:\windows\system32\win32k.sys
     2012-05-11 14:42 . 2004-07-16 23:51 43520 -c----w- c:\windows\system32\licmgr10.dll
     2012-05-11 14:42 . 2004-07-16 23:49 1469440 -c----w- c:\windows\system32\inetcpl.cpl
     2012-05-11 11:38 . 2010-03-11 07:54 385024 -c----w- c:\windows\system32\html.iec
     2012-05-07 22:04 . 2001-08-23 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
     2012-05-04 13:12 . 2001-08-23 12:00 2192640 -c--a-w- c:\windows\system32\ntoskrnl.exe
     2012-05-04 12:32 . 2001-08-17 13:48 2069120 -c--a-w- c:\windows\system32\ntkrnlpa.exe
     2012-05-02 13:46 . 2003-09-16 07:19 139656 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
     2012-04-13 18:01 . 2012-03-25 17:34 102400 -c--a-w- c:\windows\RegBootClean.exe
     2012-04-11 17:55 . 2010-03-26 01:57 22032 -c--a-w- c:\windows\DCEBoot.exe
     2012-04-04 19:56 . 2009-01-17 20:38 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
     @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
     [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
     @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
     [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
     @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
     [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
     @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
     [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
     @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
     [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ZumoDrive"="c:\program files\Zecter\ZumoDrive\ZumoLauncher.lnk" [2010-04-17 1673]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
     "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
     "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Zecter\\ZumoDrive\\zumodrive.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=
     "c:\\WINDOWS\\system32\\ftp.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
     .
     R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [4/12/2010 9:28 PM 147416]
     R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
     R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
     R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
     R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
     R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
     R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [9/15/2003 7:06 PM 19016]
     S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/29/2007 4:30 PM 20160]
     S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
     S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2/5/2008 3:53 AM 44928]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 06:54]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
     TCP: DhcpNameServer = 10.0.0.1
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2012-06-18 04:56
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMDPCI]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\backupexecagentaccelerator]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cpqarry2]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LPDSVC]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw3x32]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmsveh]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SGHIDI]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trayman]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\utscsi]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vcomm]
     "ServiceDll"=""
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
     @Denied: (2) (LocalSystem)
     "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
     "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
     .
     Completion time: 2012-06-18 05:15:09
     ComboFix-quarantined-files.txt 2012-06-18 09:14
     ComboFix2.txt 2012-06-16 23:40
     ComboFix3.txt 2012-06-16 21:22
     ComboFix4.txt 2012-06-16 19:38
     ComboFix5.txt 2012-06-16 23:54
     .
     Pre-Run: 490,909,696 bytes free
     Post-Run: 512,507,904 bytes free
     .
     - - End Of File - - DEF85FA14DA8E03BAF6BC523F4567CF1
  5. SystemLook 30.07.11 by jpshortstuff
     Log created at 23:38 on 15/06/2012 by aida
     Administrator - Elevation successful
     ========== reg ==========
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
     "LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
     "NetworkService"="DnsCache"
     "netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc"
     "rpcss"="RpcSs"
     "imgsvc"="StiSvc"
     "termsvcs"="TermService"
     "eapsvcs"="eaphost"
     "dot3svc"="dot3svc"
     "HTTPFilter"="HTTPFilter"
     "DcomLaunch"="DcomLaunch TermService"
     "NecUsb3Sevic"="NecUsb3"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x0000000008 (8)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\dot3svc]
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\eapsvcs]
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "AuthenticationCapabilities"= 0x0000002000 (8192)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted]
     "DefaultRpcStackSize"= 0x0000000040 (64)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x000000001c (28)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\PCHealth]
     "CoInitializeSecurityParam"= 0x0000000002 (2)
     "AuthenticationCapabilities"= 0x0000000040 (64)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x0000000008 (8)
     -= EOF =-
  6. Yes, got the same warnings and had to reboot to complete the scan.
  7. ComboFix 12-06-13.05 - aida 06/14/2012 4:40.19.1 - x86
     Running from: c:\documents and settings\aida\Desktop\ComboFix.exe
     AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))
     .
     .
     2012-06-07 23:14 . 2011-03-15 00:07 73216 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\components\windows\SCEFF4Client.dll
     2012-06-07 23:14 . 2010-11-30 00:56 72192 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\platform\WINNT_x86-msvc\components\SCEFF3Client.dll
     2012-06-07 23:13 . 2011-04-16 16:18 647168 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
     2012-06-07 23:13 . 2009-11-25 20:33 517632 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll
     2012-06-07 23:13 . 2008-09-21 06:30 1060864 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\lame_enc.dll
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-06-10 06:53 . 2012-04-09 17:56 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-06-10 06:53 . 2011-05-30 17:49 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-05-31 13:22 . 2002-09-23 22:10 599040 -c--a-w- c:\windows\system32\crypt32.dll
     2012-05-07 22:04 . 2001-08-23 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
     2012-04-13 18:01 . 2012-03-25 17:34 102400 -c--a-w- c:\windows\RegBootClean.exe
     2012-04-11 17:55 . 2010-03-26 01:57 22032 -c--a-w- c:\windows\DCEBoot.exe
     2012-04-11 13:12 . 2001-08-23 12:00 1862272 -c--a-w- c:\windows\system32\win32k.sys
     2012-04-11 13:10 . 2001-08-23 12:00 2192640 -c--a-w- c:\windows\system32\ntoskrnl.exe
     2012-04-11 12:35 . 2001-08-17 13:48 2069120 -c--a-w- c:\windows\system32\ntkrnlpa.exe
     2012-04-04 19:56 . 2009-01-17 20:38 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
     @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
     [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
     @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
     [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
     @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
     [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
     @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
     [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
     @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
     [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
     2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ZumoDrive"="c:\program files\Zecter\ZumoDrive\ZumoLauncher.lnk" [2010-04-17 1673]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
     "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
     "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Zecter\\ZumoDrive\\zumodrive.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=
     "c:\\WINDOWS\\system32\\ftp.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
     .
     R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [4/12/2010 9:28 PM 147416]
     R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
     R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
     R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
     R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
     R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
     R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [9/15/2003 7:06 PM 19016]
     S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
     S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/29/2007 4:30 PM 20160]
     S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
     S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2/5/2008 3:53 AM 44928]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     NecUsb3Sevic REG_MULTI_SZ NecUsb3
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-06-14 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 06:54]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
     TCP: DhcpNameServer = 10.0.0.1
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2012-06-14 05:27
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMDPCI]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\backupexecagentaccelerator]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cpqarry2]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LPDSVC]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw3x32]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmsveh]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SGHIDI]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trayman]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\utscsi]
     "ServiceDll"=""
     .
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vcomm]
     "ServiceDll"=""
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
     @Denied: (2) (LocalSystem)
     "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
     "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
     .
     Completion time: 2012-06-14 05:49:38
     ComboFix-quarantined-files.txt 2012-06-14 09:49
     ComboFix2.txt 2012-06-14 07:48
     ComboFix3.txt 2012-06-05 16:41
     ComboFix4.txt 2012-06-05 00:17
     ComboFix5.txt 2012-06-14 07:59
     .
     Pre-Run: 351,731,712 bytes free
     Post-Run: 335,880,192 bytes free
     .
     - - End Of File - - E06E5132252F42B6CB5C53F61F76A26F
  8. SystemLook 30.07.11 by jpshortstuff
     Log created at 19:52 on 13/06/2012 by aida
     Administrator - Elevation successful
     ========== reg ==========
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
     "LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
     "NetworkService"="DnsCache"
     "netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman cpqarry2 backupexecagentaccelerator AMDPCI WinHttpAutoProxySvc pcx1unic LPDSVC mcpromgr mwlsvc tosrfusb CYGF32X dsncservice lpx anbmservice PSSdk23 v124 OsaFsLoc RR2Vbi db2licd spbbcsvc trayman adsexpb mfesmfk oracleservicelocalora emproxy websensepolicyserver clientservice vet-filt SRTSPL bdpredir s217unic nsm1bus QV2KUX hdaudaddservice bantext se59bus basfipm symfw wampmysqld emAudio se45mdfl CTEAPSFX.DLL RTL8023xp slimsvc xfactorae1 siside incdfs se45mdm REVO NVR0Dev co_mon TOSHIBASoftModem akshasp MaVctrl eSettingsService crystalinputfileserver slssvc cobbmservice sentinel McciCMService atinrvxx nmwcdcm zfdwm se27unic slip roxliveshare9 mcafeeframework genmcmn winpppoverethernet LVBulk amdppm UCTblHid CTERFXFX.DLL clisvc avinitnt CADlink SimpTcp appdrv pdlndqll ctxhttp usbbus elot
     "rpcss"="RpcSs"
     "imgsvc"="StiSvc"
     "termsvcs"="TermService"
     "eapsvcs"="eaphost"
     "dot3svc"="dot3svc"
     "HTTPFilter"="HTTPFilter"
     "DcomLaunch"="DcomLaunch TermService"
     "NecUsb3Sevic"="NecUsb3"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x0000000008 (8)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\dot3svc]
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\eapsvcs]
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "AuthenticationCapabilities"= 0x0000002000 (8192)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted]
     "DefaultRpcStackSize"= 0x0000000040 (64)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "AuthenticationCapabilities"= 0x0000003020 (12320)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x000000001c (28)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\PCHealth]
     "CoInitializeSecurityParam"= 0x0000000002 (2)
     "AuthenticationCapabilities"= 0x0000000040 (64)
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]
     "CoInitializeSecurityParam"= 0x0000000001 (1)
     "DefaultRpcStackSize"= 0x0000000008 (8)
     -= EOF =-
  9. I had internet access after running CF once this time. I had to run CF 4 times to restore internet access a few weeks ago.
  10. I'm attaching screenshots of 2 rootkit warnings I got when I ran CF.
  11. ComboFix 12-06-12.03 - aida 06/13/2012 3:27.16.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.300 [GMT -4:00] Running from: c:\documents and settings\aida\Desktop\ComboFix.exe AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393} . . ((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 ))))))))))))))))))))))))))))))) . . 2012-06-07 23:14 . 2011-03-15 00:07 73216 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\components\windows\SCEFF4Client.dll 2012-06-07 23:14 . 2010-11-30 00:56 72192 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\screencaptureelite@plugin\platform\WINNT_x86-msvc\components\SCEFF3Client.dll 2012-06-07 23:13 . 2009-11-25 20:33 517632 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll 2012-06-07 23:13 . 2008-09-21 06:30 1060864 -c--a-w- c:\program files\Mozilla Firefox\FirefoxPortableLegacy36\Data\profile\extensions\capturefoxmovie@advancity.net\components\lame_enc.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-10 06:53 . 2012-04-09 17:56 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-10 06:53 . 2011-05-30 17:49 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-05-31 13:22 . 2002-09-23 22:10 599040 -c--a-w- c:\windows\system32\crypt32.dll 2012-05-07 22:04 . 2001-08-23 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys 2012-04-13 18:01 . 2012-03-25 17:34 102400 -c--a-w- c:\windows\RegBootClean.exe 2012-04-11 17:55 . 2010-03-26 01:57 22032 -c--a-w- c:\windows\DCEBoot.exe 2012-04-11 13:12 . 2001-08-23 12:00 1862272 -c--a-w- c:\windows\system32\win32k.sys 2012-04-11 13:10 . 
2001-08-23 12:00 2192640 -c--a-w- c:\windows\system32\ntoskrnl.exe 2012-04-11 12:35 . 2001-08-17 13:48 2069120 -c--a-w- c:\windows\system32\ntkrnlpa.exe 2012-04-04 19:56 . 2009-01-17 20:38 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter] @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}" [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}] 2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter] @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}" [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}] 2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter] @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}" [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}] 2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter] @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}" [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}] 2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter] @="{855156F0-2A0F-11DE-8C30-0800200C9A66}" [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}] 2010-02-09 07:12 681472 -c--a-w- c:\program files\Zecter\ZumoDrive\ShellExt.dll . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZumoDrive"="c:\program files\Zecter\ZumoDrive\ZumoLauncher.lnk" [2010-04-17 1673] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952] "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392] "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848] . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Zecter\\ZumoDrive\\zumodrive.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= . R1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys [x] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe [2008-04-14 14336] R2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe [2008-04-14 14336] R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 257224] R3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [x] R3 SDTHOOK;SDTHOOK;c:\windows\system32\DRIVERS\SDTHOOK.sys [2007-06-05 44928] R3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2008-04-14 14336] R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 
4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2010-04-16 147416] S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 129928] S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-04-30 136448] S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-05-27 141384] S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-04-30 97032] S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-04-30 111624] S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-05-12 110920] S3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\KTC111.SYS [2001-08-17 19016] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - IPHLPSVC . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] NecUsb3Sevic REG_MULTI_SZ NecUsb3 . 
NETSVCS REQUIRES REPAIRS - current entries shown
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility
HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc
NWCWorkstation Nwsapagent Rasauto Rasman cpqarry2 backupexecagentaccelerator AMDPCI WinHttpAutoProxySvc pcx1unic LPDSVC
mcpromgr mwlsvc tosrfusb CYGF32X dsncservice lpx anbmservice PSSdk23 v124 OsaFsLoc
RR2Vbi db2licd spbbcsvc trayman adsexpb mfesmfk oracleservicelocalora emproxy websensepolicyserver clientservice
vet-filt SRTSPL bdpredir s217unic nsm1bus QV2KUX hdaudaddservice bantext se59bus basfipm
symfw wampmysqld emAudio se45mdfl CTEAPSFX.DLL RTL8023xp slimsvc xfactorae1 siside incdfs
se45mdm REVO NVR0Dev co_mon TOSHIBASoftModem akshasp MaVctrl eSettingsService crystalinputfileserver slssvc
cobbmservice sentinel McciCMService atinrvxx nmwcdcm zfdwm se27unic slip roxliveshare9 mcafeeframework
genmcmn winpppoverethernet LVBulk amdppm UCTblHid CTERFXFX.DLL clisvc avinitnt CADlink SimpTcp
appdrv pdlndqll ctxhttp usbbus elotouchscreen sfvfs02 Blfp L8042Kbd savrt sqlagent$sony_mediamgr
hmonitor SrvcSSIOMngr zebrsce ctac32k appnnode SE26mdm rppkt ufdsvc StkScan GoogleDesktopManager-010708-104812
viaudio marvinbus adminserver personalsecuredriveservice rtl8023 TestHandler cccredmgr SiS300i padfsvr mcrdsvc
ATIBTCAP ptserial antivirservice hap16v2k AN983 avipbb StillCam npkcmsvc mohfilt pnarp
iviVD snac mssql$sony_mediamgr hsfhwazl AcronisOSSReinstallSvc MREMPR5 dptrackerd Nsynas32 pacsptisvr tandpl
smservaz UsbDiag NWDNS dlaboiom carboniteservice rnadiagreceiver servidor nsvcip tb2launch acrotray
dnetc bthenum Afc qserver DSI_SiUSBXp_3_1 ino_flpy crystaloutputfileserver webrootspysweeperservice SGHIDI SE2Bmdfl
w200mdfl imagesrv ELmou SISNICXP macformatservice nv WDM_YAMAHAAC97 p2pimsvc AFGMp50 ser2plms
GTWModem zumbus icdsptsv protexislicensing acrsch2svc vcomm NETw3x32 pmsveh utscsi Remoteaccess
Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC
Wmi WmdmPmSp winmgmt TermService wuauserv BITS ShellHWDetection helpsvc Ip6FwHlp WmdmPmSN
napagent hkmsvc xmlprov wscsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 06:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-13 04:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMDPCI]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\backupexecagentaccelerator]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cpqarry2]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LPDSVC]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw3x32]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmsveh]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SGHIDI]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trayman]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\utscsi]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vcomm]
"ServiceDll"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,bf,6d,df,a7,6c,2f,45,bf,f4,3e,\
.
Completion time: 2012-06-13 04:35:46
ComboFix-quarantined-files.txt 2012-06-13 08:35
ComboFix2.txt 2012-06-05 16:41
ComboFix3.txt 2012-06-05 00:17
ComboFix4.txt 2012-06-04 22:14
ComboFix5.txt 2012-06-13 06:58
.
Pre-Run: 430,927,872 bytes free
Post-Run: 454,193,152 bytes free
.
- - End Of File - - 8531EA6CE2BC31D383B2D8DADE98E3EE
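Three things in the ComboFix log above are worth pulling out mechanically when reviewing a log like this: the netsvcs group that ComboFix flags as needing repair holds hundreds of names a stock XP box would not have, ten of those names are dumped at the end with an empty ServiceDll (a svchost-hosted service with no DLL recorded), and the standard-profile firewall shows EnableFirewall = 0. The checker below is an added example, not ComboFix, Malwarebytes or the poster's code. It parses a ComboFix-style excerpt (a constructed one modelled on the log above, not the real log) and reports those three findings. The XP SP3 netsvcs baseline embedded in it is the example's own assumption and should be confirmed against a known-clean machine of the same build before anyone acts on a "unexpected" result.

```python
import json
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the ComboFix log above; it is NOT the real log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4 AppMgmt AudioSrv Browser CryptSvc cpqarry2 backupexecagentaccelerator AMDPCI
trayman NETw3x32 Remoteaccess Schedule Seclogon wscsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AMDPCI]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cpqarry2]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trayman]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
"""

# ASSUMED baseline: the netsvcs group of a stock Windows XP SP3 install.
# Confirm it against a known-clean machine of the same build before relying on it.
XP_SP3_NETSVCS_BASELINE: Set[str] = {name.lower() for name in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt TermService
wuauserv BITS ShellHWDetection helpsvc Ip6FwHlp WmdmPmSN napagent hkmsvc
xmlprov wscsvc
""".split()}

NETSVCS_HEADER = "NETSVCS REQUIRES REPAIRS"
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\\]]+)\]$", re.I)
EMPTY_SERVICEDLL_RE = re.compile(r'^"ServiceDll"\s*=\s*""\s*$', re.I)
FIREWALL_KEY_RE = re.compile(r"firewallpolicy\\standardprofile\]$", re.I)
ENABLE_FIREWALL_ZERO_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)


def parse_netsvcs(log: str) -> List[str]:
    """Return the names listed after the NETSVCS header.

    Names are collected from every line after the header up to the next '.'
    separator, so a list that is wrapped over several lines is handled too.
    """
    entries: List[str] = []
    collecting = False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.startswith(NETSVCS_HEADER):
            collecting = True
            continue
        if collecting:
            if stripped == ".":
                break
            if stripped:
                entries.extend(stripped.split())
    return entries


def parse_empty_servicedll(log: str) -> Set[str]:
    """Return (lower-cased) service names whose dumped ServiceDll value is empty."""
    current = None
    empty: Set[str] = set()
    for line in log.splitlines():
        stripped = line.strip()
        match = SERVICE_KEY_RE.match(stripped)
        if match:
            current = match.group(1).lower()
            continue
        if stripped == ".":
            current = None
            continue
        if current and EMPTY_SERVICEDLL_RE.match(stripped):
            empty.add(current)
    return empty


def firewall_disabled(log: str) -> bool:
    """True if the standard-profile firewall key carries EnableFirewall = 0."""
    in_key = False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_key = bool(FIREWALL_KEY_RE.search(stripped))
            continue
        if in_key and ENABLE_FIREWALL_ZERO_RE.match(stripped):
            return True
    return False


def analyze(log: str, baseline: Set[str] = XP_SP3_NETSVCS_BASELINE) -> Dict[str, object]:
    """Cross-reference the netsvcs list against the baseline and the ServiceDll dump."""
    netsvcs = [name.lower() for name in parse_netsvcs(log)]
    empty = parse_empty_servicedll(log)
    return {
        "firewall_disabled": firewall_disabled(log),
        "netsvcs_count": len(netsvcs),
        # Group members the assumed stock-XP baseline does not contain.
        "unexpected_netsvcs": sorted(set(netsvcs) - baseline),
        # Group members svchost is told to host but that name no DLL to load.
        "netsvcs_with_empty_servicedll": sorted(set(netsvcs) & empty),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents. The output lists which netsvcs members fall outside the baseline and which of those have no ServiceDll at all; in the real log above the empty-ServiceDll names (AMDPCI, cpqarry2, trayman and the rest) are all in the non-baseline block of the list, which is the part worth asking the helper about.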
  12. Neither I nor Malwarebytes has seen any problems for several weeks. The only reason I'm concerned is that ComboFix had reported rootkit activity the last time it ran and had to reboot. There continued to be a notice saying something about the rootkit having inserted itself into the tcp/ip stack and being difficult to deal with. Does this mean that the rootkit is beyond the reach of most antimalware tools?
  13. Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.10.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
aida :: ADMIN [administrator]
6/10/2012 2:55:49 AM
mbam-log-2012-06-10 (02-55-49).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245076
Time elapsed: 11 hour(s), 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
  14. I updated Malwarebytes and started scanning. I'll post the log after it's finished.