fdgloworm
Everything posted by fdgloworm

  1. Hello. I recently got my computer back, and things are not running as smoothly as they did before. The system itself seems to be functioning okay, but certain programs, and Internet Explorer, are running slower than they did, and for some reason the system has rebooted itself several times. I don't know what was being done when the system rebooted, as I was not home at the time; my wife was on the computer. I have posted the MBAM, DDS, and GMER logs in this post and have attached the zip file of ARK.txt and ATTACH.txt.

     MBAM:

     Malwarebytes' Anti-Malware 1.51.2.1300
     www.malwarebytes.org

     Database version: 7797

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     9/25/2011 5:50:57 PM
     mbam-log-2011-09-25 (17-50-57).txt

     Scan type: Full scan (C:\|)
     Objects scanned: 227558
     Time elapsed: 1 hour(s), 16 minute(s), 58 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     DDS:

     .
     DDS (Ver_2011-08-26.01) - NTFSx86
     Internet Explorer: 8.0.6001.18702
     Run by Acton at 17:57:12 on 2011-09-25
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2712 [GMT -4:00]
     .
     AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\RTHDCPL.EXE
     C:\WINDOWS\system32\RunDLL32.exe
     C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
     C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
     C:\Program Files\Real\RealPlayer\update\realsched.exe
     C:\WINDOWS\system32\ctfmon.exe
     svchost.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://www.comcast.net/
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     uDefault_Search_URL = hxxp://www.google.com/ie
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
     BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
     TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [RTHDCPL] RTHDCPL.EXE
     mRun: [skyTel] SkyTel.EXE
     mRun: [Alcmtr] ALCMTR.EXE
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
     mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
     mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
     mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
     mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
     StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Reboot.exe
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1315696631359
     TCP: DhcpNameServer = 192.168.1.254
     TCP: Interfaces\{1DA8FD69-5DFB-43A9-A714-E1BC09AD913E} : DhcpNameServer = 192.168.1.254
     .
     ============= SERVICES / DRIVERS ===============
     .
     R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]
     R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
     R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-10 2255464]
     R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143752]
     R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
     R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
     R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]
     .
     =============== Created Last 30 ================
     .
     2011-09-25 20:31:57 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
     2011-09-25 20:31:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2011-09-22 10:43:16 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
     2011-09-15 08:35:52 -------- d-----w- c:\program files\common files\xing shared
     2011-09-15 08:35:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
     2011-09-15 05:27:25 -------- d-----w- c:\program files\EA GAMES
     2011-09-14 22:55:05 442368 ----a-r- c:\windows\system32\vp6vfw.dll
     2011-09-14 15:11:33 -------- d-----w- c:\documents and settings\acton\local settings\application data\LEGO Software
     2011-09-14 15:04:27 -------- d-----w- c:\documents and settings\acton\local settings\application data\Chromium
     2011-09-14 15:04:14 -------- d-----w- c:\program files\LEGO Software
     2011-09-14 15:03:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
     2011-09-14 15:03:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
     2011-09-14 15:03:48 1060864 ----a-w- c:\windows\system32\mfc71.dll
     2011-09-12 01:51:24 -------- d-----w- C:\lj1010 series
     2011-09-12 00:44:53 -------- d-----w- c:\windows\system32\GroupPolicy
     2011-09-11 08:54:39 -------- d-sh--w- c:\documents and settings\acton\IECompatCache
     2011-09-11 08:19:15 -------- d-----w- c:\documents and settings\acton\local settings\application data\Temp
     2011-09-11 06:57:16 -------- d-----w- c:\documents and settings\acton\local settings\application data\Google
     2011-09-11 00:45:52 -------- d-----w- c:\documents and settings\acton\application data\Panda Security
     2011-09-11 00:44:34 -------- d-----w- c:\program files\Toolbar Cleaner
     2011-09-11 00:44:33 -------- d-----w- c:\documents and settings\acton\local settings\application data\panda2_0dn
     2011-09-11 00:44:31 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering
     2011-09-11 00:44:30 -------- d-----w- c:\documents and settings\acton\application data\pandasecuritytb
     2011-09-11 00:43:45 -------- d-----w- c:\program files\Panda Security
     2011-09-11 00:43:45 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
     2011-09-11 00:43:16 -------- d-----w- C:\temp
     2011-09-11 00:24:34 -------- d-----w- c:\documents and settings\acton\application data\Malwarebytes
     2011-09-11 00:24:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
     2011-09-11 00:20:07 -------- d-sh--w- c:\documents and settings\acton\PrivacIE
     2011-09-11 00:15:19 -------- d-sh--w- c:\documents and settings\acton\IETldCache
     2011-09-11 00:06:59 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
     2011-09-11 00:06:44 -------- d-----w- c:\windows\ie8updates
     2011-09-11 00:06:39 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
     2011-09-11 00:06:39 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
     2011-09-11 00:06:39 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
     2011-09-11 00:06:39 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
     2011-09-11 00:06:39 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
     2011-09-11 00:06:39 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     2011-09-11 00:06:39 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
     2011-09-11 00:05:42 -------- dc-h--w- c:\windows\ie8
     2011-09-11 00:00:38 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
     2011-09-11 00:00:38 -------- d-----w- c:\windows\system32\ReinstallBackups
     2011-09-10 23:52:59 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
     2011-09-10 23:51:28 -------- d-----w- c:\windows\Logs
     2011-09-10 23:49:34 -------- d-----w- c:\windows\system32\Adobe
     2011-09-10 23:47:41 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
     2011-09-10 23:47:41 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
     2011-09-10 23:47:41 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
     2011-09-10 23:47:40 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
     2011-09-10 23:46:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
     2011-09-10 23:45:32 -------- d-----w- c:\documents and settings\acton\local settings\application data\Adobe
     2011-09-10 23:39:26 423936 ----a-w- c:\windows\system32\wgatray.exe.bak
     2011-09-10 23:39:26 220672 ----a-w- c:\windows\system32\wgalogon.dll.bak
     2011-09-10 23:38:24 -------- d-----w- c:\documents and settings\acton\application data\Philipp Winterberg
     2011-09-10 23:20:08 26144 ----a-w- c:\windows\system32\spupdsvc.exe
     2011-09-10 23:20:08 -------- d-----w- c:\windows\system32\PreInstall
     2011-09-10 23:20:07 -------- d--h--w- c:\windows\$hf_mig$
     2011-09-10 23:18:18 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
     2011-09-10 23:18:17 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
     2011-09-10 23:18:17 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
     2011-09-10 23:18:17 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
     2011-09-10 23:18:17 -------- d-----w- c:\windows\system32\SoftwareDistribution
     2011-09-10 23:17:08 -------- d-sh--w- c:\documents and settings\acton\UserData
     2011-09-10 23:12:06 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
     2011-09-10 23:08:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-09-10 23:05:10 -------- d-----w- c:\windows\system32\Lang
     2011-09-10 23:01:59 2165760 ------r- c:\windows\MicCal.exe
     2011-09-10 23:01:59 16380416 ------r- c:\windows\RTHDCPL.exe
     2011-09-10 23:01:57 69632 ------r- c:\windows\Alcmtr.exe
     2011-09-10 23:01:57 2808832 ------r- c:\windows\alcwzrd.exe
     2011-09-10 23:01:56 299008 ------r- c:\windows\system32\ALSndMgr.cpl
     2011-09-10 23:01:56 -------- d-----w- c:\program files\Realtek
     2011-09-10 23:01:51 520192 ------r- c:\windows\RtlExUpd.dll
     2011-09-10 23:01:51 315392 ----a-w- c:\windows\HideWin.exe
     .
     ==================== Find3M ====================
     .
     2011-09-10 23:11:53 280276 ----a-w- c:\windows\system32\nvdrsdb0.bin
     2011-09-10 23:11:53 1 ----a-w- c:\windows\system32\nvdrssel.bin
     2011-09-10 23:11:50 280276 ----a-w- c:\windows\system32\nvdrsdb1.bin
     2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
     2011-08-01 11:23:20 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
     2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
     .
     ============= FINISH: 17:57:37.71 ===============

     GMER:

     GMER 1.0.15.15641 - http://www.gmer.net
     Rootkit scan 2011-09-25 18:54:27
     Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-17 SAMSUNG_SP0411C rev.UU100-05
     Running: dew0w652.exe; Driver: C:\DOCUME~1\Acton\LOCALS~1\Temp\pxtdapob.sys

     ---- System - GMER 1.0.15 ----

     SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xB170B416]

     ---- Kernel code sections - GMER 1.0.15 ----

     .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6D403A0, 0x8A1A15, 0xE8000020]
     ? C:\DOCUME~1\Acton\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

     ---- User code sections - GMER 1.0.15 ----

     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EC0001
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1048] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
     .text C:\Program Files\Real\RealPlayer\update\realsched.exe[2036] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01540001
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A20F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 719F0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!send 71AB4C27 6 Bytes JMP 719C0F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71930F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!recv 71AB676F 6 Bytes JMP 71990F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71960F5A
     .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] ws2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71900F5A

     ---- EOF - GMER 1.0.15 ----

     And the two attached files. I see a lot of items in the GMER, especially items like USER32.dll!SetWindowsHookExW, that have me very concerned. Are these all normal entries for Internet Explorer?

     Aaron

     attach.zip
  2. Thank you for your time, Screen317. Unfortunately, my coworker wanted his computer back and did not want to take the time to finish cleaning it. I could not convince him otherwise. This thread is not active anymore. I will start a new thread for my home machine, to troubleshoot but also to learn how to move through this process faster, as I think my pace was not fast enough for my coworker.

     Aaron
  3. Thank you, Screen317. I appreciate it. Here is the tdss log you requested.

     2011/09/15 16:32:28.0328 3120 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
     2011/09/15 16:32:28.0843 3120 ================================================================================
     2011/09/15 16:32:28.0843 3120 SystemInfo:
     2011/09/15 16:32:28.0843 3120
     2011/09/15 16:32:28.0843 3120 OS Version: 5.1.2600 ServicePack: 3.0
     2011/09/15 16:32:28.0843 3120 Product type: Workstation
     2011/09/15 16:32:28.0843 3120 ComputerName: TOUGHTURFCPU
     2011/09/15 16:32:28.0843 3120 UserName: Carlos Soto
     2011/09/15 16:32:28.0843 3120 Windows directory: C:\WINDOWS
     2011/09/15 16:32:28.0843 3120 System windows directory: C:\WINDOWS
     2011/09/15 16:32:28.0843 3120 Processor architecture: Intel x86
     2011/09/15 16:32:28.0843 3120 Number of processors: 2
     2011/09/15 16:32:28.0843 3120 Page size: 0x1000
     2011/09/15 16:32:28.0843 3120 Boot type: Normal boot
     2011/09/15 16:32:28.0843 3120 ================================================================================
     2011/09/15 16:32:32.0093 3120 Initialize success
     2011/09/15 16:32:36.0968 0192 ================================================================================
     2011/09/15 16:32:36.0968 0192 Scan started
     2011/09/15 16:32:36.0968 0192 Mode: Manual;
     2011/09/15 16:32:36.0968 0192 ================================================================================
     2011/09/15 16:32:41.0265 0192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/09/15 16:32:41.0406 0192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
     2011/09/15 16:32:41.0546 0192 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
     2011/09/15 16:32:41.0656 0192 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
     2011/09/15 16:32:41.0828 0192 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
     2011/09/15 16:32:42.0000 0192 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
     2011/09/15 16:32:42.0703 0192 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
     2011/09/15 16:32:43.0046 0192 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/09/15 16:32:43.0171 0192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/09/15 16:32:43.0406 0192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
     2011/09/15 16:32:43.0546 0192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
     2011/09/15 16:32:43.0765 0192 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
     2011/09/15 16:32:43.0921 0192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
     2011/09/15 16:32:44.0046 0192 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
     2011/09/15 16:32:44.0062 0192 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
     2011/09/15 16:32:44.0281 0192 CAMCAUD (5a94e9d6e2716e38183959d8f4c2a5a9) C:\WINDOWS\system32\drivers\camcaud.sys
     2011/09/15 16:32:44.0421 0192 CAMCHALA (e7e737bc125d6beb50669ff4b61ced19) C:\WINDOWS\system32\drivers\camchal.sys
     2011/09/15 16:32:44.0609 0192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
     2011/09/15 16:32:44.0703 0192 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
     2011/09/15 16:32:44.0906 0192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
     2011/09/15 16:32:44.0984 0192 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
     2011/09/15 16:32:45.0187 0192 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2011/09/15 16:32:45.0375 0192 CE3 (6d63e366d96494336f375ff155d47ab3) C:\WINDOWS\system32\DRIVERS\ce3n5.sys
     2011/09/15 16:32:45.0531 0192 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
     2011/09/15 16:32:45.0718 0192 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
     2011/09/15 16:32:46.0109 0192 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
     2011/09/15 16:32:46.0265 0192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
     2011/09/15 16:32:46.0468 0192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
     2011/09/15 16:32:46.0593 0192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
     2011/09/15 16:32:46.0765 0192 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
     2011/09/15 16:32:47.0000 0192 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
     2011/09/15 16:32:47.0109 0192 eabfiltr (3020c34ffdadfd69004570f88ff44b33) C:\WINDOWS\System32\drivers\EABFiltr.sys
     2011/09/15 16:32:47.0234 0192 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys
     2011/09/15 16:32:47.0453 0192 EMCR (7f07571f50353b42e6a2d93f07bec118) C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys
     2011/09/15 16:32:47.0609 0192 ENECBPTH (1fec25c49afbc34accbf3dc53031affe) C:\WINDOWS\system32\drivers\ENECBPTH.sys
     2011/09/15 16:32:47.0765 0192 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
     2011/09/15 16:32:47.0921 0192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
     2011/09/15 16:32:47.0984 0192 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
     2011/09/15 16:32:48.0093 0192 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
     2011/09/15 16:32:48.0328 0192 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
     2011/09/15 16:32:48.0484 0192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
     2011/09/15 16:32:49.0265 0192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
     2011/09/15 16:32:49.0406 0192 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
     2011/09/15 16:32:49.0531 0192 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     2011/09/15 16:32:49.0781 0192 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
     2011/09/15 16:32:50.0000 0192 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
     2011/09/15 16:32:50.0140 0192 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
     2011/09/15 16:32:50.0281 0192 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
     2011/09/15 16:32:50.0421 0192 HSFHWICH (2d9f10d6e7baa20c4526ce6a16444581) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
     2011/09/15 16:32:50.0562 0192 HSF_DP (2d566a7f0b4c54b417ac637cb608444b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
     2011/09/15 16:32:50.0781 0192 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
     2011/09/15 16:32:51.0062 0192 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
     2011/09/15 16:32:51.0187 0192 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
     2011/09/15 16:32:51.0359 0192 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
     2011/09/15 16:32:51.0546 0192 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
     2011/09/15 16:32:51.0843 0192 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
     2011/09/15 16:32:52.0000 0192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
     2011/09/15 16:32:52.0140 0192 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
     2011/09/15 16:32:52.0281 0192 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
     2011/09/15 16:32:52.0437 0192 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
     2011/09/15 16:32:52.0546 0192 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
     2011/09/15 16:32:52.0609 0192 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
     2011/09/15 16:32:52.0765 0192 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
     2011/09/15 16:32:52.0828 0192 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
     2011/09/15 16:32:53.0015 0192 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
     2011/09/15 16:32:53.0140 0192 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
     2011/09/15 16:32:53.0234 0192 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
     2011/09/15 16:32:53.0421 0192 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
     2011/09/15 16:32:53.0718 0192 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
     2011/09/15 16:32:53.0859 0192 mdmxsdk (b72d7ea394d5f1c5053368783ad7f7ed) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
     2011/09/15 16:32:54.0062 0192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
     2011/09/15 16:32:54.0203 0192 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
     2011/09/15 16:32:54.0265 0192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
     2011/09/15 16:32:54.0546 0192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
     2011/09/15 16:32:54.0687 0192 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
     2011/09/15 16:32:54.0812 0192 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
     2011/09/15 16:32:54.0937 0192 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
     2011/09/15 16:32:55.0156 0192 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
     2011/09/15 16:32:55.0343 0192 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
     2011/09/15 16:32:55.0437 0192 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
     2011/09/15 16:32:55.0531 0192 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
     2011/09/15 16:32:55.0625 0192 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
     2011/09/15 16:32:55.0750 0192 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
     2011/09/15 16:32:55.0875 0192 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
     2011/09/15 16:32:56.0093 0192 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
     2011/09/15 16:32:56.0265 0192 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
     2011/09/15 16:32:56.0375 0192 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
     2011/09/15 16:32:57.0187 0192 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
     2011/09/15 16:32:57.0312 0192 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
     2011/09/15 16:32:57.0437 0192 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
     2011/09/15 16:32:57.0562 0192 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
     2011/09/15 16:32:57.0703 0192 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
     2011/09/15 16:32:57.0812 0192 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
     2011/09/15 16:32:58.0000 0192 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
     2011/09/15 16:32:58.0140 0192 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
     2011/09/15 16:32:58.0281 0192 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
     2011/09/15 16:32:58.0468 0192 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
     2011/09/15 16:32:58.0656 0192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
     2011/09/15 16:32:58.0921 0192 nv (06500516671f54f74672d99a6b26950d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
     2011/09/15 16:32:59.0125 0192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
     2011/09/15 16:32:59.0250 0192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
     2011/09/15 16:32:59.0406 0192 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
     2011/09/15 16:32:59.0640 0192 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
     2011/09/15 16:32:59.0750 0192 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
     2011/09/15 16:32:59.0890 0192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
     2011/09/15 16:33:00.0031 0192 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
     2011/09/15 16:33:00.0187 0192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
     2011/09/15 16:33:00.0312 0192 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
     2011/09/15 16:33:01.0015 0192 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
     2011/09/15 16:33:01.0234 0192 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
     2011/09/15 16:33:01.0406 0192 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
     2011/09/15 16:33:01.0546 0192 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
     2011/09/15 16:33:01.0656 0192 PSINAflt (9abf1d1da5afaaaa41fcbd940aa2e844) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys
     2011/09/15 16:33:01.0734 0192 PSINFile (5bab5fb4cb1963f643a1a8b4d816cf8f) C:\WINDOWS\system32\DRIVERS\PSINFile.sys
     2011/09/15 16:33:01.0781 0192 PSINKNC (0518f472a69249e18612e29278bd58ec) C:\WINDOWS\system32\DRIVERS\psinknc.sys
     2011/09/15 16:33:01.0859 0192 PSINProc (87b2fe6d7b427947541360f48c302054) C:\WINDOWS\system32\DRIVERS\PSINProc.sys
     2011/09/15 16:33:01.0921 0192 PSINProt (f4804beb5ff6741019b56a02ead4d3b7) C:\WINDOWS\system32\DRIVERS\PSINProt.sys
     2011/09/15 16:33:02.0062 0192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
     2011/09/15 16:33:02.0218 0192 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
     2011/09/15 16:33:02.0781 0192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
     2011/09/15 16:33:02.0921 0192 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
     2011/09/15 16:33:03.0062 0192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
     2011/09/15 16:33:03.0218 0192 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
     2011/09/15 16:33:03.0359 0192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
     2011/09/15 16:33:03.0500 0192 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
     2011/09/15 16:33:03.0750 0192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
     2011/09/15 16:33:03.0890 0192 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
     2011/09/15 16:33:04.0015 0192 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
     2011/09/15 16:33:04.0390 0192 RTL8023 (d88f6c53b637abe4c23de29db40a9f05) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
     2011/09/15 16:33:04.0515 0192 rtl8139 (d507c1400284176573224903819ffda3)
C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 2011/09/15 16:33:04.0750 0192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/09/15 16:33:04.0890 0192 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/09/15 16:33:05.0015 0192 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/09/15 16:33:05.0250 0192 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2011/09/15 16:33:05.0593 0192 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/09/15 16:33:05.0953 0192 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/09/15 16:33:06.0093 0192 SQTECH913D (1bd690b1be4c70107a48d73a7def6024) C:\WINDOWS\system32\Drivers\Capt913D.sys 2011/09/15 16:33:06.0281 0192 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys 2011/09/15 16:33:06.0484 0192 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/09/15 16:33:06.0781 0192 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys 2011/09/15 16:33:06.0984 0192 StreamDispatcher (3e5aa17e13fba9969d17b5455bde8efd) C:\WINDOWS\system32\DRIVERS\strmdisp.sys 2011/09/15 16:33:07.0218 0192 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/09/15 16:33:07.0375 0192 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/09/15 16:33:07.0546 0192 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/09/15 16:33:08.0109 0192 SynTP (0c1762fef34b265498ef2f3bef7f1d64) C:\WINDOWS\system32\DRIVERS\SynTP.sys 2011/09/15 16:33:08.0343 0192 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/09/15 16:33:08.0562 0192 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/09/15 16:33:08.0828 0192 Tcpip6 
(4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys 2011/09/15 16:33:08.0937 0192 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/09/15 16:33:09.0125 0192 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/09/15 16:33:09.0234 0192 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/09/15 16:33:10.0343 0192 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys 2011/09/15 16:33:10.0437 0192 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/09/15 16:33:10.0656 0192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/09/15 16:33:10.0859 0192 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys 2011/09/15 16:33:11.0062 0192 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/09/15 16:33:11.0218 0192 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/09/15 16:33:11.0359 0192 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/09/15 16:33:11.0562 0192 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/09/15 16:33:11.0671 0192 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/09/15 16:33:11.0796 0192 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/09/15 16:33:11.0890 0192 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/09/15 16:33:12.0015 0192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/09/15 16:33:12.0093 0192 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/09/15 16:33:12.0234 0192 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/09/15 16:33:12.0406 0192 
Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/15 16:33:12.0546 0192 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/15 16:33:12.0687 0192 winachsf (88a5f20c6c221e50f01c00d8235db8c4) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/09/15 16:33:12.0875 0192 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/09/15 16:33:13.0000 0192 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/15 16:33:13.0093 0192 MBR (0x1B8) (fa77ac5cf1ecfef0c3c51e42cd2557f5) \Device\Harddisk0\DR0
2011/09/15 16:33:13.0109 0192 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/15 16:33:13.0125 0192 Boot (0x1200) (aded37a154c467c15d40c6079bf0b331) \Device\Harddisk0\DR0\Partition0
2011/09/15 16:33:13.0125 0192 ================================================================================
2011/09/15 16:33:13.0125 0192 Scan finished
2011/09/15 16:33:13.0125 0192 ================================================================================
2011/09/15 16:33:13.0156 3004 Detected object count: 1
2011/09/15 16:33:13.0156 3004 Actual detected object count: 1
2011/09/15 16:35:47.0703 3004 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/15 16:35:47.0812 3004 \Device\Harddisk0\DR0 - ok
2011/09/15 16:35:47.0812 3004 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/15 16:38:27.0875 1912 Deinitialize success

And a new ComboFix.txt file:

ComboFix 11-09-15.05 - Carlos Soto 09/15/2011 17:57:45.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.249 [GMT -4:00]
Running from: c:\documents and settings\Carlos Soto\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
.
.
2011-09-15 20:24 .
2011-09-15 20:24 -------- d-----w- C:\tdsskller 2011-09-13 04:05 . 2011-09-13 04:05 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\WinZip 2011-09-13 03:58 . 2011-09-13 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip 2011-09-12 18:25 . 2011-09-12 18:25 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Malwarebytes 2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-09-12 18:23 . 2011-09-13 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-09-12 18:23 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll 2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll 2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys 2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys 2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys 2011-09-12 01:29 . 2011-09-12 01:29 -------- d-----w- c:\windows\system32\GroupPolicy 2011-09-11 15:29 . 2011-09-11 15:29 249338 ----a-w- c:\windows\cc_20110911_112905.reg 2011-09-11 15:21 . 2011-09-11 15:21 -------- d-----w- c:\program files\CCleaner 2011-09-11 00:58 . 2011-09-11 00:58 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Panda Security 2011-09-11 00:56 . 2011-09-11 01:40 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\panda2_0dn 2011-09-11 00:56 . 2011-09-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering 2011-09-11 00:56 . 
2011-09-11 15:01 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\pandasecuritytb 2011-09-11 00:55 . 2011-09-11 00:56 -------- d-----w- c:\program files\Panda Security 2011-09-11 00:55 . 2011-09-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2011-09-11 00:32 . 2011-09-11 00:32 -------- d-----w- c:\windows\system32\LogFiles 2011-09-10 20:48 . 2011-09-10 20:49 -------- d-----w- c:\documents and settings\Administrator.TOUGHTURFCPU 2011-09-03 17:22 . 2011-09-03 17:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll 2011-08-27 22:59 . 2011-08-27 22:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2011-08-21 17:19 . 2011-08-21 17:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\HP . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-09-03 10:17 . 2003-05-03 09:39 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-08-01 11:23 . 2011-08-01 11:23 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys 2011-07-15 13:29 . 2003-03-31 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-07-08 14:02 . 2003-03-31 02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys 2011-06-24 14:10 . 2003-03-31 02:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll 2011-06-23 18:36 . 2003-03-31 02:00 43520 ------w- c:\windows\system32\licmgr10.dll 2011-06-23 18:36 . 2003-03-31 02:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec 2011-06-20 17:44 . 2003-03-31 02:00 293376 ----a-w- c:\windows\system32\winsrv.dll 2002-05-20 09:57 . 
2004-09-15 18:20 24629 ----a-w- c:\program files\tx2for32.usa 2001-11-14 11:40 . 2004-09-15 18:20 102453 ----a-w- c:\program files\pr2frm32.usa . . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2003-08-19 08:01 . 2003-08-19 08:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe . 2003-11-10 07:30 . 2003-11-10 07:30 70816 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe . 2003-06-25 18:24 . 2003-06-25 18:24 49152 c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe . 2002-10-07 07:23 . 2002-10-07 07:23 90112 c:\program files\HP\Digital Imaging\Unload\bak\hpqcmon.exe . 2002-04-17 17:42 . 2002-04-17 17:42 69632 c:\program files\HP\HP Share-to-Web\bak\hpgs2wnd.exe . 2003-05-03 09:12 . 2003-11-18 13:31 241664 c:\program files\HPQ\Quick Launch Buttons\bak\EabServr.exe 2010-10-28 17:40 . 2003-11-18 13:31 241664 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe . 2004-01-16 19:16 . 2004-01-16 19:16 229376 c:\program files\iTunes\bak\iTunesHelper.exe 2010-12-13 22:16 . 2010-12-13 22:16 421160 c:\program files\iTunes\iTunesHelper.exe . 2007-10-23 01:29 . 2007-11-08 13:12 204 c:\program files\iTunes\bak\iTunesHelperAppLog.txt . 2003-05-03 08:50 . 2003-05-03 08:50 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2010-10-28 17:50 . 2010-10-28 17:50 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe . 2003-05-03 09:06 . 2003-05-03 09:06 98304 c:\program files\QuickTime\bak\qttask.exe 2010-11-29 22:38 . 2010-11-29 22:38 421888 c:\program files\QuickTime\QTTask.exe . 2004-08-15 17:32 . 2004-08-15 17:32 26112 c:\program files\Real\RealPlayer\bak\RealPlay.exe 2010-02-02 22:33 . 2010-02-02 22:33 222728 c:\program files\Real\RealPlayer\realplay.exe . 2003-05-03 09:19 . 2003-07-15 19:08 618496 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe 2003-05-03 09:19 . 2003-07-15 19:08 618496 c:\program files\Synaptics\SynTP\SynTPEnh.exe . 
2003-05-03 09:19 . 2003-07-15 19:09 110592 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe 2003-05-03 09:19 . 2003-07-15 19:09 110592 c:\program files\Synaptics\SynTP\SynTPLpr.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}] 2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696] . [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496] "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616] "Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-05-17 231592] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "navapsvc"=2 (0x2) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CCleaner\\CCleaner.exe"= "c:\\Program Files\\Panda Security\\Panda Cloud Antivirus\\PSUNMain.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\WINDOWS\\system32\\lxeccoms.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= . R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992] R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?] 
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/1/2011 4:59 PM 193192] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 2:23 PM 366152] R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608] R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [8/1/2011 7:23 AM 143752] R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096] R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688] R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456] R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 2:23 PM 22216] S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664] S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [11/21/2007 10:46 PM 29696] S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 8:21 AM 92592] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC . Contents of the 'Scheduled Tasks' folder . 2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50] . 2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24] . 
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24] . 2011-06-07 c:\windows\Tasks\WebReg .job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-05-22 01:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com TCP: DhcpNameServer = 68.87.72.134 68.87.77.134 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Carlos Soto\Application Data\Mozilla\Firefox\Profiles\7nbi8z24.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p= FF - prefs.js: network.proxy.type - 4 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Google Toolbar for Firefox: 
{3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-15 18:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-09-15 18:14:41
ComboFix-quarantined-files.txt 2011-09-15 22:14
ComboFix2.txt 2011-09-13 02:14
.
Pre-Run: 59,689,119,744 bytes free
Post-Run: 59,816,394,752 bytes free
.
- - End Of File - - 47C5BDA58E3C23C41B42845E2F9A94F8

And the new DDS log with the attach.txt in a zip file and attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Carlos Soto at 19:27:16 on 2011-09-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.206 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\WINDOWS\system32\svchost.exe -k HPService C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxecserv.exe C:\WINDOWS\system32\lxeccoms.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe" mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{1E5CC9EF-5BA4-4000-9099-399F01BDA9D8} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{667ACA36-51A1-4814-B620-43E56FB896B0} : DhcpNameServer = 68.87.72.134 68.87.77.134
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-7-1 193192]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-11-21 29696]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
.
=============== Created Last 30 ================
.
2011-09-15 20:24:04 -------- d-----w- C:\tdsskller
2011-09-13 04:05:00 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\WinZip
2011-09-13 01:07:23 -------- d-sha-r- C:\cmdcons
2011-09-13 00:59:14 98816 ----a-w- c:\windows\sed.exe
2011-09-13 00:59:14 518144 ----a-w- c:\windows\SWREG.exe
2011-09-13 00:59:14 256000 ----a-w- c:\windows\PEV.exe
2011-09-13 00:59:14 208896 ----a-w- c:\windows\MBR.exe
2011-09-12 18:25:19 -------- d-----w- c:\documents and settings\carlos soto\application data\Malwarebytes
2011-09-12 18:23:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-12 18:23:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-12 18:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-09-12 01:29:16 -------- d-----w- c:\windows\system32\GroupPolicy
2011-09-11 15:29:27 249338 ----a-w- c:\windows\cc_20110911_112905.reg
2011-09-11 15:21:05 -------- d-----w- c:\program files\CCleaner
2011-09-11 00:58:07 -------- d-----w- c:\documents and settings\carlos soto\application data\Panda Security
2011-09-11 00:56:43 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\panda2_0dn
2011-09-11 00:56:39 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering
2011-09-11 00:56:18 -------- d-----w- c:\documents and settings\carlos soto\application data\pandasecuritytb
2011-09-11 00:55:15 -------- d-----w- c:\program files\Panda Security
2011-09-11 00:55:15 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2011-09-11 00:32:50 -------- d-----w- c:\windows\system32\LogFiles
2011-09-10 21:19:53 -------- d-----w- c:\windows\pss
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-01 11:23:20 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2002-05-20 09:57:58 24629 ----a-w- c:\program files\tx2for32.usa
2001-11-14 11:40:34 102453 ----a-w- c:\program files\pr2frm32.usa
.
============= FINISH: 19:27:53.89 ===============

attach.zip
  4. Hello, all. I am trying to clean a coworker's laptop and the infection is beyond my experience. I found another thread here, and followed the same steps as he was experiencing the same problem, but it didn't solve the problem. Here are the files as requested in your sticky post.

MBAM:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7702

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2011 4:36:48 PM
mbam-log-2011-09-12 (16-36-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 323207
Time elapsed: 1 hour(s), 38 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.TB (Adware.Admedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.TB.1 (Adware.Admedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\program files\winbudget (Adware.Admedia) -> Quarantined and deleted successfully.
c:\program files\winbudget\bin (Adware.Admedia) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\defender.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\danielle soto\my documents\downloads\IWON(2).exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\documents and settings\danielle soto\my documents\downloads\IWON.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\program files\panda security\panda cloud antivirus\lostandfound\a0330245.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{970bf179-4538-46f7-a171-f13cfc09440b}\rp1\a0000002.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{970bf179-4538-46f7-a171-f13cfc09440b}\rp1\a0000003.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\148.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\windows\temp\wpbt0.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\danielle soto\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\danielle soto\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\winbudget\bin\matrix.dat (Adware.Admedia) -> Quarantined and deleted successfully.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Carlos Soto at 22:46:56 on 2011-09-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.92 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxecserv.exe
C:\WINDOWS\system32\lxeccoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{1E5CC9EF-5BA4-4000-9099-399F01BDA9D8} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{667ACA36-51A1-4814-B620-43E56FB896B0} : DhcpNameServer = 68.87.72.134 68.87.77.134
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-7-1 193192]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366640]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143752]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22712]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-12 41272]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-11-21 29696]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
.
=============== Created Last 30 ================
.
2011-09-13 01:07:23 -------- d-sha-r- C:\cmdcons
2011-09-13 00:59:14 98816 ----a-w- c:\windows\sed.exe
2011-09-13 00:59:14 518144 ----a-w- c:\windows\SWREG.exe
2011-09-13 00:59:14 256000 ----a-w- c:\windows\PEV.exe
2011-09-13 00:59:14 208896 ----a-w- c:\windows\MBR.exe
2011-09-12 18:25:19 -------- d-----w- c:\documents and settings\carlos soto\application data\Malwarebytes
2011-09-12 18:23:44 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-12 18:23:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-12 18:23:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-12 18:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-09-12 01:29:16 -------- d-----w- c:\windows\system32\GroupPolicy
2011-09-11 15:29:27 249338 ----a-w- c:\windows\cc_20110911_112905.reg
2011-09-11 15:21:05 -------- d-----w- c:\program files\CCleaner
2011-09-11 00:58:07 -------- d-----w- c:\documents and settings\carlos soto\application data\Panda Security
2011-09-11 00:56:43 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\panda2_0dn
2011-09-11 00:56:39 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering
2011-09-11 00:56:18 -------- d-----w- c:\documents and settings\carlos soto\application data\pandasecuritytb
2011-09-11 00:55:15 -------- d-----w- c:\program files\Panda Security
2011-09-11 00:55:15 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2011-09-11 00:32:50 -------- d-----w- c:\windows\system32\LogFiles
2011-09-10 21:19:53 -------- d-----w- c:\windows\pss
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-01 11:23:20 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2002-05-20 09:57:58 24629 ----a-w- c:\program files\tx2for32.usa
2001-11-14 11:40:34 102453 ----a-w- c:\program files\pr2frm32.usa
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHT2080AT_PL rev.0022 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x827EE4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x827f58a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x827f5730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82B60AB8]
3 CLASSPNP[0xF85D6FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000087[0x82B503B8]
5 ACPI[0xF852D620] -> nt!IofCallDriver[0x804E13B9] -> [0x82B4FD98]
\Driver\atapi[0x82814D28] -> IRP_MJ_CREATE -> 0x827EE4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x827EE2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:49:56.00 ===============

