Yesterday I got hit by the XpSecurity 2012 malware.

Nod32 picked up and quarantined

C:Documents&Settings/LocalSettings/ApplicationData/Kyj.exe - A variant of Win32/Adware.XPAntispyware.AC Application.

Said it would be removed at the next restart.

So I restarted.

First thing I noticed is that Nod32 did not start back up at restart (no tray icon). So I went to Start/Programs and selected Nod32 to start it, and all I got was an 'open with' box where you have to select the program you want to use to open the program.

This happens with everything I try to open up; I get the 'open with' box.

Anyway I browsed for Nod32 and used 'open with' to get it up and running.

When it started up I got...

This is from my Nod Log File - Detected Threats

12/28/2011 1:35:08 PM Startup scanner file Operating memory » \GLOBAL??\149eb2dc\WINDOWS\$NtUninstal1KB42562$\345944796\Desktop.ini variant of Win32/Sirefef.DN trojan cleaned by deleting

12/28/2011 1:30:34 pm Startup scanner file Operating memory » \GLOBAL??\149eb2dc\WINDOWS\$NtUninstal1KB42562$\345944796\Desktop.ini variant of Win32/Sirefef.DN trojan cleaned by deleting

I then attempted to open MB and once again got the 'open with' prompt.

Ran MB and these are my logs.

mbam-log-2011-12-28 (16-41-26)
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 8316
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
12/28/2011 4:41:35 PM mbam-log-2011-12-28 (16-41-26).txt
Scan type: Full scan (C:\|)
Objects scanned: 226503
Time elapsed: 25 minute(s), 31 second(s)

Memory Processes infected: 0
Memory Modules infected: 0
Registry Keys infected: 0
Registry values infected: 1
Registry Data Items infected: 4
Folders infected: 0
Files infected: 0

Memory Processes infected:
(No malicious items detected)

Memory Modules infected:
(No malicious items detected)

Registry Keys infected:
(No malicious items detected)

Registry Values infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe) Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)

I also noticed that there is a newly installed program in 'My Documents' called 5y83wm7. I did not click on it to open it, as it's something that must have been created from all this mess.

So what do I need to do to get this nasty bug off my computer?

It appears that I have

1. Something called Kyj.exe

2. Something called Sirefef.DN

3. And the problem with all applications having to use the 'open with' prompt in order to open.

Thanks
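As an added example (not from the thread and not Malwarebytes' own code), here is a Python parser for the "Registry Values/Data Items infected" lines of an MBAM log in the format quoted above; it pulls out the tampered command lines, the executable they wrap, and whether the .exe association hijack behind the 'open with' prompt is present. The sample input is the post's own findings retyped; the parser, its regexes and field names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the registry findings from the Malwarebytes log quoted in
# the post above, retyped so the parser runs offline (key names normalized).
SAMPLE_LOG = r"""Registry Values infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe) Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> no action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Local Settings\Application Data\kyj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# "Registry Data Items" lines carry both the tampered value and MBAM's expected value.
DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$"
)
# "Registry Values" lines only name the value that was added or altered.
VALUE_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> Value: (?P<value>.+?) -> (?P<action>.+)$"
)
# First executable of a hijacked command line, quoted or not.
WRAPPER_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    key: str
    detection: str
    action: str
    bad: Optional[str] = None   # value the malware wrote (data-item lines only)
    good: Optional[str] = None  # value MBAM would restore

    @property
    def treated(self) -> bool:
        # MBAM writes "No action taken." when the scan ran without removal.
        return not self.action.strip().lower().startswith("no action")

    def wrapper_exe(self) -> Optional[str]:
        """Program that the hijacked command runs in place of the real one."""
        if self.bad is None:
            return None
        m = WRAPPER_RE.match(self.bad)
        return m.group("exe") if m else None


def parse_findings(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DATA_RE.match(line)
        if m:
            findings.append(Finding(m["key"], m["detection"], m["action"], m["bad"], m["good"]))
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.append(Finding(m["key"], m["detection"], m["action"]))
    return findings


def triage(log_text: str) -> Dict[str, object]:
    """Reduce the findings to the questions a responder asks first."""
    findings = parse_findings(log_text)
    wrappers = sorted({exe for exe in (f.wrapper_exe() for f in findings) if exe})
    return {
        # A shell\open\command verb placed directly under HKCR\.exe overrides the exefile
        # class; once the dropper it points at is quarantined, every .exe launch falls
        # through to the "Open with" dialog, which matches the symptom in the post.
        "exe_association_hijacked": any(f.detection == "Hijack.ExeFile" for f in findings),
        # Browser launch commands were rewritten to start the dropper, which then starts
        # the real browser, so the malware re-runs each time a browser is opened.
        "browser_launch_wrappers": wrappers,
        # UpdatesDisableNotify=1 silences Security Center's automatic-update warning.
        "security_center_tampered": any(f.detection.startswith("PUM.Disabled") for f in findings),
        "untreated": sum(1 for f in findings if not f.treated),
        "total": len(findings),
    }
```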


Hello DymoMatic and welcome to Malwarebytes!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • how the PC is running now
-------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please print out these instructions or copy them to a Notepad file for easier reading, and download MBRCheck by a_d_13 to your Desktop from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe
Close all opened programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
-------------
In your next reply, please include:
  • FSS.txt
  • TDSSKiller report
  • C:\ComboFix.txt
  • MBRCheck report

How is your computer running now?


D-Fred,

Thanks for the reply.

After posting my message I found this:

http://forums.malwarebytes.org/index.php?showtopic=9573 and ran the DDS tool.

I had not been back on the internet since posting my last message.

Reading your reply, I wasn't sure if I should follow through with your suggestion or post my results of the DDS log.

But decided to post the log first and see if you still want me to follow your suggestions before proceeding any further.

Thanks for the help

DDS LOG

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.662 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061025
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=Xlnw-p_ARRr8b2qKgyY9_8tSMHk
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [H/PC Connection Agent] "c:\progra~1\micros~3\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\the print shop 23\Remind.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott\application data\mozilla\firefox\profiles\lxebrcf6.default\
FF - prefs.js: browser.startup.homepage - hxxp://msn.com
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-5-13 32008]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-5-13 6416120]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-5-13 76696]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-5-13 26096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
.
=============== File Associations ===============
.
.exe=41x
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 10:38:04.96 ===============


When trying to open the Farbar Service Scanner I got the "open with" prompt box which asks

'Choose the program you want to use to open this file'

I just went to browse and selected the FSS file to run it.

Not sure if that was the correct procedure, but it was all I could do to get it to run.

Will mention also that we have the internet cable unplugged from the computer, so not sure if that has any effect on what the log shows.

Farbar Service Scanner
Ran by (administrator) on 03-01-2012 at 12:41:09
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-11 16:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-08-11 16:11] - [2004-08-04 04:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2004-08-11 16:12] - [2004-08-04 04:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2004-08-11 16:12] - [2004-08-04 04:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\svchost.exe
[2004-08-11 16:00] - [2004-08-04 04:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-11 16:00] - [2004-08-04 04:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

Extra List:
=======
epfwtdir(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

I had the same 'open with' issue when trying to run TDSSKiller, and did the same as I did above.

Then when I run TDSSKiller I get the following in a pop-up box.

Error

Valid Command Line Parameters:
-l <File_Name> (Path to Log File)
-qpath <Folder_Name> (Path To Quarantine Folder)
-qall (Copy All Objects to Quarantine)
-qsus (Copy All Suspicious Objects to Quarantine)
-qmbr (Copy all Mbr to Quarantine)
-qboot (Copy All Boot Sectors to Quarantine)
-dcexact (Cure/Delete known Malware Automatically)
-qcsvc <Service_Name> (Copy Service to Quarantine)
-dcsvc <Service_Name> (Delete Service)
-sigcheck (Detect unsigned files as Suspicious)
-tdlfs (Detect TDL3/4 File System Presence)
-silent (Dont Show any Windows)

with a button to click 'OK'

So FSS is as far as I could go at this point, as TDSSKiller doesn't appear to work.

Thanks for the help..


It appears that your file associations may be corrupt, which is why you encountered trouble in running those tools.

Let's correct that, then see if you can successfully execute those programs ;):

  • download the CleanAutoRun utility, using one of the following links (whichever one works): .exe, .com, .pif.
  • run the utility by double-clicking the icon.
  • after the utility window appears on the screen, press any button to finish the process.

Let me know how it goes.



Whichever one works???

Does it matter which link? I will need to download it on one computer and then transfer it to the infected computer by USB. Will that work?


Sure. By whichever one works, I meant whichever file type (.exe, .com, or .pif) you can successfully open, since you previously described issues you've been encountering with certain file types.

Well, that's what I was thinking, but since I couldn't open anything to begin with I was at a loss as to how any of that was supposed to work....

Needless to say, I've had progress after running the CleanAutoRun utility.

I ran FSS again:

Farbar Service Scanner
Ran by (administrator) on 03-01-2012 at 15:28:05
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-11 16:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-11 16:00] - [2004-08-04 04:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-08-11 16:11] - [2004-08-04 04:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2004-08-11 16:12] - [2004-08-04 04:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2004-08-11 16:12] - [2004-08-04 04:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\svchost.exe
[2004-08-11 16:00] - [2004-08-04 04:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-11 16:00] - [2004-08-04 04:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-11 16:00] - [2004-08-04 04:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

Extra List:
=======
epfwtdir(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

Then ran TDSSKiller and got this (pics included):

15:29:03.0578 3140 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
15:29:03.0609 3140 ============================================================
15:29:03.0609 3140 Current date / time: 2012/01/03 15:29:03.0609
15:29:03.0609 3140 SystemInfo:
15:29:03.0609 3140
15:29:03.0609 3140 OS Version: 5.1.2600 ServicePack: 2.0
15:29:03.0609 3140 Product type: Workstation
15:29:03.0609 3140 ComputerName:
15:29:03.0609 3140 UserName:
15:29:03.0609 3140 Windows directory: C:\WINDOWS
15:29:03.0609 3140 System windows directory: C:\WINDOWS
15:29:03.0609 3140 Processor architecture: Intel x86
15:29:03.0609 3140 Number of processors: 2
15:29:03.0609 3140 Page size: 0x1000
15:29:03.0609 3140 Boot type: Normal boot
15:29:03.0609 3140 ============================================================
15:29:05.0046 3140 Initialize success
15:31:43.0921 3392 ============================================================
15:31:43.0921 3392 Scan started
15:31:43.0921 3392 Mode: Manual;
15:31:43.0921 3392 ============================================================


15:31:47.0109 3392 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

15:31:47.0125 3392 intelppm - ok

15:31:47.0140 3392 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

15:31:47.0156 3392 Ip6Fw - ok

15:31:47.0171 3392 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:31:47.0203 3392 IpFilterDriver - ok

15:31:47.0218 3392 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:31:47.0234 3392 IpInIp - ok

15:31:47.0250 3392 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:31:47.0265 3392 IpNat - ok

15:31:47.0281 3392 IPSec (37a4ddd17195f6d65e3a6731c70a103f) C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:31:47.0281 3392 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 37a4ddd17195f6d65e3a6731c70a103f, Fake md5: 64537aa5c003a6afeee1df819062d0d1

15:31:47.0281 3392 IPSec ( Rootkit.Win32.ZAccess.aml ) - infected

15:31:47.0281 3392 IPSec - detected Rootkit.Win32.ZAccess.aml (0)

15:31:47.0296 3392 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

15:31:47.0312 3392 IRENUM - ok

15:31:47.0328 3392 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:31:47.0343 3392 isapnp - ok

15:31:47.0359 3392 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:31:47.0390 3392 Kbdclass - ok

15:31:47.0390 3392 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

15:31:47.0421 3392 kbdhid - ok

15:31:47.0453 3392 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

15:31:47.0453 3392 kmixer - ok

15:31:47.0468 3392 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

15:31:47.0484 3392 KSecDD - ok

15:31:47.0500 3392 lbrtfdc - ok

15:31:47.0546 3392 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

15:31:47.0562 3392 mdmxsdk - ok

15:31:47.0578 3392 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

15:31:47.0593 3392 mnmdd - ok

15:31:47.0625 3392 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

15:31:47.0640 3392 Modem - ok

15:31:47.0656 3392 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

15:31:47.0671 3392 MODEMCSA - ok

15:31:47.0687 3392 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:31:47.0703 3392 Mouclass - ok

15:31:47.0718 3392 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

15:31:47.0734 3392 mouhid - ok

15:31:47.0750 3392 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

15:31:47.0765 3392 MountMgr - ok

15:31:47.0781 3392 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

15:31:47.0796 3392 mraid35x - ok

15:31:47.0812 3392 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:31:47.0828 3392 MRxDAV - ok

15:31:47.0875 3392 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:31:47.0921 3392 MRxSmb - ok

15:31:47.0937 3392 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

15:31:47.0953 3392 Msfs - ok

15:31:47.0984 3392 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:31:48.0000 3392 MSKSSRV - ok

15:31:48.0015 3392 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:31:48.0031 3392 MSPCLOCK - ok

15:31:48.0046 3392 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

15:31:48.0062 3392 MSPQM - ok

15:31:48.0078 3392 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:31:48.0078 3392 mssmbios - ok

15:31:48.0093 3392 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

15:31:48.0109 3392 Mup - ok

15:31:48.0125 3392 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

15:31:48.0125 3392 NDIS - ok

15:31:48.0156 3392 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:31:48.0156 3392 NdisTapi - ok

15:31:48.0171 3392 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:31:48.0187 3392 Ndisuio - ok

15:31:48.0203 3392 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:31:48.0218 3392 NdisWan - ok

15:31:48.0234 3392 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

15:31:48.0250 3392 NDProxy - ok

15:31:48.0250 3392 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

15:31:48.0281 3392 NetBIOS - ok

15:31:48.0312 3392 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

15:31:48.0312 3392 NetBT - ok

15:31:48.0328 3392 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

15:31:48.0343 3392 Npfs - ok

15:31:48.0375 3392 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

15:31:48.0406 3392 Ntfs - ok

15:31:48.0421 3392 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

15:31:48.0437 3392 Null - ok

15:31:48.0500 3392 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

15:31:48.0546 3392 nv - ok

15:31:48.0546 3392 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:31:48.0578 3392 NwlnkFlt - ok

15:31:48.0593 3392 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:31:48.0609 3392 NwlnkFwd - ok

15:31:48.0625 3392 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

15:31:48.0640 3392 omci - ok

15:31:48.0671 3392 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

15:31:48.0687 3392 Parport - ok

15:31:48.0703 3392 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

15:31:48.0718 3392 PartMgr - ok

15:31:48.0734 3392 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

15:31:48.0765 3392 ParVdm - ok

15:31:48.0765 3392 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

15:31:48.0796 3392 PCI - ok

15:31:48.0796 3392 PCIDump - ok

15:31:48.0796 3392 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

15:31:48.0828 3392 PCIIde - ok

15:31:48.0843 3392 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

15:31:48.0859 3392 Pcmcia - ok

15:31:48.0875 3392 PDCOMP - ok

15:31:48.0875 3392 PDFRAME - ok

15:31:48.0890 3392 PDRELI - ok

15:31:48.0890 3392 PDRFRAME - ok

15:31:48.0906 3392 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

15:31:48.0921 3392 perc2 - ok

15:31:48.0937 3392 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

15:31:48.0953 3392 perc2hib - ok

15:31:49.0015 3392 PMEM (2b85237f904c5bdf7ad386f0ede19bd3) C:\WINDOWS\system32\drivers\pmemnt.sys

15:31:49.0015 3392 PMEM - ok

15:31:49.0031 3392 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:31:49.0062 3392 PptpMiniport - ok

15:31:49.0062 3392 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

15:31:49.0109 3392 PSched - ok

15:31:49.0125 3392 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:31:49.0140 3392 Ptilink - ok

15:31:49.0171 3392 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys

15:31:49.0187 3392 PxHelp20 - ok

15:31:49.0218 3392 pxkbf (0c738845c7c12c45f05b127edff2cc87) C:\WINDOWS\system32\drivers\pxkbf.sys

15:31:49.0234 3392 pxkbf - ok

15:31:49.0250 3392 pxrts (04d1c97a0818f9378eeaa793a09f8202) C:\WINDOWS\system32\drivers\pxrts.sys

15:31:49.0250 3392 pxrts - ok

15:31:49.0265 3392 pxscan (e6e1f9f717feab3e16c3b160b17e6855) C:\WINDOWS\system32\drivers\pxscan.sys

15:31:49.0265 3392 pxscan - ok

15:31:49.0281 3392 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

15:31:49.0312 3392 ql1080 - ok

15:31:49.0312 3392 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

15:31:49.0343 3392 Ql10wnt - ok

15:31:49.0343 3392 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

15:31:49.0375 3392 ql12160 - ok

15:31:49.0375 3392 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

15:31:49.0406 3392 ql1240 - ok

15:31:49.0437 3392 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

15:31:49.0453 3392 ql1280 - ok

15:31:49.0468 3392 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:31:49.0484 3392 RasAcd - ok

15:31:49.0500 3392 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:31:49.0515 3392 Rasl2tp - ok

15:31:49.0531 3392 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:31:49.0562 3392 RasPppoe - ok

15:31:49.0562 3392 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

15:31:49.0578 3392 Raspti - ok

15:31:49.0625 3392 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:31:49.0687 3392 Rdbss - ok

15:31:49.0703 3392 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:31:49.0718 3392 RDPCDD - ok

15:31:49.0734 3392 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

15:31:49.0781 3392 rdpdr - ok

15:31:49.0828 3392 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

15:31:49.0828 3392 RDPWD - ok

15:31:49.0843 3392 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

15:31:49.0859 3392 redbook - ok

15:31:49.0890 3392 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:31:49.0906 3392 Secdrv - ok

15:31:49.0953 3392 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys

15:31:49.0968 3392 senfilt - ok

15:31:49.0984 3392 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

15:31:50.0015 3392 serenum - ok

15:31:50.0015 3392 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

15:31:50.0046 3392 Serial - ok

15:31:50.0046 3392 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

15:31:50.0078 3392 Sfloppy - ok

15:31:50.0078 3392 Simbad - ok

15:31:50.0109 3392 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

15:31:50.0125 3392 sisagp - ok

15:31:50.0156 3392 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys

15:31:50.0187 3392 smwdm - ok

15:31:50.0203 3392 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

15:31:50.0234 3392 Sparrow - ok

15:31:50.0250 3392 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

15:31:50.0265 3392 splitter - ok

15:31:50.0281 3392 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

15:31:50.0296 3392 sr - ok

15:31:50.0343 3392 Srv (e03b4ea274c9e509cca7f9f0cec24232) C:\WINDOWS\system32\DRIVERS\srv.sys

15:31:50.0359 3392 Srv - ok

15:31:50.0375 3392 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

15:31:50.0390 3392 swenum - ok

15:31:50.0406 3392 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

15:31:50.0421 3392 swmidi - ok

15:31:50.0453 3392 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

15:31:50.0468 3392 symc810 - ok

15:31:50.0484 3392 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

15:31:50.0500 3392 symc8xx - ok

15:31:50.0515 3392 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

15:31:50.0531 3392 sym_hi - ok

15:31:50.0546 3392 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

15:31:50.0562 3392 sym_u3 - ok

15:31:50.0593 3392 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

15:31:50.0593 3392 sysaudio - ok

15:31:50.0625 3392 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:31:50.0625 3392 Tcpip - ok

15:31:50.0656 3392 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

15:31:50.0671 3392 TDPIPE - ok

15:31:50.0687 3392 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

15:31:50.0703 3392 TDTCP - ok

15:31:50.0734 3392 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

15:31:50.0750 3392 TermDD - ok

15:31:50.0781 3392 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

15:31:50.0796 3392 TosIde - ok

15:31:50.0828 3392 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

15:31:50.0843 3392 Udfs - ok

15:31:50.0859 3392 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

15:31:50.0890 3392 ultra - ok

15:31:50.0906 3392 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

15:31:50.0921 3392 Update - ok

15:31:50.0968 3392 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:31:50.0984 3392 usbccgp - ok

15:31:51.0000 3392 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:31:51.0015 3392 usbehci - ok

15:31:51.0031 3392 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:31:51.0046 3392 usbhub - ok

15:31:51.0093 3392 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

15:31:51.0125 3392 usbprint - ok

15:31:51.0156 3392 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:31:51.0187 3392 USBSTOR - ok

15:31:51.0203 3392 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:31:51.0218 3392 usbuhci - ok

15:31:51.0265 3392 usb_rndisx (ae4df3b7d1db9373b08db4ed224e26b6) C:\WINDOWS\system32\DRIVERS\usb8023x.sys

15:31:51.0296 3392 usb_rndisx - ok

15:31:51.0312 3392 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

15:31:51.0328 3392 VgaSave - ok

15:31:51.0343 3392 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

15:31:51.0390 3392 viaagp - ok

15:31:51.0406 3392 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

15:31:51.0421 3392 ViaIde - ok

15:31:51.0437 3392 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

15:31:51.0453 3392 VolSnap - ok

15:31:51.0484 3392 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:31:51.0515 3392 Wanarp - ok

15:31:51.0515 3392 WDICA - ok

15:31:51.0531 3392 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

15:31:51.0562 3392 wdmaud - ok

15:31:51.0625 3392 Winachcf (ddb6b2d33bb299664f1470ed4e83c389) C:\WINDOWS\system32\DRIVERS\winachcf.sys

15:31:51.0671 3392 Winachcf - ok

15:31:51.0718 3392 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

15:31:51.0984 3392 \Device\Harddisk0\DR0 - ok

15:31:51.0984 3392 Boot (0x1200) (8c7a936423af5f3f4dfa763f58f99926) \Device\Harddisk0\DR0\Partition0

15:31:51.0984 3392 \Device\Harddisk0\DR0\Partition0 - ok

15:31:51.0984 3392 ============================================================

15:31:51.0984 3392 Scan finished

15:31:52.0000 3392 ============================================================

15:31:52.0000 3384 Detected object count: 1

15:31:52.0000 3384 Actual detected object count: 1

15:38:21.0156 3384 Backup copy found, using it..

15:38:21.0203 3384 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot

15:38:22.0281 3384 IPSec ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure

15:44:27.0546 3136 Deinitialize success

Then ran NOD32; scan results are shown in the screenshot.

Then ran MBAM; scan results are shown in the screenshot.

Computer seems to run pretty well; I can open programs without an 'open with' prompt.

Have not yet connected to the internet, so I don't know if that works.

I have not yet run ComboFix or MBRCheck, as I wanted to get back to you with these results to see if I need to run them or if I need to do something else.

Thanks for the help!!

[Attached screenshots: post-104727-0-00664200-1325633114.jpg, post-104727-0-91729600-1325633134.jpg, post-104727-0-60693900-1325633150.jpg, post-104727-0-96328800-1325633517.jpg, post-104727-0-97844400-1325633529.jpg]


I have not yet run ComboFix or MBRCheck as I wanted to get back with you on these results, to see if I need to run them or if I need to do something else.

Sure, go ahead and allow TDSSKiller to replace the infected file... Then, please proceed with running ComboFix and MBRCheck. ;)


ComboFix Log

ComboFix 12-01-03.04 - 01/04/2012 8:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.656 [GMT -5:00]

Running from: c:\documents and settings\{username}\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Created a new restore point

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\{username}\My Documents\pub1E.tmp

c:\documents and settings\{username}\WINDOWS

c:\windows\$NtUninstallKB42562$

c:\windows\$NtUninstallKB42562$\299657195

c:\windows\$NtUninstallKB42562$\345944796\@

c:\windows\$NtUninstallKB42562$\345944796\bckfg.tmp

c:\windows\$NtUninstallKB42562$\345944796\cfg.ini

c:\windows\$NtUninstallKB42562$\345944796\Desktop.ini

c:\windows\$NtUninstallKB42562$\345944796\keywords

c:\windows\$NtUninstallKB42562$\345944796\kwrd.dll

c:\windows\$NtUninstallKB42562$\345944796\L\iahonoel

c:\windows\$NtUninstallKB42562$\345944796\U\00000001.@

c:\windows\$NtUninstallKB42562$\345944796\U\00000002.@

c:\windows\$NtUninstallKB42562$\345944796\U\00000004.@

c:\windows\$NtUninstallKB42562$\345944796\U\80000000.@

c:\windows\$NtUninstallKB42562$\345944796\U\80000004.@

c:\windows\$NtUninstallKB42562$\345944796\U\80000032.@

.

.

((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-03 20:45 . 2004-08-11 21:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\progra~1\MICROS~3\wcescomm.exe" [2005-11-15 1200128]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-25 169984]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Event Reminder.lnk - c:\program files\The Print Shop 23\Remind.exe [2008-7-16 344064]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/13/2010 8:55 AM 32008]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 9:06 AM 96408]

R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [5/13/2010 8:55 AM 6416120]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [5/13/2010 8:55 AM 76696]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [5/13/2010 8:55 AM 26096]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 11:10 AM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 11:10 AM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 16:10]

.

2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 16:10]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=Xlnw-p_ARRr8b2qKgyY9_8tSMHk

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.10.1

FF - ProfilePath - c:\documents and settings\{username}\Application Data\Mozilla\Firefox\Profiles\lxebrcf6.default\

FF - prefs.js: browser.startup.homepage - hxxp://msn.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-51643046.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-04 09:04

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\TEMP\NOD14.tmp 856576 bytes

c:\windows\TEMP\NOD15.tmp 0 bytes

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe

c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

c:\progra~1\MICROS~3\rapimgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-01-04 09:06:18 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-04 14:06

.

Pre-Run: 34,218,823,680 bytes free

Post-Run: 34,867,421,184 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 6DD822384E1C56745245063BF0A008BC

MBR LOG

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x0000000d

Kernel Drivers (total 138):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E2000 \WINDOWS\system32\hal.dll

0xF7B12000 \WINDOWS\system32\KDCOM.DLL

0xF7A22000 \WINDOWS\system32\BOOTVID.dll

0xF74E3000 ACPI.sys

0xF7B14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF74D2000 pci.sys

0xF7612000 isapnp.sys

0xF7BDA000 pciide.sys

0xF7892000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7622000 MountMgr.sys

0xF74B3000 ftdisk.sys

0xF7B16000 dmload.sys

0xF748D000 dmio.sys

0xF789A000 PartMgr.sys

0xF78A2000 pxscan.sys

0xF7632000 VolSnap.sys

0xF7475000 atapi.sys

0xF7642000 disk.sys

0xF7652000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7456000 fltMgr.sys

0xF7444000 sr.sys

0xF742E000 DRVMCDB.SYS

0xF78AA000 PxHelp20.sys

0xF7417000 KSecDD.sys

0xF738A000 Ntfs.sys

0xF735D000 NDIS.sys

0xF7662000 Combo-Fix.sys

0xF7342000 Mup.sys

0xF77C2000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF71B3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF719F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF717E000 \SystemRoot\system32\DRIVERS\b57xp32.sys

0xF7932000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xF715B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF793A000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF711B000 \SystemRoot\system32\drivers\smwdm.sys

0xF70F7000 \SystemRoot\system32\drivers\portcls.sys

0xF77D2000 \SystemRoot\system32\drivers\drmk.sys

0xF70D4000 \SystemRoot\system32\drivers\ks.sys

0xF7021000 \SystemRoot\system32\drivers\senfilt.sys

0xF7942000 \SystemRoot\system32\DRIVERS\fdc.sys

0xF700D000 \SystemRoot\system32\DRIVERS\parport.sys

0xF77E2000 \SystemRoot\system32\DRIVERS\serial.sys

0xF7AC6000 \SystemRoot\system32\DRIVERS\serenum.sys

0xF77F2000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7B22000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xF7802000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF7812000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF7D5E000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF7822000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF7ACE000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF6FF6000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7832000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF7842000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF794A000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF6FE5000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7852000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7952000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF795A000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF6E7B000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xF7862000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7962000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF796A000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7B26000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF6E47000 \SystemRoot\system32\DRIVERS\update.sys

0xF7AEA000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF7972000 \SystemRoot\system32\DRIVERS\omci.sys

0xF7682000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF76A2000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7B28000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF797A000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0xF7B2A000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7B2C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7D3A000 \SystemRoot\System32\Drivers\Null.SYS

0xF7B2E000 \SystemRoot\System32\Drivers\Beep.SYS

0xF798A000 \SystemRoot\System32\Drivers\DLARTL_N.SYS

0xAA71B000 \SystemRoot\system32\DRIVERS\ehdrv.sys

0xF7992000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF799A000 \SystemRoot\System32\drivers\vga.sys

0xF7B30000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7B32000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF79A2000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF79AA000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF72F5000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xAA6E8000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xAA690000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xAA668000 \SystemRoot\system32\DRIVERS\netbt.sys

0xAA647000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF76D2000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xAA62E000 \SystemRoot\system32\DRIVERS\epfwtdir.sys

0xAA5E4000 \SystemRoot\System32\drivers\afd.sys

0xF76E2000 \SystemRoot\system32\DRIVERS\netbios.sys

0xAA5B9000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xAA54A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF76F2000 \SystemRoot\System32\Drivers\Fips.SYS

0xF7AC2000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xF7712000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xF7722000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xF79BA000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xF6ECC000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xF79CA000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xF6EC8000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xF79D2000 \SystemRoot\System32\drivers\pxkbf.sys

0xAA50A000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7B36000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF6EB8000 \SystemRoot\System32\drivers\Dxapi.sys

0xF79DA000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7C4A000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF04E000 \SystemRoot\System32\ati2cqag.dll

0xBF081000 \SystemRoot\System32\atikvmag.dll

0xBF0B4000 \SystemRoot\System32\ati3duag.dll

0xBF2F2000 \SystemRoot\System32\ativvaxx.dll

0xA8326000 \SystemRoot\system32\DRIVERS\eamon.sys

0xA8315000 \SystemRoot\System32\drivers\pxrts.sys

0xAA7B0000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xF7C2A000 \SystemRoot\System32\DLA\DLADResN.SYS

0xA82D7000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xA844A000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0xF7B42000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xF79E2000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0xA82BF000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0xA82A9000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0xA83FA000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA7FC4000 \SystemRoot\system32\drivers\wdmaud.sys

0xA80F9000 \SystemRoot\system32\drivers\sysaudio.sys

0xA7D8A000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xA7DB7000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xF7B9A000 \??\C:\WINDOWS\system32\drivers\pmemnt.sys

0xA7C20000 \SystemRoot\system32\DRIVERS\srv.sys

0xA79CD000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xA7644000 \SystemRoot\System32\Drivers\HTTP.sys

0xF7A0A000 \??\C:\ComboFix\catchme.sys

0xF7BA0000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):

0 System Idle Process

4 System

596 C:\WINDOWS\system32\smss.exe

656 csrss.exe

684 C:\WINDOWS\system32\winlogon.exe

728 C:\WINDOWS\system32\services.exe

740 C:\WINDOWS\system32\lsass.exe

972 C:\WINDOWS\system32\ati2evxx.exe

988 C:\WINDOWS\system32\svchost.exe

1068 svchost.exe

1164 C:\WINDOWS\system32\svchost.exe

1252 svchost.exe

1360 svchost.exe

1564 C:\WINDOWS\system32\spoolsv.exe

472 C:\Program Files\Prevx\prevx.exe

588 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

924 C:\Program Files\Dell\OpenManage\Client\Iap.exe

2004 C:\Program Files\Analog Devices\Core\smax4pnp.exe

2024 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

864 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

152 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

232 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

236 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

288 C:\PROGRA~1\MICROS~3\wcescomm.exe

420 C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

556 C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

1552 C:\PROGRA~1\MICROS~3\rapimgr.exe

1212 wmiprvse.exe

2148 C:\Program Files\Prevx\prevx.exe

3832 alg.exe

3864 C:\WINDOWS\system32\wscntfy.exe

3020 C:\WINDOWS\explorer.exe

2856 C:\Documents and Settings\{username}\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD080HJ/P, Rev: ZH100-34

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Scanned again with MBAM, still shows an infection.


Sorry for the delay in getting back with you, ended up having to leave town yesterday.

As you asked, I ran MBAM again and my results are as follows:

See screen shot (CMbamdelete); these are the results of running it again.

MBAM found 2 issues; I marked only the one for deletion and deleted it.

Then I ran your FSS report; results follow.

Farbar Service Scanner

Ran by (administrator) on 06-01-2012 at 11:38:54

Microsoft Windows XP Professional Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll

[2004-08-11 16:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys

[2004-08-11 16:00] - [2004-08-04 04:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys

[2004-08-11 16:00] - [2004-08-04 04:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys

[2004-08-11 16:00] - [2012-01-03 15:45] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll

[2004-08-11 16:11] - [2004-08-04 04:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll

[2004-08-11 16:12] - [2004-08-04 04:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys

[2004-08-11 16:12] - [2004-08-04 04:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\svchost.exe

[2004-08-11 16:00] - [2004-08-04 04:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe

[2004-08-11 16:00] - [2004-08-04 04:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

Extra List:

=======

epfwtdir(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

Ran MBAM again and it comes up clean (screen shot CMbamAft).

After that I ran NOD32 around 12:06 and got the results in screen shots CNodAft and CNodAftScan.

Additional NOD Screen Shots

Log files of Nod32 (screen shot CNodaft2) - On-demand computer scan

Log files of Nod32 (screen shot CNodaft3) - Detected threats

Log files of Nod32 (screen shot CNodaft6) - Quarantine

It appears that Nod picked up some of the infiltrations around 10:48, before I ran my MBAM scan and my Nod32 scan, and deleted them automatically.

So it looks like the only thing left over is the bug found in screen shot CNodAft; however, MBAM doesn't pick it up.

What's next?

Thanks for the help


As you can probably tell, we've got some more work to do:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    dhcpcsvc.dll
    netbt.sys
    tcpip.sys
    ipsec.sys
    dnsrslvr.dll
    ipnathlp.dll
    netman.dll
    WMIsvc.dll
    srsvc.dll
    sr.sys
    rpcss.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Isn't that last file left over just a .zip file? Can't I just use Nod to scan again and then delete the file?

Sure, NOD32 should take care of it. If not, let me know and we can manually delete it using ComboFix ;).

Hasn't everything else been deleted or quarantined?

The reason I am asking you to run SystemLook is because it appears a number of files relating to your Internet connection services have been corrupted due to the virus you had. What we'll do is locate suitable copies and use ComboFix to replace the modified ones with clean ones. This will ensure you're completely safe :).


OK, ran NOD32 again and let it delete the zip file it found.

Restarted the computer and ran both MBAM and NOD32; both logs come up clean.

Plugged in the cable to access the internet.

Ran an FSS report.

Farbar Service Scanner

Ran by (administrator) on 09-01-2012 at 10:39:49

Microsoft Windows XP Professional Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll

[2004-08-11 16:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys

[2004-08-11 16:00] - [2004-08-04 04:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys

[2004-08-11 16:00] - [2004-08-04 04:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys

[2004-08-11 16:00] - [2012-01-03 15:45] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll

[2004-08-11 16:11] - [2004-08-04 04:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll

[2004-08-11 16:12] - [2004-08-04 04:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys

[2004-08-11 16:12] - [2004-08-04 04:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\svchost.exe

[2004-08-11 16:00] - [2004-08-04 04:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll

[2004-08-11 16:00] - [2004-08-04 04:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe

[2004-08-11 16:00] - [2004-08-04 04:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

Extra List:

=======

epfwtdir(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

The only thing that I have noticed not working is that when I insert a USB stick, I don't get the icon that I normally get in the task bar area (right side) that allows you to open up the USB menu.

The only thing that I have noticed not working is that when I insert a USB stick, I don't get the icon that I normally get in the task bar area (right side) that allows you to open up the USB menu.

It's possible that autoplay got disabled during all of this. Does the USB device still show up in "My Computer" after you insert it?

Also, please run the SystemLook script from my previous post- we'll need that information ;)


SystemLook 30.07.11 by jpshortstuff

Log created at 08:50 on 11/01/2012 by *******

Administrator - Elevation successful

========== filefind ==========

Searching for "dhcpcsvc.dll"

C:\i386\dhcpcsvc.dll --a---- 111616 bytes [21:42 04/12/2006] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\$hf_mig$\KB914388\SP2QFE\dhcpcsvc.dll --a---- 112128 bytes [04:34 25/10/2006] [13:46 19/05/2006] 3F15A1DBD86F7BDAF404648282D11ECE

C:\WINDOWS\system32\dhcpcsvc.dll --a---- 111616 bytes [21:00 11/08/2004] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\dllcache\dhcpcsvc.dll ------- 111616 bytes [04:34 25/10/2006] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F

Searching for "netbt.sys"

C:\i386\netbt.sys --a---- 162816 bytes [21:42 04/12/2006] [09:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [21:00 11/08/2004] [09:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B

Searching for "tcpip.sys"

C:\i386\tcpip.sys --a---- 359040 bytes [21:43 04/12/2006] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\ERDNT\cache\tcpip.sys --a---- 359040 bytes [14:05 04/01/2012] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\drivers\tcpip.sys --a---- 359040 bytes [21:00 11/08/2004] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

Searching for "ipsec.sys"

C:\i386\ipsec.sys --a---- 74752 bytes [21:42 04/12/2006] [09:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\ERDNT\cache\ipsec.sys --a---- 74752 bytes [14:05 04/01/2012] [20:45 03/01/2012] 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\drivers\ipsec.sys --a---- 74752 bytes [21:00 11/08/2004] [20:45 03/01/2012] 64537AA5C003A6AFEEE1DF819062D0D1

Searching for "dnsrslvr.dll"

C:\i386\dnsrslvr.dll --a---- 45568 bytes [21:42 04/12/2006] [09:00 04/08/2004] 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\dnsrslvr.dll --a---- 45568 bytes [21:00 11/08/2004] [09:00 04/08/2004] 7379DE06FD196E396A00AA97B990C00D

Searching for "ipnathlp.dll"

C:\i386\ipnathlp.dll --a---- 331264 bytes [21:43 04/12/2006] [09:00 04/08/2004] 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\ipnathlp.dll --a---- 331264 bytes [21:00 11/08/2004] [09:00 04/08/2004] 36CC8C01B5E50163037BEF56CB96DEFF

Searching for "netman.dll"

C:\i386\netman.dll --a---- 198144 bytes [21:44 04/12/2006] [09:00 04/08/2004] DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\ERDNT\cache\netman.dll --a---- 198144 bytes [14:05 04/01/2012] [09:00 04/08/2004] DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\netman.dll --a---- 198144 bytes [21:00 11/08/2004] [09:00 04/08/2004] DAB9E6C7105D2EF49876FE92C524F565

Searching for "WMIsvc.dll"

C:\i386\wmisvc.dll --a---- 144896 bytes [21:48 04/12/2006] [09:00 04/08/2004] F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wbem\wmisvc.dll --a---- 144896 bytes [21:11 11/08/2004] [09:00 04/08/2004] F399242A80C4066FD155EFA4CF96658E

Searching for "srsvc.dll"

C:\i386\srsvc.dll --a---- 170496 bytes [21:47 04/12/2006] [09:00 04/08/2004] 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\ERDNT\cache\srsvc.dll --a---- 170496 bytes [14:05 04/01/2012] [09:00 04/08/2004] 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\srsvc.dll --a---- 170496 bytes [21:12 11/08/2004] [09:00 04/08/2004] 92BDF74F12D6CBEC43C94D4B7F804838

Searching for "sr.sys"

C:\i386\sr.sys --a---- 73472 bytes [21:43 04/12/2006] [09:00 04/08/2004] E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\drivers\sr.sys --a---- 73472 bytes [21:12 11/08/2004] [09:00 04/08/2004] E41B6D037D6CD08461470AF04500DC24

Searching for "rpcss.dll"

C:\i386\rpcss.dll --a---- 395776 bytes [21:46 04/12/2006] [09:00 04/08/2004] 5C83A4408604F737717AB96371201680

C:\WINDOWS\ERDNT\cache\rpcss.dll --a---- 395776 bytes [14:05 04/01/2012] [09:00 04/08/2004] 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\rpcss.dll --a---- 395776 bytes [21:00 11/08/2004] [09:00 04/08/2004] 5C83A4408604F737717AB96371201680

-= EOF =-

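The check the helper is doing on the log above (reading the MD5 of each live file under C:\WINDOWS and comparing it with the copies in the install source C:\i386 and the File Protection cache system32\dllcache, and using a clean copy as the replacement when they differ) can be automated. The script below is an added example written for this page; it is not SystemLook's, Farbar's or the forum's own code. It assumes the install source is C:\i386 as in this log, treats $hf_mig$ hotfix copies and ComboFix's ERDNT\cache backups as untrusted references (a hotfix build legitimately differs, and ERDNT\cache is a snapshot of the possibly infected file), and uses a sample log made of the real dhcpcsvc.dll and tcpip.sys blocks from the post plus one constructed entry, "constructed.sys" with made-up MD5s, to show the mismatch case.

```python
"""Parse SystemLook ':filefind' output and compare each live Windows file
with the pristine copies Windows keeps on disk (install source C:\\i386 and
the File Protection cache system32\\dllcache).

Added example; not SystemLook's, Farbar's or the forum's own code.
"""
import re
from collections import defaultdict

# Sample input in the format of the SystemLook log posted above. The
# dhcpcsvc.dll and tcpip.sys blocks are copied from that log; the
# "constructed.sys" block is made up (fake MD5s) to show a mismatch.
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
========== filefind ==========

Searching for "dhcpcsvc.dll"
C:\i386\dhcpcsvc.dll --a---- 111616 bytes [21:42 04/12/2006] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F
C:\WINDOWS\$hf_mig$\KB914388\SP2QFE\dhcpcsvc.dll --a---- 112128 bytes [04:34 25/10/2006] [13:46 19/05/2006] 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\dhcpcsvc.dll --a---- 111616 bytes [21:00 11/08/2004] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F
C:\WINDOWS\system32\dllcache\dhcpcsvc.dll ------- 111616 bytes [04:34 25/10/2006] [12:59 19/05/2006] EF545E1A4B043DA4C84E230DD471C55F

Searching for "tcpip.sys"
C:\i386\tcpip.sys --a---- 359040 bytes [21:43 04/12/2006] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\ERDNT\cache\tcpip.sys --a---- 359040 bytes [14:05 04/01/2012] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 359040 bytes [21:00 11/08/2004] [09:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C

Searching for "constructed.sys"
C:\i386\constructed.sys --a---- 1000 bytes [21:43 04/12/2006] [09:00 04/08/2004] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\drivers\constructed.sys --a---- 1000 bytes [21:00 11/08/2004] [20:45 03/01/2012] FEDCBA9876543210FEDCBA9876543210
-= EOF =-
"""

# One result line: path, 7 attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-A-Za-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

# Trusted copies: XP install source and the Windows File Protection cache
# (assumption: the install source is C:\i386, as in the log above).
REFERENCE_DIRS = ("\\i386\\", "\\dllcache\\")
# Not trusted as references: $hf_mig$ holds hotfix builds that legitimately
# differ, and ERDNT\cache is ComboFix's backup of the possibly infected file.
IGNORED_DIRS = ("\\$hf_mig$\\", "\\erdnt\\cache\\")


def parse_filefind(text):
    """Return {filename: [entry, ...]} from SystemLook filefind output."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return dict(results)


def _role(path):
    p = path.lower()
    if any(d in p for d in IGNORED_DIRS):
        return "ignored"
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if "\\windows\\" in p:
        return "live"          # the copy Windows actually loads
    return "other"


def check_live_copies(text):
    """Compare each live file's MD5 with its trusted reference copies.

    Returns {filename: {"status", "live", "matching", "candidates"}} where
    status is match / mismatch / missing / no_reference and candidates are
    reference copies a mismatched live file could be restored from.
    """
    report = {}
    for name, entries in parse_filefind(text).items():
        live = [e for e in entries if _role(e["path"]) == "live"]
        refs = [e for e in entries if _role(e["path"]) == "reference"]
        info = {"live": live[0]["path"] if live else None,
                "matching": [], "candidates": []}
        if not live:
            info["status"] = "missing"        # live file gone; needs restoring
        elif not refs:
            info["status"] = "no_reference"   # nothing on disk to compare to
        else:
            md5 = live[0]["md5"]
            info["matching"] = [r["path"] for r in refs if r["md5"] == md5]
            if info["matching"]:
                info["status"] = "match"
            else:
                info["status"] = "mismatch"
                info["candidates"] = [r["path"] for r in refs]
        report[name] = info
    return report


if __name__ == "__main__":
    for name, info in check_live_copies(SAMPLE_LOG).items():
        print(f"{name}: {info['status']}")
        for p in info["candidates"]:
            print(f"    clean copy to restore from: {p}")
```

A match only proves the live file agrees with the install source or the dllcache copy; it does not prove the file is the latest patched build, and it proves nothing if the install source itself was tampered with, so a hash mismatch is a lead to confirm against a known-good copy, not a verdict.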

After consulting with an expert, the issues appear to be caused by you running an out-of-date Service Pack. Let's take care of that before we move on to anything else.

Please consider updating to the latest Windows Service Pack.

Windows Service Pack 3 (SP3) contains critical security updates released since SP1 and SP2 plus support for new types of hardware and emerging hardware standards.

Please visit: Windows Update to download the latest Service Pack. NOTE: you will have to install SP2 and a number of other updates before SP3. However, all of this will leave you much safer than before.
