
Ran MBAM, DDS, GMER - Please Advise



Thanks for getting me to this step Firefox, what a learning experience this has been.

I started out here: http://forums.malwarebytes.org/index.php?showtopic=52834

Followed the directions, I hope - I stopped before the "Re-Enable Defogger" step.

Once again, thanks; I can't wait to put this behind me.

Results:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Dan at 18:53:53.86 on Fri 06/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.97 [GMT -5:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\ZCfgSvc.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\SMPClient.exe

C:\Program Files\Lexmark 9500 Series\lxdoamon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\Apoint\Apntex.exe

svchost.exe

C:\WINDOWS\System32\basfipm.exe

C:\WINDOWS\system32\lxdocoms.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\WINDOWS\TEMP\WB4FA.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://www.dell.com

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Tzeruje] rundll32.exe "c:\windows\suiclacr.dll",Startup

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [bascstray] BascsTray.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [sMPClient] c:\windows\SMPClient.exe

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

mRun: [lxdomon.exe] "c:\program files\lexmark 9500 series\lxdomon.exe"

mRun: [lxdoamon] "c:\program files\lexmark 9500 series\lxdoamon.exe"

mRun: [Lexmark 9500 Series Fax Server] "c:\program files\lexmark 9500 series\fm3032.exe" /s

mRun: [Hzumonorapule] rundll32.exe "c:\windows\oxerosuloro.dll",Startup

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\documents and settings\dan\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 192.168.100.2 skilmatch2

Hosts: 192.168.100.3 skilmatchp

Hosts: 192.168.100.4 skilmatche

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\7k16rbkb.default\

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {89892EBC-214E-459C-8AAB-784F19B9598C} - c:\documents and settings\dan\local settings\application data\{89892EBC-214E-459C-8AAB-784F19B9598C}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-3-22 233552]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2007-12-3 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2004-9-15 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2004-9-15 36112]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe --> c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-18 38224]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2007-12-3 23180]

=============== Created Last 30 ================

2010-06-04 22:05:03 0 ----a-w- c:\documents and settings\dan\defogger_reenable

2010-05-27 11:46:10 0 d-sh--w- c:\documents and settings\dan\IECompatCache

2010-05-18 19:21:52 2534 ----a-w- c:\windows\ayoqanedevacuq.dll

2010-05-18 19:07:08 2534 ----a-w- c:\windows\idocuwus.dll

2010-05-18 16:26:26 0 d-----w- c:\docume~1\dan\applic~1\Malwarebytes

2010-05-18 16:26:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 16:26:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-18 16:08:11 2534 ----a-w- c:\windows\uvipavur.dll

2010-05-18 16:01:03 2534 ----a-w- c:\windows\uhahopir.dll

2010-05-12 05:42:35 120 ----a-w- c:\windows\Nkopefayo.dat

2010-05-12 05:42:35 0 ----a-w- c:\windows\Dfuhaxu.bin

2010-05-12 05:39:32 0 d-----w- c:\windows\system32\msapps

2010-05-08 23:55:11 0 d-----w- c:\program files\palmOne

==================== Find3M ====================

============= FINISH: 18:55:47.57 ===============

______________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4169

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/4/2010 3:23:04 PM

mbam-log-2010-06-04 (15-23-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 190035

Time elapsed: 1 hour(s), 0 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

_________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/4/2010 1:52:45 PM

mbam-log-2010-06-04 (13-52-45).txt

Scan type: Full scan (D:\|E:\|)

Objects scanned: 141694

Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mjvqqhxr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mjvqqhxr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Dan\Local Settings\Application Data\blxfeemyf\sptdnautssd.exe (Rogue.AntivirusSuite.Gen) -> Delete on reboot.

__________________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4149

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/27/2010 6:50:51 PM

mbam-log-2010-05-27 (18-50-51).txt

Scan type: Full scan (C:\|)

Objects scanned: 192994

Time elapsed: 1 hour(s), 14 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Files Infected:

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP736\A0086168.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP736\A0086169.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4148

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/27/2010 12:31:54 PM

mbam-log-2010-05-27 (12-31-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 216275

Time elapsed: 47 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Registry Keys Infected:

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eanfgkdo (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eanfgkdo (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Dan\Local Settings\Application Data\ismfshcjo\aqpwlattssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Application Data\syssvc.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\8c8d163e.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\aAEV.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\tuunld.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

____________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4148

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/27/2010 9:29:41 AM

mbam-log-2010-05-27 (09-29-41).txt

Scan type: Full scan (C:\|)

Objects scanned: 192573

Time elapsed: 1 hour(s), 13 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Files Infected:

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP735\A0086150.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

____________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4141

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/25/2010 9:59:42 AM

mbam-log-2010-05-25 (09-59-42).txt

Scan type: Full scan (C:\|)

Objects scanned: 192964

Time elapsed: 1 hour(s), 56 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\postbootreminder (Backdoor.Losfondup) -> Quarantined and deleted successfully.

Files Infected:

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP735\A0086149.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\windows\system32\etar32dll.dll (Backdoor.Losfondup) -> Delete on reboot.

__________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4134

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/24/2010 11:46:07 PM

mbam-log-2010-05-24 (23-46-07).txt

Scan type: Full scan (C:\|)

Objects scanned: 219832

Time elapsed: 52 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxqiidfg (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxqiidfg (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Dan\Local Settings\Application Data\syssvc.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Application Data\jvgwydunn\tybalrktssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

__________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4133

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/23/2010 3:05:53 PM

mbam-log-2010-05-23 (15-05-53).txt

Scan type: Full scan (C:\|)

Objects scanned: 192434

Time elapsed: 1 hour(s), 15 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Files Infected:

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP730\A0083131.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

_________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/18/2010 4:57:57 PM

mbam-log-2010-05-18 (16-57-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 191304

Time elapsed: 1 hour(s), 10 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Files Infected:

C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP730\A0083128.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

___________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/18/2010 3:14:22 PM

mbam-log-2010-05-18 (15-14-22).txt

Scan type: Quick scan

Objects scanned: 171561

Time elapsed: 30 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 5

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 8

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ridaqovq (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ridaqovq (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\comserver (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\DOCUME~1\Dan\LOCALS~1\Temp\7848113787.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Dan\Local Settings\Application Data\ekhmtawrq\lkbsgmptssd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\4244749680.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\wlavqa.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\ywbhtj.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Temp\comsrvr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\windows\system32\msapps\comsrvr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\windows\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dan\Local Settings\Application Data\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.

ark.zip


Hello wholefoodsfool2! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • The instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on this.

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.1.0

You can read how to do this here:

Step 2

The current version of MBAM database is 4170 and we'll use Normal mode for the following action:

  • Launch Malwarebytes' Anti-Malware.
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only


Hey there Borislav; I'm glad you're here.

Removed Adobe. Ran ops per instructions.

MBAM & DDS results are below. Should I have attached the zipped "Attachment" results as well?

I look forward to your thoughts.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/5/2010 2:18:00 PM

mbam-log-2010-06-05 (14-18-00).txt

Scan type: Quick scan

Objects scanned: 171130

Time elapsed: 30 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Dan at 14:43:34.25 on Sat 06/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.115 [GMT -5:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\ZCfgSvc.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\basfipm.exe

C:\WINDOWS\system32\lxdocoms.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\SMPClient.exe

C:\Program Files\Lexmark 9500 Series\lxdoamon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\TEMP\CKCDE0.EXE

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\MDM.EXE

C:\WINDOWS\system32\MsiExec.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://www.dell.com

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Tzeruje] rundll32.exe "c:\windows\suiclacr.dll",Startup

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [bascstray] BascsTray.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [sMPClient] c:\windows\SMPClient.exe

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

mRun: [lxdomon.exe] "c:\program files\lexmark 9500 series\lxdomon.exe"

mRun: [lxdoamon] "c:\program files\lexmark 9500 series\lxdoamon.exe"

mRun: [Lexmark 9500 Series Fax Server] "c:\program files\lexmark 9500 series\fm3032.exe" /s

mRun: [Hzumonorapule] rundll32.exe "c:\windows\oxerosuloro.dll",Startup

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\documents and settings\dan\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 192.168.100.2 skilmatch2

Hosts: 192.168.100.3 skilmatchp

Hosts: 192.168.100.4 skilmatche

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\7k16rbkb.default\

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {89892EBC-214E-459C-8AAB-784F19B9598C} - c:\documents and settings\dan\local settings\application data\{89892EBC-214E-459C-8AAB-784F19B9598C}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-3-22 233552]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2007-12-3 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2004-9-15 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2004-9-15 36112]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-18 38224]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe --> c:\windows\system32\spool\drivers\w32x86\3\\lxdoserv.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2007-12-3 23180]

=============== Created Last 30 ================

2010-06-04 22:05:03 0 ----a-w- c:\documents and settings\dan\defogger_reenable

2010-05-27 11:46:10 0 d-sh--w- c:\documents and settings\dan\IECompatCache

2010-05-18 19:21:52 2534 ----a-w- c:\windows\ayoqanedevacuq.dll

2010-05-18 19:07:08 2534 ----a-w- c:\windows\idocuwus.dll

2010-05-18 16:26:26 0 d-----w- c:\docume~1\dan\applic~1\Malwarebytes

2010-05-18 16:26:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 16:26:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-18 16:08:11 2534 ----a-w- c:\windows\uvipavur.dll

2010-05-18 16:01:03 2534 ----a-w- c:\windows\uhahopir.dll

2010-05-12 05:42:35 120 ----a-w- c:\windows\Nkopefayo.dat

2010-05-12 05:42:35 0 ----a-w- c:\windows\Dfuhaxu.bin

2010-05-12 05:39:32 0 d-----w- c:\windows\system32\msapps

2010-05-08 23:55:11 0 d-----w- c:\program files\palmOne

==================== Find3M ====================

============= FINISH: 14:45:20.28 ===============


Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall.**


"Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. "

Ok - Cannot disable TREND MICRO OfficeScan Client. No icon in system tray menu to right click and main console is not same as one pictured in the instructions. http://esupport.trendmicro.com/Pages/How-d...t.aspx#P97_1482


Let's try this:

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

SecCenter::
{1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-06-03.01 - Dan 06/05/2010 16:50:57.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dan\g2mdlhlpx.exe

c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}

c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome.manifest

c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome\content\_cfg.js

c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\chrome\content\overlay.xul

c:\documents and settings\Dan\Local Settings\Application Data\{89892EBC-214E-459C-8AAB-784F19B9598C}\install.rdf

C:\setup.exe

c:\windows\ayoqanedevacuq.dll

c:\windows\idocuwus.dll

c:\windows\oxerosuloro.dll

c:\windows\suiclacr.dll

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\drivers\fad.sys

c:\windows\system32\VB40032.DLL

c:\windows\uhahopir.dll

c:\windows\uvipavur.dll

Infected copy of c:\windows\system32\drivers\omci.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))

.

2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf

2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100

2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla

2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo

2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache

2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn

2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-12 05:42 . 2010-06-05 20:51 120 ----a-w- c:\windows\Nkopefayo.dat

2010-05-12 05:42 . 2010-06-05 19:31 0 ----a-w- c:\windows\Dfuhaxu.bin

2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps

2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech

2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro

2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe

2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe

2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft

2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar

2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity

2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix

2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio

2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]

"SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]

"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]

"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]

"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

PowerReg Scheduler.exe [2010-5-8 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\windows\\system32\\lxdocfg.exe"=

"c:\\windows\\system32\\lxdocoms.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Tzeruje - c:\windows\suiclacr.dll

HKLM-Run-bascstray - BascsTray.exe

HKLM-Run-Hzumonorapule - c:\windows\oxerosuloro.dll

AddRemove-Centricity DICOM Viewer - c:\program files\Centricity\DICOM Viewer\3.1.1\EN-US\setupw2k

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-05 17:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82870EE4]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf853af28

\Driver\ACPI -> ACPI.sys @ 0xf84adcb8

\Driver\atapi -> atapi.sys @ 0xf8421852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(1056)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3244)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\S24EvMon.exe

c:\windows\system32\ZCfgSvc.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\basfipm.exe

c:\windows\system32\lxdocoms.exe

c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe

c:\windows\System32\RegSrvc.exe

c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe

c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

c:\program files\Apoint\Apntex.exe

c:\windows\TEMP\LZC8F6.EXE

c:\program files\Trend Micro\OfficeScan Client\pccntupd.exe

c:\windows\System32\MDM.EXE

.

**************************************************************************

.

Completion time: 2010-06-05 17:22:16 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-05 22:22

Pre-Run: 15,892,234,240 bytes free

Post-Run: 17,141,665,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 3A9C243A50CCB5A1142556E0076E149F


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


17:39:42:530 3428 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

17:39:42:530 3428 ================================================================================

17:39:42:530 3428 SystemInfo:

17:39:42:530 3428 OS Version: 5.1.2600 ServicePack: 3.0

17:39:42:530 3428 Product type: Workstation

17:39:42:530 3428 ComputerName: KITCHENCOMPUTER

17:39:42:530 3428 UserName: Dan

17:39:42:530 3428 Windows directory: C:\WINDOWS

17:39:42:530 3428 Processor architecture: Intel x86

17:39:42:530 3428 Number of processors: 1

17:39:42:530 3428 Page size: 0x1000

17:39:42:530 3428 Boot type: Normal boot

17:39:42:530 3428 ================================================================================

17:39:42:830 3428 Initialize success

17:39:42:830 3428

17:39:42:830 3428 Scanning Services ...

17:39:43:531 3428 Raw services enum returned 369 services

17:39:43:541 3428

17:39:43:541 3428 Scanning Drivers ...


17:39:55:148 3428 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys

17:39:55:208 3428 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

17:39:55:358 3428 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

17:39:55:518 3428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

17:39:55:678 3428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

17:39:55:859 3428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

17:39:56:119 3428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

17:39:56:329 3428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

17:39:56:550 3428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

17:39:56:740 3428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

17:39:56:920 3428 gv3 (01cdb5b4649fae249e787a83be22916a) C:\WINDOWS\system32\DRIVERS\gv3.sys

17:39:57:070 3428 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

17:39:57:121 3428 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

17:39:57:291 3428 HSFHWICH (dd33c6b441ca381f8fc82b06be2e2cac) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

17:39:57:531 3428 HSF_DP (272914d8e356bbbffbe7e88871a188ef) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

17:39:57:791 3428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

17:39:58:012 3428 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

17:39:58:152 3428 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys

17:39:58:222 3428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

17:39:58:432 3428 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

17:39:58:623 3428 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys

17:39:58:833 3428 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys

17:39:59:003 3428 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys

17:39:59:163 3428 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys

17:39:59:324 3428 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys

17:39:59:484 3428 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys

17:39:59:654 3428 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys

17:39:59:905 3428 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys

17:40:00:055 3428 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys

17:40:00:205 3428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

17:40:00:355 3428 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

17:40:00:515 3428 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

17:40:00:696 3428 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

17:40:00:846 3428 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

17:40:01:036 3428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

17:40:01:196 3428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

17:40:01:246 3428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

17:40:01:477 3428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

17:40:01:677 3428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

17:40:01:847 3428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

17:40:02:038 3428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

17:40:02:178 3428 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

17:40:02:328 3428 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys

17:40:02:398 3428 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

17:40:02:699 3428 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

17:40:02:879 3428 MDC8021X (0f528e44cdc78365be693ae723e3801c) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys

17:40:03:069 3428 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

17:40:03:219 3428 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys

17:40:03:369 3428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

17:40:03:430 3428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

17:40:03:570 3428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

17:40:03:760 3428 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

17:40:03:910 3428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

17:40:03:990 3428 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys

17:40:04:191 3428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

17:40:04:401 3428 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

17:40:04:601 3428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

17:40:04:772 3428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

17:40:04:922 3428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

17:40:04:952 3428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

17:40:05:182 3428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

17:40:05:312 3428 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

17:40:05:362 3428 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

17:40:05:543 3428 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

17:40:05:723 3428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

17:40:05:763 3428 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

17:40:05:893 3428 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

17:40:05:973 3428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

17:40:06:214 3428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

17:40:06:414 3428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

17:40:06:594 3428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

17:40:06:804 3428 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

17:40:06:965 3428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

17:40:07:055 3428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

17:40:07:115 3428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

17:40:07:275 3428 O2SCBUS (7f8d43fd4159b16ebfd65e13ee34677f) C:\WINDOWS\system32\DRIVERS\ozscr.sys

17:40:07:315 3428 omci (faa1aba995eeea9f68ac87dc36f64b2d) C:\WINDOWS\system32\DRIVERS\omci.sys

17:40:07:315 3428 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\omci.sys. Real md5: faa1aba995eeea9f68ac87dc36f64b2d, Fake md5: b17228142cec9b3c222239fd935a37ca

17:40:07:315 3428 File "C:\WINDOWS\system32\DRIVERS\omci.sys" infected by TDSS rootkit ...

17:40:11:291 3428 Backup copy not found, trying to cure infected file..

17:40:11:291 3428 Cure success, using it..

17:40:11:311 3428 will be cured on next reboot

17:40:27:684 3428 Reboot required for cure complete..

17:40:28:285 3428 Cure on reboot scheduled successfully

17:40:28:285 3428

17:40:28:285 3428 Completed

17:40:28:285 3428

17:40:28:285 3428 Results:

17:40:28:285 3428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:40:28:285 3428 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:40:28:285 3428

17:40:28:285 3428 KLMD(ARK) unloaded successfully


Good!

Now, delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall.**


ComboFix 10-06-05.01 - Dan 06/05/2010 18:13:49.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.127 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

.

((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))

.

2010-06-05 22:44 . 2010-06-05 22:44 -------- d-----w- c:\windows\LastGood

2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf

2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100

2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla

2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo

2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache

2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn

2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-12 05:42 . 2010-06-05 20:51 120 ----a-w- c:\windows\Nkopefayo.dat

2010-05-12 05:42 . 2010-06-05 19:31 0 ----a-w- c:\windows\Dfuhaxu.bin

2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps

2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech

2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys

2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro

2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe

2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe

2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft

2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar

2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity

2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix

2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio

2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]

"SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]

"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]

"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]

"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

PowerReg Scheduler.exe [2010-5-8 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\windows\\system32\\lxdocfg.exe"=

"c:\\windows\\system32\\lxdocoms.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-05 18:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(204)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-05 18:25:49

ComboFix-quarantined-files.txt 2010-06-05 23:25

ComboFix2.txt 2010-06-05 22:22

Pre-Run: 17,108,643,840 bytes free

Post-Run: 17,096,462,336 bytes free

- - End Of File - - FCB1DD8A94D278522EFBE1E0DE6C90DA


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
KLMDB

File::
c:\windows\Nkopefayo.dat
c:\windows\Dfuhaxu.bin

DirLook::
c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf
c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo
c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn
c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Thanks for getting back to me so frequently, you guys rock!

ComboFix 10-06-05.02 - Dan 06/06/2010 9:22.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.162 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

FILE ::

"c:\windows\Dfuhaxu.bin"

"c:\windows\Nkopefayo.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Dfuhaxu.bin

c:\windows\Nkopefayo.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_KLMDB

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))

.

2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf

2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100

2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla

2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo

2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache

2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn

2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps

2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech

2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys

2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro

2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe

2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe

2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft

2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar

2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity

2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix

2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio

2010-03-14 20:24 . 2004-08-24 07:55 89739 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]

"SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]

"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]

"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]

"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

PowerReg Scheduler.exe [2010-5-8 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\windows\\system32\\lxdocfg.exe"=

"c:\\windows\\system32\\lxdocoms.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-06 09:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1832)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\ZCfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\basfipm.exe

c:\windows\system32\lxdocoms.exe

c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe

c:\windows\System32\RegSrvc.exe

c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe

c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

c:\program files\Apoint\Apntex.exe

c:\windows\TEMP\WV233D.EXE

c:\program files\Trend Micro\OfficeScan Client\pccntupd.exe

.

**************************************************************************

.

Completion time: 2010-06-06 09:39:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-06 14:39

ComboFix2.txt 2010-06-05 23:25

ComboFix3.txt 2010-06-05 22:22

Pre-Run: 17,121,271,808 bytes free

Post-Run: 17,016,664,064 bytes free

- - End Of File - - 674C83BA5E38E380BD51C362B4EC63FD


Please manually delete the following folders:

c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf

c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo

c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn

Let me know how things are running now.


Is it odd that ComboFix has twice today prompted me to update to a newer version, restart the comp, then run?

ComboFix 10-06-05.03 - Dan 06/06/2010 9:57.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.22 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {1034070B-4EA4-4718-BC1F-D8D80E09FDE7}

FILE ::

"c:\windows\Dfuhaxu.bin"

"c:\windows\Nkopefayo.dat"

.

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))

.

2010-06-04 18:21 . 2010-06-04 19:01 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf

2010-06-04 00:20 . 2010-06-04 00:27 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\V-Safe 100

2010-06-02 14:36 . 2010-06-02 14:36 0 ----a-w- c:\windows\nsreg.dat

2010-06-02 14:36 . 2010-06-02 14:36 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Mozilla

2010-05-29 16:42 . 2010-05-29 16:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-27 16:00 . 2010-05-27 17:31 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo

2010-05-27 11:46 . 2010-05-27 11:46 -------- d-sh--w- c:\documents and settings\Dan\IECompatCache

2010-05-25 02:06 . 2010-05-25 04:46 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn

2010-05-20 22:05 . 2010-05-20 22:28 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Deployment

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 16:26 . 2010-05-18 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 16:26 . 2010-05-18 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-18 16:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 15:53 . 2010-05-18 20:14 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq

2010-05-14 02:28 . 2010-05-14 02:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-12 05:39 . 2010-05-18 20:14 -------- d-----w- c:\windows\system32\msapps

2010-05-09 00:02 . 2010-05-09 00:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Leadertech

2010-05-08 23:55 . 2010-05-09 00:02 -------- d-----w- c:\program files\palmOne

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 22:41 . 2004-08-24 08:23 17153 ----a-w- c:\windows\system32\drivers\omci.sys

2010-06-05 18:46 . 2004-09-16 18:25 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-04 00:35 . 2010-06-04 00:35 388096 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-04 00:35 . 2004-09-15 20:25 -------- d-----w- c:\program files\Trend Micro

2010-05-20 21:51 . 2010-03-01 20:10 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\PalmDesktopShortcut.exe

2010-05-08 23:55 . 2010-05-08 23:55 65536 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\ARPPRODUCTICON.exe

2010-05-08 23:55 . 2010-05-08 23:55 45056 ----a-r- c:\documents and settings\Dan\Application Data\Microsoft\Installer\{B1D78321-7AB1-45A7-A084-885AF75B8F3D}\BluetoothShortcut.exe

2010-04-29 13:07 . 2010-04-29 13:07 -------- d-----w- c:\documents and settings\Dan\Application Data\NewSoft

2010-04-22 23:36 . 2006-03-29 16:25 -------- d-----w- c:\program files\LoneStar

2010-04-14 22:22 . 2010-04-14 22:22 -------- d-----r- c:\program files\Centricity

2010-04-14 03:42 . 2007-12-03 18:19 -------- d-----w- c:\program files\Citrix

2010-04-13 01:26 . 2010-04-13 01:26 -------- d-----w- c:\documents and settings\Dan\Application Data\Lexmark Productivity Studio

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\blxfeemyf ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ekhmtawrq ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\ismfshcjo ----

---- Directory of c:\documents and settings\Dan\Local Settings\Application Data\jvgwydunn ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-03 155648]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-09 356429]

"SMPClient"="c:\windows\SMPClient.exe" [2002-10-15 184320]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-11 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-11 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-11 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-11 20480]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]

"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2008-01-02 455336]

"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2008-01-02 25256]

"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2008-01-02 311976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

PowerReg Scheduler.exe [2010-5-8 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 20:17 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoamon.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdomon.exe"=

"c:\\windows\\system32\\lxdocfg.exe"=

"c:\\windows\\system32\\lxdocoms.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdopswx.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdotime.exe"=

"c:\\Program Files\\Lexmark 9500 Series\\lxdoFax.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdojswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdowbgw.exe"=

R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]

R2 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/3/2007 1:25 PM 78640]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/15/2004 3:25 PM 203024]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/15/2004 3:25 PM 36112]

S2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdoserv.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/3/2007 1:24 PM 23180]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\7k16rbkb.default\

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-06 10:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1004)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\System32\S24EvMon.exe

c:\windows\system32\ZCfgSvc.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\basfipm.exe

c:\windows\system32\lxdocoms.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe

c:\windows\System32\RegSrvc.exe

c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe

c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

c:\windows\TEMP\IKE33B.EXE

.

**************************************************************************

.

Completion time: 2010-06-06 10:15:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-06 15:15

ComboFix2.txt 2010-06-06 14:39

ComboFix3.txt 2010-06-05 23:25

ComboFix4.txt 2010-06-05 22:22

Pre-Run: 17,015,525,376 bytes free

Post-Run: 16,979,132,416 bytes free

- - End Of File - - 4BDD00C527F10CA226BCDD9137BB3A58