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-12 23:16:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHT2080AT_PL rev.0022
Running: 3bcnhzer.exe; Driver: C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\fgriqfow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xF1E51416]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00DD000A
.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00DE000A
.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[1312] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E1000A
.text C:\Program Files\internet explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company) Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 827EE2E0 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 827EE2E0 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 827EE2E0 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 827EE2E0 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Classes\{A38D32BB-D6BD-4f94-8440-4256C5AD0899}@SN BCD86378-D3E8-4ED5-A0FF-AE619ACC25FC ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior ---- EOF - GMER 1.0.15 ---- Also ComboFix: ComboFix 11-09-12.04 - Carlos Soto 09/12/2011 21:37:18.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.111 [GMT -4:00] Running from: c:\documents and settings\Carlos Soto\My Documents\Downloads\ComboFix.exe AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory\MBKInstaller.exe.7de71b57.ini c:\documents and settings\Carlos Soto\Local Settings\Application Data\ApplicationHistory c:\documents and settings\Carlos Soto\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini c:\documents and settings\Carlos Soto\WINDOWS c:\documents and settings\Danielle Soto\WINDOWS c:\program files\messenger\msmsgsin.exe c:\windows\help\wmplayer.bak c:\windows\system32\drivers\OCA_LOG.TXT . 
Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe . . ((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 ))))))))))))))))))))))))))))))) . . 2011-09-12 18:25 . 2011-09-12 18:25 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Malwarebytes 2011-09-12 18:23 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-09-12 18:23 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll 2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll 2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys 2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys 2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys 2011-09-12 01:29 . 2011-09-12 01:29 -------- d-----w- c:\windows\system32\GroupPolicy 2011-09-11 15:29 . 2011-09-11 15:29 249338 ----a-w- c:\windows\cc_20110911_112905.reg 2011-09-11 15:21 . 2011-09-11 15:21 -------- d-----w- c:\program files\CCleaner 2011-09-11 00:58 . 2011-09-11 00:58 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Panda Security 2011-09-11 00:56 . 2011-09-11 01:40 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\panda2_0dn 2011-09-11 00:56 . 2011-09-13 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering 2011-09-11 00:56 . 
2011-09-11 15:01 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\pandasecuritytb 2011-09-11 00:55 . 2011-09-11 00:56 -------- d-----w- c:\program files\Panda Security 2011-09-11 00:55 . 2011-09-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security 2011-09-11 00:32 . 2011-09-11 00:32 -------- d-----w- c:\windows\system32\LogFiles 2011-09-10 20:48 . 2011-09-10 20:49 -------- d-----w- c:\documents and settings\Administrator.TOUGHTURFCPU 2011-09-03 17:22 . 2011-09-03 17:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll 2011-08-27 22:59 . 2011-08-27 22:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2011-08-21 17:19 . 2011-08-21 17:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\HP . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-09-03 10:17 . 2003-05-03 09:39 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-08-01 11:23 . 2011-08-01 11:23 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys 2011-07-15 13:29 . 2003-03-31 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-07-08 14:02 . 2003-03-31 02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys 2011-06-24 14:10 . 2003-03-31 02:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll 2011-06-23 18:36 . 2003-03-31 02:00 43520 ------w- c:\windows\system32\licmgr10.dll 2011-06-23 18:36 . 2003-03-31 02:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec 2011-06-20 17:44 . 2003-03-31 02:00 293376 ----a-w- c:\windows\system32\winsrv.dll 2002-05-20 09:57 . 
2004-09-15 18:20 24629 ----a-w- c:\program files\tx2for32.usa 2001-11-14 11:40 . 2004-09-15 18:20 102453 ----a-w- c:\program files\pr2frm32.usa . . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}] 2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696] . [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496] "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616] "Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-05-17 231592] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "navapsvc"=2 (0x2) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CCleaner\\CCleaner.exe"= "c:\\Program Files\\Panda Security\\Panda Cloud Antivirus\\PSUNMain.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\WINDOWS\\system32\\lxeccoms.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= . R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992] R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?] 
R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/1/2011 4:59 PM 193192] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 2:23 PM 366640] R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608] R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [8/1/2011 7:23 AM 143752] R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096] R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688] R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456] R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 2:23 PM 22712] S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/12/2011 2:23 PM 41272] S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [11/21/2007 10:46 PM 29696] S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 8:21 AM 92592] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC . Contents of the 'Scheduled Tasks' folder . 2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50] . 2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24] . 
2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24] . 2011-06-07 c:\windows\Tasks\WebReg .job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-05-22 01:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com TCP: DhcpNameServer = 68.87.72.134 68.87.77.134 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Carlos Soto\Application Data\Mozilla\Firefox\Profiles\7nbi8z24.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p= FF - prefs.js: network.proxy.type - 4 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Google Toolbar for Firefox: 
{3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) SafeBoot-mcmscsvc SafeBoot-MCODS . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-09-12 21:57 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: FUJITSU_MHT2080AT_PL rev.0022 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 . device: opened successfully user: MBR read successfully error: Read A device attached to the system is not functioning. kernel: MBR read successfully detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x829E12E0 user & kernel MBR OK . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2012) c:\windows\system32\WININET.dll c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\lxeccoms.exe c:\windows\System32\nvsvc32.exe . ************************************************************************** . 
Completion time: 2011-09-12 22:14:35 - machine was rebooted ComboFix-quarantined-files.txt 2011-09-13 02:14 . Pre-Run: 58,480,381,952 bytes free Post-Run: 59,893,768,192 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn . - - End Of File - - 47FB91353A93157C64E66C370A8A8639 I have also attached a zip file with ARK and attach.txt files. Aaron logarchive.zip