Posts posted by _willow_
-
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.10.19.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: SR1602HM [administrator]
10/18/2012 7:39:15 PM
mbam-log-2012-10-18 (19-39-15).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197548
Time elapsed: 5 minute(s), 25 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Chin up & carry on with cleanup is my decision. I'm rolling with you, Mr. C.
I will reformat and reinstall the OS once scrubbed.
The amount of cash a hacker could get from my hippy credit card should disabuse them of any lofty notions.
ComboFix txt:
ComboFix 12-10-18.03 - User 10/18/2012 9:55.1.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\857806u6a536h330w210q4bgt1u2
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\windows\system\system32
c:\windows\system\system32\Drivers\kbcam.inf
c:\windows\system\system32\Drivers\kbcam.sys
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
.
.
((((((((((((((((((((((((( Files Created from 2012-09-18 to 2012-10-18 )))))))))))))))))))))))))))))))
.
.
2012-10-18 03:55 . 2012-10-18 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-11 14:29 . 2012-10-11 14:29 -------- d-----w- C:\9cade25de7a102557e66b6a177
2012-10-11 13:57 . 2012-09-07 23:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-11 13:52 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-10-11 13:36 . 2012-10-11 13:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-10 22:56 . 2012-10-11 13:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-09 02:19 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-09 02:08 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-10-03 23:28 . 2012-10-03 23:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-10-03 23:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-10-03 23:23 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-10-03 23:23 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-10-03 23:20 . 2003-04-21 21:18 77824 ----a-r- c:\windows\system32\nvuenet.exe
2012-10-03 23:20 . 2003-04-21 21:18 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys
2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\HP
2012-10-03 23:14 . 2012-10-03 23:14 -------- d-----w- c:\program files\Hewlett-Packard
2012-10-03 22:15 . 2012-10-03 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2012-10-03 20:19 . 2011-03-30 06:22 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys
2012-10-03 20:18 . 2007-11-06 19:22 34064 ----a-r- c:\windows\system32\drivers\npf.sys
2012-10-03 19:52 . 2004-08-04 04:31 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2012-10-03 19:52 . 2004-08-04 04:31 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys
2012-10-03 19:14 . 2012-10-11 13:36 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-18 03:56 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-10-11 14:14 . 2012-03-31 13:31 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-11 14:14 . 2011-07-15 21:50 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 20:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-01-16 08:12 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/11/2012 7:57 AM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/11/2012 7:57 AM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/11/2012 7:57 AM 22856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 7:31 AM 250808]
S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [12/11/2008 5:15 AM 16384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [10/3/2012 1:52 PM 32384]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [10/3/2012 2:19 PM 1034240]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
scramby
arrayssl_vpn_service3,0,1,9
nmwcdc
icm10blk
acedrv07
IFP700
pimsgss
ilicensesvc
knobserv
tapvpn
pmem
obvious
A4S2600
SiSRaid2
WINFLASH
mbackmonitor
FireTDI
rtm
ofcservice
MSMQ
tmcomm
tmmbd
pdengine
eliservice
trufos
papyjoy
avc
ultra66
RTLE8023xp
mssql$microsoftsmlbiz
siswlsvc
Cardex
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 14:14]
.
2012-10-18 c:\windows\Tasks\User_Feed_Synchronization-{F016FBAB-93A5-4668-BF1E-65AB09A30CE6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: thejamcam.com\www
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-AtiExtEvent - (no file)
Notify-NavLogon - (no file)
SafeBoot-30164547.sys
SafeBoot-54314066.sys
SafeBoot-61403485.sys
SafeBoot-82675482.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-18 10:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1078081533-1482476501-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2012-10-18 10:09:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-18 16:08
.
Pre-Run: 70,938,075,136 bytes free
Post-Run: 71,050,035,200 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 39DFD4AB0469DD787C14EFADD64F3AB9
-
TDSSKiller.2.8.13.0_17.10.2012_21.51.39_log.txt
Above is large Log #2, as an attachment.
Below, Log #3:
21:57:32.0359 0580 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
21:57:32.0953 0580 ============================================================
21:57:32.0953 0580 Current date / time: 2012/10/17 21:57:32.0953
21:57:32.0953 0580 SystemInfo:
21:57:32.0953 0580
21:57:32.0953 0580 OS Version: 5.1.2600 ServicePack: 3.0
21:57:32.0953 0580 Product type: Workstation
21:57:32.0953 0580 ComputerName: SR1602HM
21:57:32.0953 0580 UserName: User
21:57:32.0953 0580 Windows directory: C:\WINDOWS
21:57:32.0953 0580 System windows directory: C:\WINDOWS
21:57:32.0953 0580 Processor architecture: Intel x86
21:57:32.0953 0580 Number of processors: 1
21:57:32.0953 0580 Page size: 0x1000
21:57:32.0953 0580 Boot type: Normal boot
21:57:32.0953 0580 ============================================================
21:57:36.0875 0580 BG loaded
21:57:37.0312 0580 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:57:37.0359 0580 ============================================================
21:57:37.0359 0580 \Device\Harddisk0\DR0:
21:57:37.0359 0580 MBR partitions:
21:57:37.0359 0580 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
21:57:37.0359 0580 ============================================================
21:57:37.0406 0580 C: <-> \Device\Harddisk0\DR0\Partition1
21:57:37.0515 0580 ============================================================
21:57:37.0515 0580 Initialize success
21:57:37.0515 0580 ============================================================
-
21:41:13.0359 0740 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
21:41:13.0828 0740 ============================================================
21:41:13.0828 0740 Current date / time: 2012/10/17 21:41:13.0828
21:41:13.0828 0740 SystemInfo:
21:41:13.0828 0740
21:41:13.0828 0740 OS Version: 5.1.2600 ServicePack: 3.0
21:41:13.0828 0740 Product type: Workstation
21:41:13.0828 0740 ComputerName: SR1602HM
21:41:13.0828 0740 UserName: User
21:41:13.0828 0740 Windows directory: C:\WINDOWS
21:41:13.0828 0740 System windows directory: C:\WINDOWS
21:41:13.0828 0740 Processor architecture: Intel x86
21:41:13.0828 0740 Number of processors: 1
21:41:13.0828 0740 Page size: 0x1000
21:41:13.0828 0740 Boot type: Normal boot
21:41:13.0828 0740 ============================================================
21:41:16.0406 0740 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:41:16.0421 0740 ============================================================
21:41:16.0421 0740 \Device\Harddisk0\DR0:
21:41:16.0421 0740 MBR partitions:
21:41:16.0421 0740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
21:41:16.0421 0740 ============================================================
21:41:16.0468 0740 C: <-> \Device\Harddisk0\DR0\Partition1
21:41:16.0515 0740 ============================================================
21:41:16.0515 0740 Initialize success
21:41:16.0515 0740 ============================================================
21:42:28.0406 0908 Deinitialize success
-
Mr. Charlie, I am humbled by the fumble with the messaging font. Thank you for your patience.
On a positive note: Thanks to your instruction, I'm looking pretty good over here.
First, the Listparts log:
ListParts by Farbar Version: 16-10-2012
Ran by User (administrator) on 17-10-2012 at 21:24:08
Windows XP (X86)
Running From: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\5800MX3B
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 94%
Total physical RAM: 447.36 MB
Available physical RAM: 24.14 MB
Total Pagefile: 722.53 MB
Available Pagefile: 365.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.08 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:74.52 GB) (Free:66.17 GB) NTFS ==>[Drive with boot components (Windows XP)]
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B
Partitions of Disk 0:
===============
The disk management services could not complete the operation.
======================================================================================================
****** End Of Log ******
-
Zipfile success!
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 10/17/2012 10:44:49
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDS728080PLAT20 +++++
--- User ---
[MBR] 25b6f7f00ee924d129722e33c877ea12
[bSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
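The RogueKiller "MBR Check" above prints a hash for the MBR, the boot-code identification ("Windows XP MBR Code") and the partition table (one active NTFS partition at sector 63, 76308 Mo), and the TDSSKiller logs print the same partition as Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1. The following is an added example, not part of the thread and not RogueKiller's or TDSSKiller's own code, showing what those lines are derived from: it parses a 512-byte MBR, reports the partition entries in the units both tools use, and hashes the 440-byte boot-code region so that a later run can be compared against a baseline. The MBR bytes are constructed for illustration (zero-filled boot code); only the partition geometry is taken from the logs. RogueKiller prints 32-hex-digit hashes, which is consistent with MD5, but exactly which bytes it hashes is an assumption here.

```python
# Added example (not from the original thread): parse a 512-byte MBR the way
# RogueKiller's "MBR Check" and TDSSKiller's "MBR partitions" lines summarise it.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: x86 boot code, the part a bootkit replaces
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"    # bytes 510..511


def build_test_mbr(boot_code=None):
    """CONSTRUCTED sample MBR: filler boot code plus one NTFS entry matching the
    thread's logs (type 0x07, start LBA 0x3F, 0x950A5C1 sectors). Not a real image."""
    if boot_code is None:
        boot_code = bytes(BOOT_CODE_LEN)
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    disk_sig = bytes(6)    # 4-byte NT disk signature + 2 reserved bytes
    # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 0x3F, 0x950A5C1)
    table = entry + bytes(16 * 3)          # remaining three slots empty
    return boot_code + disk_sig + table + SIGNATURE


def parse_mbr(mbr):
    """Return signature status, boot-code MD5 and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    result = {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue                        # empty slot
        size_bytes = sectors * SECTOR
        result["partitions"].append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": sectors,
            "size_mib": size_bytes // (1024 * 1024),          # RogueKiller "Size: ... Mo"
            "size_gib": round(size_bytes / (1024 ** 3), 2),   # ListParts "Total: ... GB"
        })
    return result


def boot_code_changed(baseline_mbr, current_mbr):
    """True when the 440-byte boot code differs; this is what a changed [MBR] hash signals."""
    return parse_mbr(baseline_mbr)["boot_code_md5"] != parse_mbr(current_mbr)["boot_code_md5"]


if __name__ == "__main__":
    mbr = build_test_mbr()
    info = parse_mbr(mbr)
    print("signature ok:", info["signature_ok"], "boot code md5:", info["boot_code_md5"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} active={p['active']} "
              f"start LBA {p['start_lba']} sectors 0x{p['sectors']:X} "
              f"size {p['size_mib']} MiB ({p['size_gib']} GiB)")
    # Patch one byte of boot code and show the hash comparison catching it.
    patched = build_test_mbr(b"\xEB" + bytes(BOOT_CODE_LEN - 1))
    print("boot code changed after patch:", boot_code_changed(mbr, patched))
```

On a live system the first 512 bytes of `\\.\PhysicalDrive0` (administrator rights required) are the input; the point of keeping the boot-code hash from a clean run is that a bootkit changes those 440 bytes while leaving the partition table, and therefore Windows, fully working.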
-
Hi Mr. Charlie. What a comfort it is to co-pilot with a deity.
I'm unable to download the RogueKiller.
A popup states that it is not a valid Win32 application.
I have exited my Malwarebytes program & have no known programs running when I attempt to download; however, I do have a USB optical mouse, no other USBs or externals connected.
-
I have a ping.exe popup about every 100 seconds.
Malwarebytes detects 2 rootkits in \System Volume Information\, but only when I run the scan in safe mode.
Disinfect did not last. I do not have audio.
It prevents me from installing Microsoft Security Essentials and does not allow me to look at my firewall. However, I can see I have a firewall by moving about in safe mode.
Attached is my DDS text. Thank you for helping me! ~willow~
DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User at 23:40:05 on 2012-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.38 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{18858CE0-7C46-4096-94BA-2794DAD47486} : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{A6C89752-2FA4-4916-B0BE-03494BD3880D} : DHCPNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{B4139F04-C7AE-4233-B996-227482E15FB1} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: AtiExtEvent - <no file>
Notify: NavLogon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-11 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-11 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-11 22856]
S2 ofcservice;Ccpwdsvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 250808]
S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [2008-12-11 16384]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2012-10-3 32384]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [2012-10-3 1034240]
.
=============== Created Last 30 ================
.
2012-10-11 14:29:36 -------- d-----w- C:\9cade25de7a102557e66b6a177
2012-10-11 13:57:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-11 13:52:25 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-11 13:36:09 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-10 22:56:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-09 02:19:38 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-09 02:08:49 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-10-03 23:23:19 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-10-03 23:23:17 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-10-03 23:23:17 3072 ------w- c:\windows\system32\iacenc.dll
2012-10-03 23:20:21 77824 ----a-r- c:\windows\system32\nvuenet.exe
2012-10-03 23:20:21 54784 ----a-r- c:\windows\system32\drivers\NVENET.sys
2012-10-03 23:14:59 -------- d-----w- c:\program files\HP
2012-10-03 22:15:56 -------- d-----w- c:\documents and settings\all users\application data\Geek Squad
2012-10-03 20:19:04 1034240 ----a-r- c:\windows\system32\drivers\AE2500xp.sys
2012-10-03 20:18:23 88696 ----a-r- c:\windows\system32\packet.dll
2012-10-03 20:18:23 68224 ----a-r- c:\windows\system32\WanPacket.dll
2012-10-03 20:18:23 53299 ----a-r- c:\windows\system32\pthreadVC.dll
2012-10-03 20:18:23 34064 ----a-r- c:\windows\system32\drivers\npf.sys
2012-10-03 20:18:23 240248 ----a-r- c:\windows\system32\wpcap.dll
2012-10-03 19:52:51 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2012-10-03 19:52:51 32384 ----a-w- c:\windows\system32\drivers\usb101et.sys
.
==================== Find3M ====================
.
2012-10-17 00:04:29 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-10-11 14:14:08 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 14:14:08 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
.
============= FINISH: 23:41:22.95 ===============
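Two places in these logs describe the same thing from different angles: the Svchost NetSvcs list in the ComboFix log (the service names allowed to run inside the `svchost.exe -k netsvcs` instance) and the DDS service line `S2 ofcservice;Ccpwdsvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]`. For a svchost-hosted service the log line shows svchost.exe and svchost's own timestamp, not the DLL that actually runs, which lives in `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll`. The following is an added example, not part of the thread and not code from DDS, ComboFix or RogueKiller, that parses service lines in the DDS/ComboFix format (`<R|S><start type> <name>;<display>;<path> [<stamp>]`, where R is running, S is stopped, and the digit is the start type: 2 auto, 3 manual, 4 disabled) and cross-references them with a NetSvcs list. The sample lines are copied from the logs above; the NetSvcs subset is a constructed excerpt of the ComboFix listing. A name with no service line only means the log did not show it, since these tools print a filtered subset of services, so that finding is a list to look up, not a verdict.

```python
# Added example (not from the original thread): triage DDS/ComboFix service lines
# against the Svchost NetSvcs group list.
import re

# <R|S><start type> <name>;<display name>;<image path> [<stamp>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

# Sample lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-11 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-11 22856]
S2 ofcservice;Ccpwdsvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 KBCAM;JamC@m USB service;c:\windows\system32\drivers\KBCAM.sys [2008-12-11 16384]
"""

# Constructed excerpt of the ComboFix "Svchost - NetSvcs" listing above.
SAMPLE_NETSVCS = ["scramby", "tapvpn", "obvious", "ofcservice", "tmcomm", "trufos", "MSMQ"]


def parse_service_lines(text):
    """Parse every line that matches the DDS/ComboFix service format into a dict."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["start"] = int(rec["start"])
        host = SVCHOST_RE.search(rec["path"])
        # For svchost-hosted services the real code is the ServiceDll, not this path.
        rec["svchost_group"] = host.group("group").lower() if host else None
        services.append(rec)
    return services


def triage(services, netsvcs_list):
    """Return (name, reason) pairs worth a manual look:
    - services hosted by svchost (the log line does not show the DLL that runs),
    - auto-start services that are not running,
    - NetSvcs names with no service line in the log (look them up in the registry)."""
    by_name = {s["name"].lower(): s for s in services}
    findings = []
    for s in services:
        if s["svchost_group"]:
            findings.append((s["name"],
                             f"hosted by svchost -k {s['svchost_group']}; inspect its ServiceDll"))
        if s["start"] == 2 and s["state"] == "S":
            findings.append((s["name"], "start type auto but not running"))
    for name in netsvcs_list:
        if name.lower() not in by_name:
            findings.append((name, "listed in Svchost NetSvcs but no service line in this log"))
    return findings


if __name__ == "__main__":
    parsed = parse_service_lines(SAMPLE_LOG)
    for name, reason in triage(parsed, SAMPLE_NETSVCS):
        print(f"{name}: {reason}")
```

The check that matters most is the first one: for each svchost-hosted name, open the service's `Parameters` key, note the ServiceDll path, and verify that file (signature, timestamp, hash) rather than svchost.exe, whose size and date in the log are the same for every service it hosts.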
Topic: Thanks for helping. ping.exe (in Resolved Malware Removal Logs)
Mr. C, the RogueKiller found 2 objects. However, I'm ignoring that and only posting the RK log, as instructed:
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 10/18/2012 20:37:41
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDS728080PLAT20 +++++
--- User ---
[MBR] 25b6f7f00ee924d129722e33c877ea12
[bSP] 6ab81512ed7b103b5f7d01d89b81ec91 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt