_willow_

Members
  • Posts

    9
  1. Mr. C, the RogueKiller found 2 objects. However, I'm ignoring that and only posting the RK log, as instructed:

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 10/18/2012 20:37:41

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDS728080PLAT20 +++++
--- User ---
[MBR] 25b6f7f00ee924d129722e33c877ea12
[bSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
  2. Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.19.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: SR1602HM [administrator]

10/18/2012 7:39:15 PM
mbam-log-2012-10-18 (19-39-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197548
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  3. Chin Up & Carry On with cleanup is my decision. I'm rolling with you, Mr. C. I will reformat and reinstall the OS once scrubbed. The amount of cash a hacker could get from my hippy credit card should disabuse them of any lofty notions. Combofix txt:

ComboFix 12-10-18.03 - User 10/18/2012 9:55.1.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\857806u6a536h330w210q4bgt1u2
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\windows\system\system32
c:\windows\system\system32\Drivers\kbcam.inf
c:\windows\system\system32\Drivers\kbcam.sys
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
.
.
((((((((((((((((((((((((( Files Created from 2012-09-18 to 2012-10-18 )))))))))))))))))))))))))))))))
.
.
2012-10-18 03:55 . 2012-10-18 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-11 14:29 . 2012-10-11 14:29 -------- d-----w- C:\9cade25de7a102557e66b6a177
2012-10-11 13:57 . 2012-09-07 23:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-11 13:52 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-10-11 13:36 . 2012-10-11 13:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-10 22:56 . 2012-10-11 13:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-09 02:19 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-09 02:08 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-10-03 23:28 . 2012-10-03 23:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-10-03 23:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-10-03 23:23 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-10-03 23:23 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-10-03 23:20 . 2003-04-21 21:18 77824 ----a-r- c:\windows\system32\nvuenet.exe
2012-10-03 23:20 . 2003-04-21 21:18 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys
2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\HP
2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\Hewlett-Packard
2012-10-03 22:15 . 2012-10-03 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2012-10-03 20:19 . 2011-03-30 06:22 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys
2012-10-03 20:18 . 2007-11-06 19:22 34064 ----a-r- c:\windows\system32\drivers\npf.sys
2012-10-03 19:52 . 2004-08-04 04:31 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2012-10-03 19:52 . 2004-08-04 04:31 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys
2012-10-03 19:14 . 2012-10-11 13:36 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-18 03:56 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-10-11 14:14 . 2012-03-31 13:31 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-11 14:14 . 2011-07-15 21:50 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 20:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-01-16 08:12 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/11/2012 7:57 AM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/11/2012 7:57 AM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/11/2012 7:57 AM 22856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 7:31 AM 250808]
S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [12/11/2008 5:15 AM 16384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [10/3/2012 1:52 PM 32384]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [10/3/2012 2:19 PM 1034240]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
scramby
arrayssl_vpn_service3,0,1,9
nmwcdc
icm10blk
acedrv07
IFP700
pimsgss
ilicensesvc
knobserv
tapvpn
pmem
obvious
A4S2600
SiSRaid2
WINFLASH
mbackmonitor
FireTDI
rtm
ofcservice
MSMQ
tmcomm
tmmbd
pdengine
eliservice
trufos
papyjoy
avc
ultra66
RTLE8023xp
mssql$microsoftsmlbiz
siswlsvc
Cardex
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 14:14]
.
2012-10-18 c:\windows\Tasks\User_Feed_Synchronization-{F016FBAB-93A5-4668-BF1E-65AB09A30CE6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: thejamcam.com\www
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-AtiExtEvent - (no file)
Notify-NavLogon - (no file)
SafeBoot-30164547.sys
SafeBoot-54314066.sys
SafeBoot-61403485.sys
SafeBoot-82675482.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-18 10:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1078081533-1482476501-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2012-10-18 10:09:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-18 16:08
.
Pre-Run: 70,938,075,136 bytes free
Post-Run: 71,050,035,200 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 39DFD4AB0469DD787C14EFADD64F3AB9
  4. TDSSKiller.2.8.13.0_17.10.2012_21.51.39_log.txt

Above is large Log #2, as an attachment. Below, Log #3:

21:57:32.0359 0580 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
21:57:32.0953 0580 ============================================================
21:57:32.0953 0580 Current date / time: 2012/10/17 21:57:32.0953
21:57:32.0953 0580 SystemInfo:
21:57:32.0953 0580
21:57:32.0953 0580 OS Version: 5.1.2600 ServicePack: 3.0
21:57:32.0953 0580 Product type: Workstation
21:57:32.0953 0580 ComputerName: SR1602HM
21:57:32.0953 0580 UserName: User
21:57:32.0953 0580 Windows directory: C:\WINDOWS
21:57:32.0953 0580 System windows directory: C:\WINDOWS
21:57:32.0953 0580 Processor architecture: Intel x86
21:57:32.0953 0580 Number of processors: 1
21:57:32.0953 0580 Page size: 0x1000
21:57:32.0953 0580 Boot type: Normal boot
21:57:32.0953 0580 ============================================================
21:57:36.0875 0580 BG loaded
21:57:37.0312 0580 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:57:37.0359 0580 ============================================================
21:57:37.0359 0580 \Device\Harddisk0\DR0:
21:57:37.0359 0580 MBR partitions:
21:57:37.0359 0580 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
21:57:37.0359 0580 ============================================================
21:57:37.0406 0580 C: <-> \Device\Harddisk0\DR0\Partition1
21:57:37.0515 0580 ============================================================
21:57:37.0515 0580 Initialize success
21:57:37.0515 0580 ============================================================
  5. 21:41:13.0359 0740 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
21:41:13.0828 0740 ============================================================
21:41:13.0828 0740 Current date / time: 2012/10/17 21:41:13.0828
21:41:13.0828 0740 SystemInfo:
21:41:13.0828 0740
21:41:13.0828 0740 OS Version: 5.1.2600 ServicePack: 3.0
21:41:13.0828 0740 Product type: Workstation
21:41:13.0828 0740 ComputerName: SR1602HM
21:41:13.0828 0740 UserName: User
21:41:13.0828 0740 Windows directory: C:\WINDOWS
21:41:13.0828 0740 System windows directory: C:\WINDOWS
21:41:13.0828 0740 Processor architecture: Intel x86
21:41:13.0828 0740 Number of processors: 1
21:41:13.0828 0740 Page size: 0x1000
21:41:13.0828 0740 Boot type: Normal boot
21:41:13.0828 0740 ============================================================
21:41:16.0406 0740 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:41:16.0421 0740 ============================================================
21:41:16.0421 0740 \Device\Harddisk0\DR0:
21:41:16.0421 0740 MBR partitions:
21:41:16.0421 0740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
21:41:16.0421 0740 ============================================================
21:41:16.0468 0740 C: <-> \Device\Harddisk0\DR0\Partition1
21:41:16.0515 0740 ============================================================
21:41:16.0515 0740 Initialize success
21:41:16.0515 0740 ============================================================
21:42:28.0406 0908 Deinitialize success
  6. Mr. Charlie, I am humbled by the fumble with the messaging font. Thank you for your patience. On a positive note: thanks to your instruction, I'm looking pretty good over here. First, the ListParts log:

ListParts by Farbar Version: 16-10-2012
Ran by User (administrator) on 17-10-2012 at 21:24:08
Windows XP (X86)
Running From: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\5800MX3B
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 94%
Total physical RAM: 447.36 MB
Available physical RAM: 24.14 MB
Total Pagefile: 722.53 MB
Available Pagefile: 365.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.08 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.52 GB) (Free:66.17 GB) NTFS ==>[Drive with boot components (Windows XP)]

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        75 GB      0 B

Partitions of Disk 0:
===============
The disk management services could not complete the operation.

======================================================================================================

****** End Of Log ******
  7. Zipfile success!

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 10/17/2012 10:44:49

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDS728080PLAT20 +++++
--- User ---
[MBR] 25b6f7f00ee924d129722e33c877ea12
[bSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
  8. Hi Mr. Charlie. What a comfort it is to co-pilot with a deity. I'm unable to download the roguekiller. A popup states that it is not a valid Win32 application. I have exited my malwarebytes program & have no known programs running when I attempt to download, however I do have a USB optical mouse, no other USBs or externals connected.
  9. I have a ping.exe popup about every 100 seconds. MalwareBytes detects 2 rootkits in \System Volume Information\ but only when I ran the scan in safe mode. Disinfect did not last. I do not have audio. It prevents me from installing Microsoft Security Essentials, and does not allow me to look at my firewall. However, I can see I have a firewall by moving about in safe mode. Attached is my DDS text. Thank you for helping me! ~willow~

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User at 23:40:05 on 2012-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.38 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{18858CE0-7C46-4096-94BA-2794DAD47486} : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{A6C89752-2FA4-4916-B0BE-03494BD3880D} : DHCPNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{B4139F04-C7AE-4233-B996-227482E15FB1} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: AtiExtEvent - <no file>
Notify: NavLogon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-11 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-11 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-11 22856]
S2 ofcservice;Ccpwdsvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 250808]
S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [2008-12-11 16384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2012-10-3 32384]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [2012-10-3 1034240]
.
=============== Created Last 30 ================
.
2012-10-11 14:29:36 -------- d-----w- C:\9cade25de7a102557e66b6a177
2012-10-11 13:57:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-11 13:52:25 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-10 22:56:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-09 02:19:38 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-09 02:08:49 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-10-03 23:23:19 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-10-03 23:23:17 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-10-03 23:23:17 3072 ------w- c:\windows\system32\iacenc.dll
2012-10-03 23:20:21 77824 ----a-r- c:\windows\system32\nvuenet.exe
2012-10-03 23:20:21 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys
2012-10-03 23:14:59 -------- d-----w- c:\program files\HP
2012-10-03 22:15:56 -------- d-----w- c:\documents and settings\all users\application data\Geek Squad
2012-10-03 20:19:04 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys
2012-10-03 20:18:23 88696 ----a-r- c:\windows\system32\packet.dll
2012-10-03 20:18:23 68224 ----a-r- c:\windows\system32\WanPacket.dll
2012-10-03 20:18:23 53299 ----a-r- c:\windows\system32\pthreadVC.dll
2012-10-03 20:18:23 34064 ----a-r- c:\windows\system32\drivers\npf.sys
2012-10-03 20:18:23 240248 ----a-r- c:\windows\system32\wpcap.dll
2012-10-03 19:52:51 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2012-10-03 19:52:51 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys
.
==================== Find3M ====================
.
2012-10-17 00:04:29 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-10-11 14:14:08 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 14:14:08 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
.
============= FINISH: 23:41:22.95 ===============