Jump to content

bunruh

Honorary Members
 View Profile  See their activity

  • Posts

    23

  • Joined

  • Last visited

Reputation

0 Neutral
  1. bunruh
    Is there anything new here, it found 7 infected items: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 5064 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 11/6/2010 9:01:08 PM mbam-log-2010-11-06 (21-01-08).txt Scan type: Full scan (C:\|H:\|) Objects scanned: 260692 Time elapsed: 1 hour(s), 32 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{11522865-037b-4e24-99d6-b43a3782302f} (Password.Stealer) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1dfc0cb0-ce09-4e94-bd01-91c2e9d2a7ca} (Password.Stealer) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{3513a6a1-9e64-411e-a763-be8cf8f8f1bc} (Password.Stealer) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{7d94fe9d-0031-4911-9d51-2a24cb88120c} (Password.Stealer) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\4dw4r3 (Rootkit.TDSS) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\kirenalo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\yehifuni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\TDSSKiller_Quarantine\06.11.2010_11.49.41\susp0001\svc0000\tsk0000.dta (Trojan.Agent) -> Quarantined and deleted successfully.
  2. bunruh
    LD, I just reran mbam-setup and did an update and am doing a full system scan on C: & H:. So far it has found several objects infected. I will post the log when completed. Do I delete or quarantine infected objects?
  3. bunruh
    LD, I just reread your post more carefully and I think you answered the question about deleting something, but want to make sure. Thanks for your help ALL DAY LONG!!!
  4. bunruh
    Looks like it worked, see log below. What about your comments on Post 31: "Make sure you delete it. [NOTE] The file was moved to the quarantine directory under the name '4f9a7460.qua'." Do I still need to delete something? exeHelper by Raktor Build 20100414 Run at 19:06:02 on 11/06/10 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished--
  5. bunruh
    Hey LDTate, thanks for all the help . I do have some questions as we finish up. We did some changes to the Registry, do any of them need to be undone. There was something a few steps back (Post #31) that you said we needed to change back later. Also, it appears that something happened to my registry because I can't directly click on some links to *.exe files and run them; I get an error message when I try to run mbam.exe from the desktop shortcut that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." In these cases I've used the CACLS work around: cacls "C:\path\prog.exe" /G Everyone:F . In the past I found this registry code and have added it (do you approve?): xp_exe_fix.reg Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.exe] @="exefile" "Content Type"="application/x-msdownload" [HKEY_CLASSES_ROOT\.exe\PersistentHandler] @="{098f2470-bae0-11cd-b579-08002b30bfeb}" [HKEY_CLASSES_ROOT\exefile] @="Application" "EditFlags"=hex:38,07,00,00 "TileInfo"="prop:FileDescription;Company;FileVersion" "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size" [HKEY_CLASSES_ROOT\exefile\DefaultIcon] @="%1" [HKEY_CLASSES_ROOT\exefile\shell] [HKEY_CLASSES_ROOT\exefile\shell\open] "EditFlags"=hex:00,00,00,00 [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\exefile\shell\runas] [HKEY_CLASSES_ROOT\exefile\shell\runas\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\exefile\shellex] [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler] @="{86C86720-42A0-1069-A2E8-08002B30309D}" [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers] [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser] @="{09A63660-16F9-11d0-B1DF-004F56001CA7}" [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps] @="{86F19A00-42A0-1069-A2E9-08002B30309D}" [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page] @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
  6. bunruh
