
wholefoodsfool2
Members
Posts: 19
Reputation: 0 Neutral
  1. Oh - and can I delete/uninstall the programs we used? Combofix, TDSSKiller.exe, GMER, Defogger.exe, DDS.scr, etc.?
  2. Followup questions: What about Defogger? Turn back on/off? Where did this nasty stuff originate and how did I get it? Would MB upgrades have prevented this nonsense? Will I ever know if the comp is 100% secure? FYI - going to donate when I get to work - when I can access PayPal without wondering if it is safe. :-) Thanks again for the support, great job!

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4172

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     6/6/2010 11:38:15 AM
     mbam-log-2010-06-06 (11-38-15).txt

     Scan type: Quick scan
     Objects scanned: 160518
     Time elapsed: 18 minute(s), 24 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. Things are running smoothly I suppose; I have been able to run all the tasks you requested and post my results here without interruption. What would indicate that there are still issues to wrestle with? As unpleasant an experience as this has been, it has been comforting knowing that this forum has such outstanding contributors as you, Borislav.
  4. Just got your request to delete the items - did so successfully. Should I empty the recycle bin?
  5. Is it odd that ComboFix has twice today prompted me to update to a newer version, restart the comp, then run?

     ComboFix 10-06-05.03 - Dan 06/06/2010 9:57.4.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.22 [GMT -5:00]
     Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
     FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

     FILE ::
     "c:\windows\Dfuhaxu.bin"
     "c:\windows\Nkopefayo.dat"
     .
     ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
     .
     2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf
     2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100
     2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat
     2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla
     2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo
     2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache
     2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn
     2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq
     2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps
     2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech
     2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys
     2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe
     2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro
     2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe
     2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe
     2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft
     2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar
     2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity
     2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix
     2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio
     .
     (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn ----

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]
     "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
     "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
     "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
     "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
     "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]
     "SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]
     "Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]
     "Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]
     "Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]
     "Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]
     "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
     "lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]
     "lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]
     "Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

     c:\documents and settings\Dan\Start Menu\Programs\Startup\
     HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
     PowerReg Scheduler.exe [2010-5-8 233472]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
     2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=
     "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=
     "c:\\windows\\system32\\lxdocfg.exe"=
     "c:\\windows\\system32\\lxdocoms.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

     R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]
     R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]
     R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]
     R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]
     S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]
     S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\
     FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-06-06 10:06
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
     "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(984)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\System32\LgNotify.dll

     - - - - - - - > 'explorer.exe'(1004)
     c:\windows\system32\WININET.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\IEFRAME.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\Ati2evxx.exe
     c:\windows\System32\S24EvMon.exe
     c:\windows\system32\ZCfgSvc.exe
     c:\windows\System32\SCardSvr.exe
     c:\windows\system32\Ati2evxx.exe
     c:\windows\System32\basfipm.exe
     c:\windows\system32\lxdocoms.exe
     c:\program files\Apoint\Apntex.exe
     c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
     c:\windows\System32\RegSrvc.exe
     c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
     c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
     c:\windows\TEMP\IKE33B.EXE
     .
     **************************************************************************
     .
     Completion time: 2010-06-06 10:15:28 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-06-06 15:15
     ComboFix2.txt 2010-06-06 14:39
     ComboFix3.txt 2010-06-05 23:25
     ComboFix4.txt 2010-06-05 22:22

     Pre-Run: 17,015,525,376 bytes free
     Post-Run: 16,979,132,416 bytes free

     - - End Of File - - 4BDD00C527F10CA226BCDD9137BB3A58
  6. Thanks for getting back to me so frequently, you guys rock!

     ComboFix 10-06-05.02 - Dan 06/06/2010 9:22.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.162 [GMT -5:00]
     Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
     FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

     FILE ::
     "c:\windows\Dfuhaxu.bin"
     "c:\windows\Nkopefayo.dat"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\Dfuhaxu.bin
     c:\windows\Nkopefayo.dat
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_KLMDB

     ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
     .
     2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf
     2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100
     2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat
     2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla
     2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo
     2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache
     2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn
     2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq
     2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps
     2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech
     2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys
     2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe
     2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro
     2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe
     2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe
     2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft
     2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar
     2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity
     2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix
     2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio
     2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
     .
     (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo ----
     ---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn ----

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]
     "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
     "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
     "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
     "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
     "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]
     "SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]
     "Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]
     "Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]
     "Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]
     "Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]
     "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
     "lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]
     "lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]
     "Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

     c:\documents and settings\Dan\Start Menu\Programs\Startup\
     HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
     PowerReg Scheduler.exe [2010-5-8 233472]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
     2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=
     "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=
     "c:\\windows\\system32\\lxdocfg.exe"=
     "c:\\windows\\system32\\lxdocoms.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

     R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]
     R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]
     R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]
     R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]
     S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]
     S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.yahoo.com/
     FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\
     FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-06-06 09:30
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
     "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(984)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\System32\LgNotify.dll

     - - - - - - - > 'explorer.exe'(1832)
     c:\windows\system32\WININET.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\IEFRAME.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\Ati2evxx.exe
     c:\windows\System32\S24EvMon.exe
     c:\windows\System32\SCardSvr.exe
     c:\windows\system32\ZCfgSvc.exe
     c:\windows\system32\Ati2evxx.exe
     c:\windows\System32\basfipm.exe
     c:\windows\system32\lxdocoms.exe
     c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
     c:\windows\System32\RegSrvc.exe
     c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
     c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
     c:\program files\Apoint\Apntex.exe
     c:\windows\TEMP\WV233D.EXE
     c:\program files\Trend Micro\OfficeScan Client\pccntupd.exe
     .
     **************************************************************************
     .
     Completion time: 2010-06-06 09:39:45 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-06-06 14:39
     ComboFix2.txt 2010-06-05 23:25
     ComboFix3.txt 2010-06-05 22:22

     Pre-Run: 17,121,271,808 bytes free
     Post-Run: 17,016,664,064 bytes free

     - - End Of File - - 674C83BA5E38E380BD51C362B4EC63FD
  7. ComboFix 10-06-05.01 - Dan 06/05/2010 18:13:49.2.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.127 [GMT -5:00]
     Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe
     FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}
     .
     ((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
     .
     2010-06-05 22:44 . 2010-06-05 22:44 -------- d-----w- c:\windows\LastGood
     2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf
     2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100
     2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat
     2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla
     2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo
     2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache
     2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn
     2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq
     2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2010-05-12 05:42 . 2010-06-05 20:51 120 ----a-w- c:\windows\Nkopefayo.dat
     2010-05-12 05:42 . 2010-06-05 19:31 0 ----a-w- c:\windows\Dfuhaxu.bin
     2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps
     2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech
     2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys
     2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe
     2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro
     2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe
     2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe
     2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft
     2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar
     2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity
     2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix
     2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio
     2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]
     "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
     "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
     "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
     "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
     "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]
     "SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]
     "Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]
     "Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]
     "Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]
     "Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]
     "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
     "lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]
     "lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]
     "Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

     c:\documents and settings\Dan\Start Menu\Programs\Startup\
     HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
     PowerReg Scheduler.exe [2010-5-8 233472]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
     2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=
     "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
     "c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=
     "c:\\windows\\system32\\lxdocfg.exe"=
     "c:\\windows\\system32\\lxdocoms.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=
     "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=
     "c:\\Program Files\\Lexmark
9500 Series\\lxdoFax.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"= R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?] R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640] R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024] R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112] S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?] S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180] --- Other Services/Drivers In Memory --- *NewlyCreated* - KLMDB *Deregistered* - klmdb . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/ uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\ FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . 
- - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-05 18:20 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(984) c:\windows\system32\Ati2evxx.dll c:\windows\System32\LgNotify.dll - - - - - - - > 'explorer.exe'(204) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-06-05 18:25:49 ComboFix-quarantined-files.txt 2010-06-05 23:25 ComboFix2.txt 2010-06-05 22:22 Pre-Run: 17,108,643,840 bytes free Post-Run: 17,096,462,336 bytes free - - End Of File - - FCB1DD8A94D278522EFBE1E0DE6C90DA
  8. 17:39:42:530 3428 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
     17:39:42:530 3428 ================================================================================
     17:39:42:530 3428 SystemInfo:
     17:39:42:530 3428 OS Version: 5.1.2600 ServicePack: 3.0
     17:39:42:530 3428 Product type: Workstation
     17:39:42:530 3428 ComputerName: KITCHENCOMPUTER
     17:39:42:530 3428 UserName: Dan
     17:39:42:530 3428 Windows directory: C:\WINDOWS
     17:39:42:530 3428 Processor architecture: Intel x86
     17:39:42:530 3428 Number of processors: 1
     17:39:42:530 3428 Page size: 0x1000
     17:39:42:530 3428 Boot type: Normal boot
     17:39:42:530 3428 ================================================================================
     17:39:42:830 3428 Initialize success
     17:39:42:830 3428
     17:39:42:830 3428 Scanning Services ...
     17:39:43:531 3428 Raw services enum returned 369 services
     17:39:43:541 3428
     17:39:43:541 3428 Scanning Drivers ...
     17:40:07:315 3428 omci (faa1aba995eeea9f68ac87dc36f64b2d) C:\WINDOWS\system32\DRIVERS\omci.sys
     17:40:07:315 3428 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\omci.sys. Real md5: faa1aba995eeea9f68ac87dc36f64b2d, Fake md5: b17228142cec9b3c222239fd935a37ca
     17:40:07:315 3428 File "C:\WINDOWS\system32\DRIVERS\omci.sys" infected by TDSS rootkit ...
     17:40:11:291 3428 Backup copy not found, trying to cure infected file..
     17:40:11:291 3428 Cure success, using it..
     17:40:11:311 3428 will be cured on next reboot
     17:40:27:684 3428 Reboot required for cure complete..
     17:40:28:285 3428 Cure on reboot scheduled successfully
     17:40:28:285 3428
     17:40:28:285 3428 Completed
     17:40:28:285 3428
     17:40:28:285 3428 Results:
     17:40:28:285 3428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
     17:40:28:285 3428 File objects infected / cured / cured on reboot: 1 / 0 / 1
     17:40:28:285 3428
     17:40:28:285 3428 KLMD(ARK) unloaded successfully
  9. ComboFix 10-06-03.01 - Dan 06/05/2010 16:50:57.1.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT -5:00]
     Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Dan\g2mdlhlpx.exe
     c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}
     c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome.manifest
     c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome\content\_cfg.js
     c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome\content\overlay.xul
     c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\install.rdf
     C:\setup.exe
     c:\windows\ayoqanedevacuq.dll
     c:\windows\idocuwus.dll
     c:\windows\oxerosuloro.dll
     c:\windows\suiclacr.dll
     c:\windows\system32\drivers\etc\lmhosts
     c:\windows\system32\drivers\fad.sys
     c:\windows\system32\VB40032.DLL
     c:\windows\uhahopir.dll
     c:\windows\uvipavur.dll

     Infected copy of c:\windows\system32\drivers\omci.sys was found and disinfected
     Restored copy from - Kitty had a snack
     .
     ((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
     .
     2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf
     2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100
     2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat
     2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla
     2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
     2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo
     2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache
     2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn
     2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq
     2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2010-05-12 05:42 . 2010-06-05 20:51 120 ----a-w- c:\windows\Nkopefayo.dat
     2010-05-12 05:42 . 2010-06-05 19:31 0 ----a-w- c:\windows\Dfuhaxu.bin
     2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps
     2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech
     2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe
     2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro
     2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe
     2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe
     2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe
     2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft
     2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar
     2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity
     2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix
     2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio
     2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648] "ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872] "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672] "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032] "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429] "SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320] "Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530] "Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626] "Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056] "Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416] "lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336] "lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256] "Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801] c:\documents and settings\Dan\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008] PowerReg Scheduler.exe [2010-5-8 233472] c:\documents and 
settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] 2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"= "c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"= "c:\\Program Files\\Lexmark 9500 Series\\frun.exe"= "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"= "c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"= "c:\\windows\\system32\\lxdocfg.exe"= "c:\\windows\\system32\\lxdocoms.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"= "c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"= R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?] 
R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640] R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024] R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112] S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?] S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\ FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . - - - - ORPHANS REMOVED - - - - HKCU-Run-Tzeruje - c:\windows\suiclacr.dll HKLM-Run-bascstray - BascsTray.exe HKLM-Run-Hzumonorapule - c:\windows\oxerosuloro.dll AddRemove-Centricity DICOM Viewer - c:\program files\Centricity\DICOM Viewer\3.1.1\EN-US\setupw2k ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-05 17:09 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82870EE4]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf853af28 \Driver\ACPI -> ACPI.sys @ 0xf84adcb8 \Driver\atapi -> atapi.sys @ 0xf8421852 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 user & kernel MBR OK ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(988) c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\windows\System32\LgNotify.dll - - - - - - - > 'lsass.exe'(1056) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(3244) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\System32\Ati2evxx.exe c:\windows\System32\S24EvMon.exe c:\windows\system32\ZCfgSvc.exe c:\windows\System32\SCardSvr.exe c:\windows\system32\Ati2evxx.exe c:\windows\System32\basfipm.exe c:\windows\system32\lxdocoms.exe c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe c:\windows\System32\RegSrvc.exe c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe c:\program files\Apoint\Apntex.exe c:\windows\TEMP\LZC8F6.EXE c:\program files\Trend Micro\OfficeScan Client\pccntupd.exe c:\windows\System32\MDM.EXE . ************************************************************************** . 
Completion time: 2010-06-05 17:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-05 22:22
Pre-Run: 15,892,234,240 bytes free
Post-Run: 17,141,665,792 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 3A9C243A50CCB5A1142556E0076E149F
  10. Should I click 'Yes'? "This machine does not have the 'Microsoft Windows recovery console' installed Without it, ComboFix shall not attempt the fixing of some serious infection. Click 'Yes' to have ComboFix download/install it. NOTE: this requires an active internet connection." Thanks!
  11. "Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. " Ok - Cannot disable TREND MICRO OfficeScan Client. No icon in system tray menu to right click and main console is not same as one pictured in the instructions. http://esupport.trendmicro.com/Pages/How-d...t.aspx#P97_1482
  12. DM you an unzipped or register for WinZip -> attach to topic? Eeek
  13. Thanks for the quick response! Interesting news, WinZip is prompting me to register for a new license or use it for evaluation purposes only - is this legit? What's next?
  14. Hey there Borislav; I'm glad you're here. Removed Adobe. Ran ops per instructions. MBAM & DDS results are below. Should I have attached the zipped "Attachment" results as well? I look forward to your thoughts. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4170 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/5/2010 2:18:00 PM mbam-log-2010-06-05 (14-18-00).txt Scan type: Quick scan Objects scanned: 171130 Time elapsed: 30 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-03-17.01) - NTFSx86 Run by Dan at 14:43:34.25 on Sat 06/05/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.115 [GMT -5:00] FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7} ============== Running Processes =============== C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\S24EvMon.exe svchost.exe C:\WINDOWS\system32\ZCfgSvc.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\basfipm.exe C:\WINDOWS\system32\lxdocoms.exe C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe C:\WINDOWS\System32\RegSrvc.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 
C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\WINDOWS\SMPClient.exe C:\Program Files\Lexmark 9500 Series\lxdoamon.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe C:\Program Files\palmOne\HOTSYNC.EXE C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\TEMP\CKCDE0.EXE C:\WINDOWS\system32\msiexec.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\MDM.EXE C:\WINDOWS\system32\MsiExec.exe C:\WINDOWS\explorer.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Documents and Settings\Dan\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uDefault_Page_URL = hxxp://www.dell.com uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Tzeruje] rundll32.exe "c:\windows\suiclacr.dll",Startup mRun: [Apoint] c:\program files\apoint\Apoint.exe mRun: [ATIModeChange] Ati2mdxx.exe mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe mRun: [bascstray] BascsTray.exe mRun: [DVDSentry] c:\windows\system32\DSentry.exe mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe" mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan 
client\pccntmon.exe" -HideWindow mRun: [sMPClient] c:\windows\SMPClient.exe mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe" mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe" mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe" mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe mRun: [lxdomon.exe] "c:\program files\lexmark 9500 series\lxdomon.exe" mRun: [lxdoamon] "c:\program files\lexmark 9500 series\lxdoamon.exe" mRun: [Lexmark 9500 Series Fax Server] "c:\program files\lexmark 9500 series\fm3032.exe" /s mRun: [Hzumonorapule] rundll32.exe "c:\windows\oxerosuloro.dll",Startup dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" StartupFolder: c:\docume~1\dan\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE StartupFolder: c:\documents and settings\dan\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: Sebring - c:\windows\system32\LgNotify.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 192.168.100.2 skilmatch2 Hosts: 192.168.100.3 skilmatchp Hosts: 192.168.100.4 skilmatche ================= FIREFOX 
=================== FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\7k16rbkb.default\ FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: XULRunner: {89892EBC-214E-459C-8AAB-784F19B9598C} - c:\documents and settings\dan\local settings\application data\{89892EBC-214E-459C-8AAB-784F19B9598C} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - 
pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program 
files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?] R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-3-22 233552] R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2007-12-3 78640] R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2004-9-15 203024] R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2004-9-15 36112] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-18 38224] S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe --> c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe [?] 
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2007-12-3 23180]
=============== Created Last 30 ================
2010-06-04 22:05:03 0 ----a-w- c:\documents and settings\dan\defogger_reenable
2010-05-27 11:46:10 0 d-sh--w- c:\documents and settings\dan\IECompatCache
2010-05-18 19:21:52 2534 ----a-w- c:\windows\ayoqanedevacuq.dll
2010-05-18 19:07:08 2534 ----a-w- c:\windows\idocuwus.dll
2010-05-18 16:26:26 0 d-----w- c:\docume~1\dan\applic~1\Malwarebytes
2010-05-18 16:26:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 16:26:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 16:26:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 16:26:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-18 16:08:11 2534 ----a-w- c:\windows\uvipavur.dll
2010-05-18 16:01:03 2534 ----a-w- c:\windows\uhahopir.dll
2010-05-12 05:42:35 120 ----a-w- c:\windows\Nkopefayo.dat
2010-05-12 05:42:35 0 ----a-w- c:\windows\Dfuhaxu.bin
2010-05-12 05:39:32 0 d-----w- c:\windows\system32\msapps
2010-05-08 23:55:11 0 d-----w- c:\program files\palmOne
==================== Find3M ====================
============= FINISH: 14:45:20.28 ===============
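The DDS and ComboFix logs in this thread carry the markers the helper's CFScript went after: Internet Explorer proxied through 127.0.0.1:5555, two Run entries that start rundll32 on random-named DLLs sitting directly in c:\windows, a hidden Firefox extension installed under a bare GUID in Local Settings\Application Data, several new 2534-byte DLLs plus a .dat and a .bin in the Windows directory root, and AntiVirusOverride set under the Security Center key. The script below is an added example of my own (it is not part of the original posts and not a Malwarebytes, DDS or ComboFix tool) that runs those five checks over lines in DDS/ComboFix format. The sample input is an excerpt assembled from the logs above with benign lines kept in for contrast; the rule names, regexes and the 127.0.0.1/localhost test are my choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt assembled from the DDS "Pseudo HJT Report",
# "Created Last 30" and ComboFix "Reg Loading Points" sections in the posts
# above, with benign lines left in so the rules have something to ignore.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tzeruje] rundll32.exe "c:\windows\suiclacr.dll",Startup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Hzumonorapule] rundll32.exe "c:\windows\oxerosuloro.dll",Startup
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {89892EBC-214E-459C-8AAB-784F19B9598C} - c:\documents and settings\dan\local settings\application data\{89892EBC-214E-459C-8AAB-784F19B9598C}
2010-05-18 19:21:52 2534 ----a-w- c:\windows\ayoqanedevacuq.dll
2010-05-18 16:26:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 05:42:35 120 ----a-w- c:\windows\Nkopefayo.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# IE proxy redirected to a listener on the local host (the log shows http=127.0.0.1:5555).
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d{1,5})", re.I)

# A Run entry that starts rundll32 on a DLL sitting directly in the Windows
# directory root, not in system32 or a vendor subfolder.
RUNDLL_WINDIR = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)"?', re.I)

# A hidden Firefox extension whose install directory is a bare GUID under the
# user's Local Settings\Application Data (or AppData\Local) rather than the
# Firefox profile or a vendor path.
HIDDEN_EXT = re.compile(
    r"HiddenExtension:.*\\(?:local settings\\application data|appdata\\local)\\\{[0-9a-f-]+\}", re.I)

# A "Created Last 30" entry for a .dll/.bin/.dat file directly in the Windows root.
NEW_WINDIR_FILE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+([a-z]:\\windows\\[^\\]+\.(?:dll|bin|dat))$", re.I)

# XP SP2 Security Center values that override or silence its AV/firewall status.
SC_OVERRIDE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$', re.I)


def triage(log_text: str) -> list[Finding]:
    """Run every rule over each log line and return the lines that fire, in log order."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ComboFix prints a registry key on its own line; remember it so the
        # value lines that follow can be judged in context.
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if LOOPBACK_PROXY.search(line):
            findings.append(Finding("loopback-proxy", line))
        elif RUNDLL_WINDIR.search(line):
            findings.append(Finding("rundll32-windir-dll", line))
        elif HIDDEN_EXT.search(line):
            findings.append(Finding("hidden-ff-extension", line))
        elif NEW_WINDIR_FILE.match(line):
            findings.append(Finding("new-file-in-windir-root", line))
        elif SC_OVERRIDE.match(line) and "security center" in current_key:
            findings.append(Finding("security-center-override", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, which is what decides whether a fix script is worth writing."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:26} {f.line}")
    print(summarize(hits))
```

Two deliberate non-hits are worth knowing about. "DisableMonitoring" under Security Center\Monitoring\TrendFirewall is how a third-party firewall registers itself with the XP Security Center, so it is not treated as tampering; only the Override/DisableNotify values are. The hidden ".NET Framework Assistant" extension lives under c:\windows\microsoft.net and is Microsoft's, whereas the XULRunner entry under a GUID in Local Settings\Application Data is the one that fires. A loopback proxy can also be legitimate (a local content filter, for instance), so before acting on that finding confirm which process owns the listening port with netstat -ano on the affected machine.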