    DDS: DDS (Ver_10-11-03.01) - NTFSx86 Run by Compaq_Owner at 17:32:08.70 on Sat 11/06/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.415 [GMT -5:00] AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\WINDOWS\AGRSMMSG.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Compaq_Owner.COMPAQ\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://start.facemoods.com/?a=antn uInternet Settings,ProxyServer = http=127.0.0.1 mURLSearchHooks: H - No File BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [TkBellExe] //~c:\program files\common files\real\update_ob\realsched.exe -osboot mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [PS2] c:\windows\system32\ps2.exe mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe mRun: [Reminder] "c:\windows\creator\Remind_XP.exe" mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab ============= SERVICES / DRIVERS =============== R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-2 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-2 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-2 267944] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-2 60936] =============== Created Last 30 ================ 2010-11-06 21:44:59 -------- d-----w- C:\ComboFix 2010-11-06 17:44:57 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys 2010-11-06 16:50:19 -------- d-----w- C:\TDSSKiller_Quarantine 2010-11-02 20:59:40 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Avira 2010-11-02 20:55:03 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-02 20:55:02 -------- d-----w- c:\program files\Avira 2010-11-02 20:55:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira 2010-11-02 17:50:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-02 17:50:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-01 23:41:17 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Malwarebytes 2010-11-01 23:41:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-01 23:41:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-11-01 23:26:40 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\SurfSecret Privacy Suite 2010-11-01 23:21:57 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\Panda Security 2010-11-01 23:21:12 -------- d-----w- c:\docume~1\compaq~1.com\locals~1\applic~1\panda2_0dn 2010-11-01 23:20:17 -------- d-----w- c:\program files\Panda Security 2010-11-01 23:20:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security 2010-10-25 16:58:36 -------- d-----w- c:\docume~1\compaq~1.com\applic~1\AskToolbar 2010-10-25 04:52:43 -------- d-----w- c:\docume~1\compaq~1.com\locals~1\applic~1\AskToolbar 2010-10-13 01:26:57 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2010-10-13 01:26:56 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2010-10-13 01:26:44 617472 ------w- c:\windows\system32\dllcache\comctl32.dll ==================== Find3M ==================== 2010-11-06 02:15:49 88576 ----a-w- c:\windows\MBR.exe 2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2005-06-22 00:40:56 774144 ----a-w- c:\program files\RngInterstitial.dll ============= FINISH: 17:33:26.23 ===============
  7. bunruh
    Will run new DDS scan. FYI here is the log from Avira: Avira AntiVir Personal Report file date: Saturday, November 06, 2010 17:20 Scanning for 3020684 virus strains and unwanted programs. The program is running as an unrestricted full version. Online services are available: Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : COMPAQ Version information: BUILD.DAT : 10.0.0.592 31823 Bytes 8/9/2010 11:00:00 AVSCAN.EXE : 10.0.3.1 434344 Bytes 11/6/2010 19:22:28 AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04 LUKE.DLL : 10.0.2.3 104296 Bytes 8/2/2010 21:10:00 LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49 VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36 VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49 VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42 VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42 VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03 VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:10:03 VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 21:10:04 VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 21:10:06 VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 20:56:51 VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 20:57:03 VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 20:57:03 VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 20:57:03 VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 20:57:03 VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 14:32:42 VBASE014.VDF : 7.10.13.117 2048 Bytes 11/4/2010 14:32:42 VBASE015.VDF : 7.10.13.118 2048 Bytes 11/4/2010 14:32:42 VBASE016.VDF : 7.10.13.119 2048 Bytes 11/4/2010 14:32:42 VBASE017.VDF : 7.10.13.120 2048 Bytes 11/4/2010 14:32:42 VBASE018.VDF : 7.10.13.121 2048 Bytes 11/4/2010 14:32:43 VBASE019.VDF : 7.10.13.122 2048 Bytes 11/4/2010 14:32:43 VBASE020.VDF : 7.10.13.123 2048 Bytes 11/4/2010 14:32:43 VBASE021.VDF : 7.10.13.124 2048 Bytes 11/4/2010 14:32:43 VBASE022.VDF : 7.10.13.125 2048 Bytes 11/4/2010 14:32:43 VBASE023.VDF : 7.10.13.126 2048 Bytes 11/4/2010 14:32:43 VBASE024.VDF : 7.10.13.127 2048 Bytes 11/4/2010 14:32:43 VBASE025.VDF : 7.10.13.128 2048 Bytes 11/4/2010 14:32:43 VBASE026.VDF : 7.10.13.129 2048 Bytes 11/4/2010 14:32:43 VBASE027.VDF : 7.10.13.130 2048 Bytes 11/4/2010 14:32:44 VBASE028.VDF : 7.10.13.131 2048 Bytes 11/4/2010 14:32:44 VBASE029.VDF : 7.10.13.132 2048 Bytes 11/4/2010 14:32:44 VBASE030.VDF : 7.10.13.133 2048 Bytes 11/4/2010 14:32:44 VBASE031.VDF : 7.10.13.145 130048 Bytes 11/5/2010 19:22:27 Engineversion : 8.2.4.92 AEVDF.DLL : 8.1.2.1 106868 Bytes 8/2/2010 21:09:54 AESCRIPT.DLL : 8.1.3.46 1364347 Bytes 11/4/2010 14:32:52 AESCN.DLL : 8.1.6.1 127347 Bytes 8/2/2010 21:09:53 AESBX.DLL : 8.1.3.1 254324 Bytes 8/2/2010 21:09:53 AERDL.DLL : 8.1.9.2 635252 Bytes 11/2/2010 20:57:27 AEPACK.DLL : 8.2.3.11 471416 Bytes 11/2/2010 20:57:25 AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/2/2010 21:09:52 AEHEUR.DLL : 8.1.2.38 2990455 Bytes 11/4/2010 14:32:49 AEHELP.DLL : 8.1.14.0 246134 Bytes 11/2/2010 20:57:12 AEGEN.DLL : 8.1.3.24 401781 Bytes 11/4/2010 14:32:45 AEEMU.DLL : 8.1.2.0 393588 Bytes 8/2/2010 21:09:49 AECORE.DLL : 8.1.17.0 196982 Bytes 11/2/2010 20:57:10 AEBB.DLL : 8.1.1.0 53618 Bytes 8/2/2010 21:09:48 AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/2/2010 21:09:56 AVPREF.DLL : 10.0.0.0 44904 Bytes 8/2/2010 21:09:55 AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13 AVREG.DLL : 10.0.3.2 53096 Bytes 8/2/2010 21:09:55 AVSCPLR.DLL : 10.0.3.1 83816 Bytes 8/2/2010 21:09:56 AVARKT.DLL : 10.0.0.14 227176 Bytes 8/2/2010 21:09:54 AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/2/2010 21:09:55 SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22 AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/2/2010 21:09:56 NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21 RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20 RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/2/2010 21:10:08 Configuration settings for the scan: Jobname.............................: avguard_async_scan Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4d125531\guard_slideup.avp Logging.............................: low Primary action......................: repair Secondary action....................: quarantine Scan master boot sector.............: on Scan boot sector....................: off Process scan........................: on Scan registry.......................: off Search for rootkits.................: off Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: high Start of the scan: Saturday, November 06, 2010 17:20 The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'KBD.EXE' - '1' Module(s) have been scanned Scan process 'avshadow.exe' - '1' Module(s) have been scanned Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned Scan process 'MDM.EXE' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'Explorer.EXE' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned Starting the file scan: Begin scan in 'C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP126\A0041748.sys' C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP126\A0041748.sys [DETECTION] Is the TR/Rootkit.Gen Trojan [NOTE] The file was moved to the quarantine directory under the name '4f9a7460.qua'. End of the scan: Saturday, November 06, 2010 17:21 Used time: 00:26 Minute(s) The scan has been done completely. 0 Scanned directories 29 Files were scanned 1 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 1 Files were moved to quarantine 0 Files were renamed 0 Files cannot be scanned 28 Files not concerned 0 Archives were scanned 0 Warnings 1 Notes The scan results will be transferred to the Guard.
  8. bunruh
    Before I could do the steps above, Avira said it found something and asked to delete it. I approved and rebooted. Then I did your steps above and another boot. Now what?
  9. bunruh
    Ran the batch file and then checked to make sure IE worked. Ran CoboFix; here's the log: ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 16:48:07.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.312 [GMT -5:00] Running from: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 ))))))))))))))))))))))))))))))) . 2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys 2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine 2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira 2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes 2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn 2010-11-01 23:20 . 2010-11-06 20:40 -------- d-----w- c:\program files\Panda Security 2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities 2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities 2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar 2010-10-25 04:52 . 2010-11-06 19:53 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar 2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472] "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344] "SiSPower"="SiSPower.dll" [2005-04-12 49152] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336] . . ------- Supplementary Scan ------- . uStart Page = hxxp://start.facemoods.com/?a=antn uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-06 16:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2256) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2010-11-06 16:56:25 ComboFix-quarantined-files.txt 2010-11-06 21:56 ComboFix2.txt 2010-11-06 21:07 ComboFix3.txt 2010-11-06 20:17 ComboFix4.txt 2010-11-06 19:09 ComboFix5.txt 2010-11-06 21:45 Pre-Run: 37,472,468,992 bytes free Post-Run: 37,466,943,488 bytes free - - End Of File - - 003BC494152B13EFF92539B3BCC7AA8D
  10. bunruh
    LD, I uninstalled Panda Cloud AV and all its various components, then restarted and did the above script. Here's the log file: ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 15:53:00.3.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.399 [GMT -5:00] Running from: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} . ((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 ))))))))))))))))))))))))))))))) . 2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys 2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine 2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira 2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes 2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn 2010-11-01 23:20 . 2010-11-06 20:40 -------- d-----w- c:\program files\Panda Security 2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities 2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities 2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar 2010-10-25 04:52 . 2010-11-06 19:53 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar 2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472] "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344] "SiSPower"="SiSPower.dll" [2005-04-12 49152] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336] . . ------- Supplementary Scan ------- . uStart Page = hxxp://start.facemoods.com/?a=antn uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:5555 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-06 16:02 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3196) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\wdfmgr.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE . ************************************************************************** . Completion time: 2010-11-06 16:07:38 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-06 21:07 ComboFix2.txt 2010-11-06 20:17 ComboFix3.txt 2010-11-06 19:09 ComboFix4.txt 2009-12-12 02:24 Pre-Run: 36,284,334,080 bytes free Post-Run: 36,275,482,624 bytes free - - End Of File - - 8C8C6E696C7B51F4C821149D4FE28C57
  11. bunruh
    LD, upon restart ComboFix restarted its scan and the following log: ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 15:00:36.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.458 [GMT -5:00] Running from: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner.COMPAQ\Desktop\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Ask.com c:\program files\Ask.com\btn_search.png c:\program files\Ask.com\cobrand.ico c:\program files\Ask.com\config.xml c:\program files\Ask.com\favicon.ico c:\program files\Ask.com\GenericAskToolbar.dll c:\program files\Ask.com\limewire_logo.png c:\program files\Ask.com\mupcfg.xml c:\program files\Ask.com\SaUpdate.exe c:\program files\Ask.com\UpdateTask.exe c:\windows\system32\config\bjyeyaiy . ((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 ))))))))))))))))))))))))))))))) . 2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys 2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine 2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira 2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-02 02:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes 2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing 2010-11-01 23:21 . 2010-11-01 23:31 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\pandasecuritytb 2010-11-01 23:20 . 2010-11-02 02:40 -------- d-----w- c:\program files\Panda Security 2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities 2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities 2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar 2010-10-25 04:52 . 2010-11-06 19:53 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar 2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}] 2010-10-25 13:34 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-10-25 86696] [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon] @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}" [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}] 2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon] @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}" [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}] 2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472] "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344] "SiSPower"="SiSPower.dll" [2005-04-12 49152] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848] "Panda Security Toolbar Antiphishing"="c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.exe" [2010-10-24 449192] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2010 9:41 PM 28552] R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [6/17/2010 1:41 PM 129992] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336] R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384] R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/21/2010 10:02 PM 97096] R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624] R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/21/2010 10:02 PM 112456] S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [8/9/2010 2:53 PM 140608] . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uStart Page = hxxp://start.facemoods.com/?a=antn uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-06 15:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3604) c:\windows\system32\WININET.dll c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.dll c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\wdfmgr.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE . ************************************************************************** . Completion time: 2010-11-06 15:17:20 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-06 20:17 ComboFix2.txt 2010-11-06 19:09 ComboFix3.txt 2009-12-12 02:24 Pre-Run: 36,098,134,016 bytes free Post-Run: 36,099,694,592 bytes free - - End Of File - - D2E5D3B5710AC03B623A339482B5609E
  12. bunruh
    LD, I went through above steps and the first time though it went to a black screen with the following message: K error ss any key to restart I am restarting now.
  13. bunruh
    LD, the first run of ComboFix found a root kit infection and asked me to reboot the computer. I did reboot and ComboFix automatically restarted a scan and ran to completion and finished a log file: ComboFix 10-11-07.01 - Compaq_Owner 11/06/2010 13:49:01.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.440 [GMT -5:00] Running from: J:\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\.wtav c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\facemoods.com c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\facemoods.com\facemoods\Online Games.ico C:\feed.txt c:\program files\skynet.dat c:\windows\assembly\GAC\__AssemblyInfo__.ini c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf c:\windows\explorer(2).exe c:\windows\herjek.config c:\windows\system32\fsc.txt c:\windows\system32\ide.txt c:\windows\system32\klgd.bmp c:\windows\system32\lpd.txt c:\windows\system32\lpe.txt c:\windows\system32\lrg.txt c:\windows\system32\qks.txt c:\windows\system32\xef.txt c:\windows\Tasks\bxqogdrq.job c:\windows\Tasks\dpgetlyt.job Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected Restored copy from - The cat found it . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 -------\Legacy_ADBUPD -------\Legacy_USERINIT -------\Service_6to4 -------\Service_AdbUpd -------\Service_userinit ((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 ))))))))))))))))))))))))))))))) . 2010-11-06 17:44 . 2010-11-06 17:47 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys 2010-11-06 16:50 . 2010-11-06 16:50 -------- d-----w- C:\TDSSKiller_Quarantine 2010-11-02 20:59 . 2010-11-02 20:59 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Avira 2010-11-02 20:55 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-02 20:55 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-11-02 20:55 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-11-02 20:55 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\program files\Avira 2010-11-02 20:55 . 2010-11-02 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-11-02 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-02 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-02 02:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Malwarebytes 2010-11-01 23:41 . 2010-11-02 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-01 23:41 . 2010-11-01 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-01 23:26 . 2010-11-01 23:26 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\SurfSecret Privacy Suite 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\Panda Security 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\panda2_0dn 2010-11-01 23:21 . 2010-11-01 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing 2010-11-01 23:21 . 2010-11-01 23:31 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\pandasecuritytb 2010-11-01 23:20 . 2010-11-02 02:40 -------- d-----w- c:\program files\Panda Security 2010-11-01 23:20 . 2010-11-01 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2010-10-31 02:35 . 2010-10-31 02:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities 2010-10-26 06:48 . 2010-10-26 06:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities 2010-10-25 16:58 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Application Data\AskToolbar 2010-10-25 04:52 . 2010-11-02 02:42 -------- d-----w- c:\documents and settings\Compaq_Owner.COMPAQ\Local Settings\Application Data\AskToolbar 2010-10-25 04:21 . 2010-10-25 04:21 -------- d-----w- c:\program files\Ask.com 2010-10-13 01:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll 2010-10-13 01:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll 2010-10-13 01:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-06 18:43 . 2005-01-28 08:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys 2010-09-18 17:23 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 18:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 18:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 18:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-04 18:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-04 18:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-04 18:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-04 18:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-04 18:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2004-08-04 18:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2004-08-04 18:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2005-01-28 08:56 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-12-12 04:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2004-08-04 18:00 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17 . 2004-08-04 18:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45 . 2004-08-04 18:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2005-06-22 00:40 . 2005-06-22 00:41 774144 ----a-w- c:\program files\RngInterstitial.dll . ------- Sigcheck ------- [7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe [7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe [7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe [7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe [7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe [7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe [7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe [7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe [7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe [7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe [-] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe [-] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe [-] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe [-] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe [-] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2GDR\iexplore.exe [-] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe [-] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2QFE\iexplore.exe [-] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe [-] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe [-] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe [-] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe [-] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe [-] 2007-08-17 . 3AC2BC667DA0AF2C968E96E1630F5AB5 . 625152 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe [-] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe [-] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe [-] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe [-] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe [-] 2007-06-27 . 275CEE268B9E5D82474C43D5D249D111 . 625152 . . [7.00.6000.16512] . . c:\windows\ie7updates\KB939653-IE7\iexplore.exe [-] 2007-04-24 . 10BDB55982586A432A3951EB19A26009 . 625152 . . [7.00.6000.16473] . . c:\windows\ie7updates\KB937143-IE7\iexplore.exe [-] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe [-] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe [-] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe [-] 2007-01-09 . 93A6A4F5293AE19E3B37021AABCF0902 . 623616 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\iexplore.exe [-] 2006-10-17 . 5334D4461AA92A7B008755FE6D13C5F2 . 622080 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\iexplore.exe [7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe [7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie8\iexplore.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}] 2010-10-25 13:34 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}] 2010-09-28 04:40 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1244040] "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-10-25 86696] [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1] [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd] [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1244040] [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1] [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}] [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon] @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}" [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}] 2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon] @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}" [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}] 2010-05-14 20:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="files\common files\real\update_ob\realsched.exe -osboot" [X] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472] "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344] "SiSPower"="SiSPower.dll" [2005-04-12 49152] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-28 98304] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848] "Panda Security Toolbar Antiphishing"="c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.exe" [2010-10-24 449192] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/1/2010 9:41 PM 28552] R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [6/17/2010 1:41 PM 129992] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2010 3:55 PM 135336] R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384] R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/21/2010 10:02 PM 97096] R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624] R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/21/2010 10:02 PM 112456] S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [8/9/2010 2:53 PM 140608] . Contents of the 'Scheduled Tasks' folder 2010-10-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job - c:\program files\Ask.com\UpdateTask.exe [2010-09-28 04:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://start.facemoods.com/?a=antn uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> . - - - - ORPHANS REMOVED - - - - Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) Toolbar-Locked - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) HKLM-Run-iTunesHelper - files\itunes\ituneshelper.exe HKLM-Run-SMSERIAL - (no file) SharedTaskScheduler-{23890fbe-a206-400f-8a89-f094b6efd9d9} - (no file) SharedTaskScheduler-{b43f8a73-c416-4add-91f9-33f0e5a270ca} - (no file) SharedTaskScheduler-{8b87616f-ccd9-4076-9873-1b724da2f16e} - (no file) SharedTaskScheduler-{c4172249-1f32-4832-8982-80b4f33ff7f0} - (no file) SharedTaskScheduler-{f1f47ee6-2383-4e1a-84b3-d4455fd87bdd} - (no file) SharedTaskScheduler-{f012e104-dfa5-4939-8c39-b827ce01ae78} - (no file) SSODL-bibiwaluk-{23890fbe-a206-400f-8a89-f094b6efd9d9} - (no file) SSODL-vimazodag-{b43f8a73-c416-4add-91f9-33f0e5a270ca} - (no file) SSODL-yeruzijep-{8b87616f-ccd9-4076-9873-1b724da2f16e} - (no file) SSODL-fagoziruy-{c4172249-1f32-4832-8982-80b4f33ff7f0} - (no file) SSODL-layezewan-{f1f47ee6-2383-4e1a-84b3-d4455fd87bdd} - (no file) SSODL-wuyagihes-{f012e104-dfa5-4939-8c39-b827ce01ae78} - (no file) Notify-setcell - setcell.dll SafeBoot-klmdb.sys ActiveSetup-{11522865-037B-4E24-99D6-B43A3782302F} - uaihv27.dll ActiveSetup-{1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA} - oxia7.dll ActiveSetup-{3513A6A1-9E64-411E-A763-BE8CF8F8F1BC} - iwauqng5.dll ActiveSetup-{7D94FE9D-0031-4911-9D51-2A24CB88120C} - pbutk.dll ActiveSetup-{C1DDC416-23B2-4876-A75C-2D1902CCD0C3} - usmkppl.dll ActiveSetup-{D44AAFDA-1AF4-45AA-9813-6337EDFA496C} - jnjvcpxk1.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-06 14:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3976) c:\windows\system32\WININET.dll c:\documents and settings\All Users\Application Data\Panda Security Toolbar Antiphishing\panda2_0dn.dll c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\wdfmgr.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE . ************************************************************************** . Completion time: 2010-11-06 14:09:58 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-06 19:09 ComboFix2.txt 2009-12-12 02:24 Pre-Run: 32,529,850,368 bytes free Post-Run: 36,105,555,968 bytes free - - End Of File - - 88632619534D233B6F2624D544DBFE1A
  14. bunruh
    got it!
  15. bunruh
    LD, in normal mode AFD shows up again and two runs of TDSSKiller found both times (delete doesn't delete apparently). Here's the log from the second run in normal mode: 2010/11/06 12:46:07.0890 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43 2010/11/06 12:46:07.0890 ================================================================================ 2010/11/06 12:46:07.0890 SystemInfo: 2010/11/06 12:46:07.0890 2010/11/06 12:46:07.0890 OS Version: 5.1.2600 ServicePack: 3.0 2010/11/06 12:46:07.0890 Product type: Workstation 2010/11/06 12:46:07.0890 ComputerName: COMPAQ 2010/11/06 12:46:07.0890 UserName: Compaq_Owner 2010/11/06 12:46:07.0890 Windows directory: C:\WINDOWS 2010/11/06 12:46:07.0890 System windows directory: C:\WINDOWS 2010/11/06 12:46:07.0890 Processor architecture: Intel x86 2010/11/06 12:46:07.0890 Number of processors: 1 2010/11/06 12:46:07.0890 Page size: 0x1000 2010/11/06 12:46:07.0890 Boot type: Normal boot 2010/11/06 12:46:07.0890 ================================================================================ 2010/11/06 12:46:10.0296 Initialize success 2010/11/06 12:46:12.0250 ================================================================================ 2010/11/06 12:46:12.0250 Scan started 2010/11/06 12:46:12.0250 Mode: Manual; 2010/11/06 12:46:12.0250 ================================================================================ 2010/11/06 12:46:21.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/11/06 12:46:22.0906 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/11/06 12:46:24.0375 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/11/06 12:46:24.0984 AFD (3d57e667e01b695a298dc553761742a3) C:\WINDOWS\System32\drivers\afd.sys 2010/11/06 12:46:24.0984 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3d57e667e01b695a298dc553761742a3, Fake md5: 7e775010ef291da96ad17ca4b17137d7 2010/11/06 12:46:25.0000 AFD - detected Forged file (1) 2010/11/06 12:46:25.0375 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 2010/11/06 12:46:29.0453 ALCXWDM (781c5ec517c53f5214b61253b20c13c4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2010/11/06 12:46:32.0046 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/11/06 12:46:33.0953 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/11/06 12:46:34.0406 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/11/06 12:46:35.0328 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/11/06 12:46:35.0718 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/11/06 12:46:36.0250 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys 2010/11/06 12:46:36.0484 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys 2010/11/06 12:46:36.0750 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys 2010/11/06 12:46:37.0203 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/11/06 12:46:37.0453 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/11/06 12:46:38.0078 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/11/06 12:46:38.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/11/06 12:46:38.0578 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/11/06 12:46:40.0109 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/11/06 12:46:40.0375 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2010/11/06 12:46:40.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2010/11/06 12:46:41.0250 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/11/06 12:46:41.0484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/11/06 12:46:41.0968 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/11/06 12:46:42.0328 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/11/06 12:46:42.0562 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2010/11/06 12:46:42.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2010/11/06 12:46:42.0953 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2010/11/06 12:46:43.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/11/06 12:46:43.0296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/11/06 12:46:43.0484 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/11/06 12:46:43.0640 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys 2010/11/06 12:46:43.0781 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 2010/11/06 12:46:43.0937 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/11/06 12:46:44.0125 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/11/06 12:46:44.0593 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/11/06 12:46:45.0109 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/11/06 12:46:45.0281 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/11/06 12:46:45.0609 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2010/11/06 12:46:45.0765 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/11/06 12:46:45.0921 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/11/06 12:46:46.0109 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/11/06 12:46:46.0296 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/11/06 12:46:46.0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/11/06 12:46:46.0703 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/11/06 12:46:46.0890 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/11/06 12:46:47.0187 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/11/06 12:46:47.0359 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/11/06 12:46:47.0531 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/11/06 12:46:47.0796 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/11/06 12:46:48.0406 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/11/06 12:46:48.0812 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2010/11/06 12:46:49.0171 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys 2010/11/06 12:46:49.0406 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/11/06 12:46:49.0656 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/11/06 12:46:49.0875 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/11/06 12:46:50.0281 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/11/06 12:46:50.0531 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/11/06 12:46:50.0843 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/11/06 12:46:51.0125 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/11/06 12:46:51.0359 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/11/06 12:46:51.0593 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/11/06 12:46:51.0859 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/11/06 12:46:52.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/11/06 12:46:52.0437 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/11/06 12:46:52.0656 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/11/06 12:46:52.0890 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/11/06 12:46:53.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/11/06 12:46:53.0343 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/11/06 12:46:53.0562 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/11/06 12:46:53.0765 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/11/06 12:46:54.0062 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/11/06 12:46:54.0281 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/11/06 12:46:54.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/11/06 12:46:54.0984 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/11/06 12:46:55.0187 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/11/06 12:46:55.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/11/06 12:46:55.0562 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/11/06 12:46:55.0906 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2010/11/06 12:46:56.0156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/11/06 12:46:56.0343 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/11/06 12:46:56.0671 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys 2010/11/06 12:46:56.0843 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/11/06 12:46:57.0250 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/11/06 12:46:57.0390 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/11/06 12:47:01.0265 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/11/06 12:47:01.0562 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys 2010/11/06 12:47:01.0984 Ps2 (9b793a1ffd480155fe9ee5261153f21b) C:\WINDOWS\system32\DRIVERS\PS2.sys 2010/11/06 12:47:02.0281 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/11/06 12:47:02.0625 PSINAflt (469943fb4398df5662dd5d06193c0bb0) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys 2010/11/06 12:47:03.0156 PSINFile (d5c75c5238c52f0c664d23a7ffe38a5c) C:\WINDOWS\system32\DRIVERS\PSINFile.sys 2010/11/06 12:47:03.0500 PSINKNC (3942d3cfab0545f599e6eff2b8a1aad2) C:\WINDOWS\system32\DRIVERS\psinknc.sys 2010/11/06 12:47:04.0000 PSINProc (d3730032f61fca2d2ae6a2daf90347b1) C:\WINDOWS\system32\DRIVERS\PSINProc.sys 2010/11/06 12:47:04.0328 PSINProt (7803cb196f872c7e359c5c71e0a9ac69) C:\WINDOWS\system32\DRIVERS\PSINProt.sys 2010/11/06 12:47:04.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/11/06 12:47:05.0156 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/11/06 12:47:06.0468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/11/06 12:47:06.0734 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/11/06 12:47:07.0046 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/11/06 12:47:07.0390 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/11/06 12:47:07.0625 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/11/06 12:47:07.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/11/06 12:47:08.0171 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/11/06 12:47:08.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/11/06 12:47:09.0312 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 2010/11/06 12:47:09.0687 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/11/06 12:47:09.0921 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/11/06 12:47:10.0078 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/11/06 12:47:10.0296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2010/11/06 12:47:10.0843 SiS315 (509d96916c7d9218e4083940b8711b9b) C:\WINDOWS\system32\DRIVERS\sisgrp.sys 2010/11/06 12:47:11.0109 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys 2010/11/06 12:47:11.0468 SiSkp (2c921a4cce0b3eb372ebf448939fa3bf) C:\WINDOWS\system32\DRIVERS\srvkp.sys 2010/11/06 12:47:11.0765 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys 2010/11/06 12:47:12.0218 smserial (bc871f7565c714252e836234043f77a5) C:\WINDOWS\system32\DRIVERS\smserial.sys 2010/11/06 12:47:13.0250 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/11/06 12:47:13.0593 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/11/06 12:47:13.0921 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/11/06 12:47:14.0265 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 2010/11/06 12:47:14.0625 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/11/06 12:47:14.0937 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/11/06 12:47:16.0906 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/11/06 12:47:17.0671 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/11/06 12:47:18.0875 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/11/06 12:47:19.0593 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/11/06 12:47:20.0234 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/11/06 12:47:21.0781 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/11/06 12:47:24.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/11/06 12:47:26.0375 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/11/06 12:47:27.0062 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/11/06 12:47:27.0421 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2010/11/06 12:47:28.0171 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/11/06 12:47:28.0765 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/11/06 12:47:29.0437 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/11/06 12:47:30.0140 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2010/11/06 12:47:30.0671 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/11/06 12:47:31.0265 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/11/06 12:47:32.0281 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/11/06 12:47:32.0953 ================================================================================ 2010/11/06 12:47:32.0953 Scan finished 2010/11/06 12:47:32.0953 ================================================================================ 2010/11/06 12:47:32.0968 Detected object count: 1 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\services\AFD - will be deleted after reboot 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet001\control\safeboot\Network\AFD - will be deleted after reboot 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet002\services\AFD - will be deleted after reboot 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet002\control\safeboot\Network\AFD - will be deleted after reboot 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet003\services\AFD - will be deleted after reboot 2010/11/06 12:47:40.0875 HKLM\SYSTEM\ControlSet003\control\safeboot\Network\AFD - will be deleted after reboot 2010/11/06 12:47:40.0890 C:\WINDOWS\System32\drivers\afd.sys - will be deleted after reboot 2010/11/06 12:47:40.0890 Forged file(AFD) - User select action: Delete 2010/11/06 12:47:44.0265 Deinitialize success
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.