
Internet Security Essentials - rootkit? / infection


zsoverman

Here's the situation:

Windows XP Home Edition (SP2)

Upon login to Windows, things begin with several pop-up messages:

RUNDLL

Error Loading C:\WINDOWS\wmtmsv.dll

The specified module could not be found.

netsh.exe - Entry Point Not Found

The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll

Clicking this second box triggers a couple dozen of these (one at a time):

nslookup.exe - Ordinal Not Found

The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll

Then I get a popup for "Internet Security Essentials", a fake antispyware. This program, which has eluded my every attempt to remove it, repeats its pop-ups throughout the session periodically. I can't tell if it's random or in response to user actions.

There's also some kind of either hidden web proxy or DNS poisoning going on, because web links in Internet Explorer 8 tend to redirect to malicious sites much of the time.

I also have trouble running Task Manager.

I've attempted to follow the instructions in this forum's pinned post, with the following outcome:

MBAM - It installs / updates, but a couple minutes into the scan it is shut down and thereafter rendered inoperable.

I've tried SAS as well; it shuts down mid-scan. All antivirus programs I've tried (incl. Avira) get disabled and/or broken, if they run at all.

DEFOGGER - check

DDS log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Heather Stumbaugh at 21:52:03.06 on Tue 02/22/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.88 [GMT -8:00]

AV: avast! antivirus 4.8.1229 [VPS 100531-0] *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\c28af1\ISc28_2164.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Heather Stumbaugh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=laptop

uInternet Settings,ProxyServer = http=127.0.0.1:25454

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Nbutesugune] rundll32.exe "c:\windows\wmtmsv.dll",Startup

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [internet Security Essentials] "c:\documents and settings\all users\application data\c28af1\ISc28_2164.exe" /s /d

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [uIUCU] c:\docume~1\heathe~1\locals~1\temp\UIUCU.EXE -CLEAN_UP

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [uyixosafu] rundll32.exe "c:\windows\ilucuvuh.dll",Startup

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 0 = msseces.exe

uPolicies-disallowrun: 1 = MSASCui.exe

uPolicies-disallowrun: 2 = ekrn.exe

uPolicies-disallowrun: 3 = egui.exe

uPolicies-disallowrun: 4 = avgnt.exe

uPolicies-disallowrun: 5 = avcenter.exe

uPolicies-disallowrun: 6 = avscan.exe

uPolicies-disallowrun: 7 = avgfrw.exe

uPolicies-disallowrun: 8 = avgui.exe

uPolicies-disallowrun: 9 = avgtray.exe

uPolicies-disallowrun: 10 = avgscanx.exe

uPolicies-disallowrun: 11 = avgcfgex.exe

uPolicies-disallowrun: 12 = avgemc.exe

uPolicies-disallowrun: 13 = avgchsvx.exe

uPolicies-disallowrun: 14 = avgcmgr.exe

uPolicies-disallowrun: 15 = avgwdsvc.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: mswsock.dll

DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

IFEO: image file execution options - svchost.exe

IFEO: a.exe - svchost.exe

IFEO: aAvgApi.exe - svchost.exe

IFEO: AAWTray.exe - svchost.exe

IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

Hosts: 64.34.212.70 www.google.com

Hosts: 64.34.212.70 google.com

Hosts: 64.34.212.70 google.com.au

Hosts: 64.34.212.70 www.google.com.au

Hosts: 64.34.212.70 google.be

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-20 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-20 20560]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-12-28 36224]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-10-20 200192]

R3 vbmab8c6;Virtual Bus for Microsoft ACPI-Compliant System;c:\windows\system32\drivers\vbmab8c6.sys [2004-8-4 52736]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]

S2 aspimgr;Microsoft ASPI Manager;c:\windows\system32\aspimgr.exe --> c:\windows\system32\aspimgr.exe [?]

S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\rubotsrv.exe --> c:\program files\trend micro\rubotted\RUBotSrv.exe [?]

S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]

S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]

S3 Normandy;Normandy SR2; [x]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-12-28 134912]

=============== Created Last 30 ================

2011-02-23 04:32:20 -------- d-----w- c:\docume~1\heathe~1\applic~1\Malwarebytes

2011-02-23 04:32:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-23 04:32:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-23 04:32:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-23 04:32:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-23 04:21:48 -------- d-----w- C:\TDSSKiller_Quarantine

2011-02-23 02:27:03 -------- d--h--w- c:\windows\PIF

2011-02-23 00:39:02 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-02-23 00:39:02 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-02-23 00:05:09 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-02-16 21:42:36 -------- d-sh--w- c:\docume~1\heathe~1\applic~1\Internet Security Essentials

2011-02-16 21:42:35 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\ISVYE

2011-02-16 21:42:08 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\c28af1

2011-02-01 01:35:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-02-01 01:35:57 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-02-01 01:35:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-02-01 01:35:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-02-01 01:35:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-02-01 01:35:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-02-01 01:35:46 -------- d-----w- c:\program files\InterVideo

2011-02-01 01:18:28 7432 ----a-w- c:\windows\system32\drivers\eabfiltr.sys

2011-02-01 01:18:28 5220 ----a-w- c:\windows\system32\drivers\EabUsb.sys

2011-02-01 01:14:47 20576 ------w- c:\windows\system32\drivers\PxHelp20.sys

2011-02-01 01:14:47 109568 ------w- c:\windows\system32\pxinsi64.exe

2011-02-01 01:14:47 108544 ------w- c:\windows\system32\pxcpyi64.exe

2011-02-01 01:14:27 -------- d-----w- c:\program files\common files\muvee Technologies

2011-02-01 01:06:17 69632 ----a-w- c:\windows\system32\bcmwlD2K.EXE

2011-02-01 00:46:35 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll

2011-02-01 00:46:35 18944 ----a-w- c:\windows\system32\lprmon.dll

2011-02-01 00:46:31 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll

2011-02-01 00:46:31 22528 ----a-w- c:\windows\system32\lpdsvc.dll

2011-01-29 07:33:15 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2011-02-02 09:28:03 89672 --sha-w- c:\windows\system32\csncui.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys

1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x82B9B030]

3 CLASSPNP[0xF763D05B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x82A277B0]

\Driver\Disk[0x825BB950] -> IRP_MJ_CREATE -> 0xF76B1134

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user != kernel MBR !!!

============= FINISH: 21:52:25.04 ===============

Attach.txt log is zipped and attached to this post.

GMER lists some files in the first phase but gives no warning message. So I tried running the scan (with appropriate items unchecked) anyway; about 1 second into the scan the program shuts down, and thereafter refuses to run.

- - -

Google search on this one seems to lead me to many many instances where people just give up on this one, re-format etc. If pressed for time by this customer, I may have to do the same... but I'd desperately like to avoid it. Please help.

Attach.zip

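The DDS report above already contains every indicator a helper would look for by eye: IFEO entries redirecting other programs to svchost.exe, hosts-file lines pointing Google domains at a public address, an Internet Explorer proxy forced to 127.0.0.1, a DisallowRun policy listing security-product executables, and autoruns from Application Data or rundll32 ",Startup" loaders for randomly named DLLs under the Windows root. The script below is an added example (it is not part of this thread and not part of DDS) that runs those checks over the "Pseudo HJT Report" lines; the line layout it parses is inferred from the report quoted above, and the sample input is a copy of lines from that report.

```python
"""Triage a DDS "Pseudo HJT Report" for indicators typical of a rogue-AV /
rootkit infection.  Added example for this thread; it is not part of DDS and
the line layout it parses is inferred from the report quoted above.

Indicators covered:
  * IFEO debugger entries that redirect other programs (here to svchost.exe)
  * hosts-file entries pointing a domain at a non-loopback address
  * an Internet Explorer proxy forced to 127.0.0.1 (traffic interception)
  * DisallowRun policies naming security-product executables
  * autoruns from throw-away locations (Application Data, Temp) and
    rundll32 ",Startup" loaders, the pattern used by the two random-named DLLs
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the first DDS log posted in the thread.
SAMPLE_REPORT = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:25454
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Nbutesugune] rundll32.exe "c:\windows\wmtmsv.dll",Startup
uRun: [internet Security Essentials] "c:\documents and settings\all users\application data\c28af1\ISc28_2164.exe" /s /d
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [uyixosafu] rundll32.exe "c:\windows\ilucuvuh.dll",Startup
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 0 = msseces.exe
uPolicies-disallowrun: 4 = avgnt.exe
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
Hosts: 64.34.212.70 www.google.com
Hosts: 64.34.212.70 google.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class, e.g. "ifeo_debugger"
    detail: str  # the value that triggered it
    line: str    # the original report line, for the write-up


# Name prefixes of the security products listed in the thread's DisallowRun
# policy (Microsoft Security Essentials, avast!/Avira/AVG, ESET, MBAM, SAS).
SECURITY_TOOL_PREFIXES = ("ms", "av", "ekrn", "egui", "mbam", "sas")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}

# The "IFEO: image file execution options - svchost.exe" header has spaces in
# its first field, so the \S+ group deliberately does not match it.
_IFEO = re.compile(r"^IFEO:\s+(\S+)\s+-\s+(\S+)$")
_HOSTS = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
_DISALLOW = re.compile(r"^uPolicies-disallowrun:\s+\d+\s+=\s+(\S+)$")
_RUN = re.compile(r"^[um]Run:\s+\[[^\]]*\]\s+(.+)$")
_RUNDLL_STARTUP = re.compile(r'^rundll32\.exe\s+"([^"]+)",Startup', re.IGNORECASE)


def triage(report: str) -> list[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := _IFEO.match(line):
            # Legitimate IFEO debuggers are rare on a home PC; the same
            # debugger on many images is the rogue-AV "block everything" trick.
            findings.append(Finding("ifeo_debugger", f"{m[1]} -> {m[2]}", line))
        elif m := _HOSTS.match(line):
            if m[1] not in LOOPBACK:
                findings.append(Finding("hosts_override", f"{m[2]} -> {m[1]}", line))
        elif m := _PROXY.match(line):
            if "127.0.0.1" in m[1] or "localhost" in m[1].lower():
                findings.append(Finding("local_proxy", m[1], line))
        elif m := _DISALLOW.match(line):
            exe = m[1].lower()
            kind = "disallowrun_security_tool" if exe.startswith(SECURITY_TOOL_PREFIXES) else "disallowrun"
            findings.append(Finding(kind, exe, line))
        elif m := _RUN.match(line):
            command = m[1]
            if d := _RUNDLL_STARTUP.match(command):
                findings.append(Finding("rundll32_startup", d[1], line))
            elif any(p in command.lower() for p in ("\\application data\\", "\\temp\\")):
                # A review flag, not a verdict: some legitimate updaters run
                # from these folders too.
                findings.append(Finding("autorun_data_dir", command, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator class, for a quick first look."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(summarize(results))
```

On the sample above the script reports ten findings: two IFEO redirects, two hosts overrides, the local proxy, two blocked security tools, two rundll32 ",Startup" loaders and one autorun from Application Data. Each is only a triage flag for a human to confirm against the full Attach.txt; the value is that the same checks can be run over every DDS log a helper receives instead of reading each by hand.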

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


I had a difficult time getting ComboFix onto the affected machine. I've not touched it since I posted my first message, but somehow in the meantime yet another fake antivirus program has installed (Antivira or something?). 100% of my web browsing is now hijacked, as are most executables.

I put the machine into Safe Mode to get ComboFix on there. When I run ComboFix on the desktop, a small progress bar (labelled "Combofix") fills up, then pauses, then disappears. None of the subsequent dialogs referenced in the guide ever appear, and there is no log file.

Here is an updated DDS log in case it matters. Please advise what I should do next. I've left the machine in Safe Mode for now (the only state in which it's at all operable at the moment).

- - -

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK

Run by Heather Stumbaugh at 1:28:08.62 on Wed 02/23/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.228 [GMT -8:00]

AV: avast! antivirus 4.8.1229 [VPS 100531-0] *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Heather Stumbaugh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=laptop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:18810

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Nbutesugune] rundll32.exe "c:\windows\wmtmsv.dll",Startup

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [internet Security Essentials] "c:\documents and settings\all users\application data\c28af1\ISc28_2164.exe" /s /d

uRun: [ytrtrvyw] c:\docume~1\heathe~1\locals~1\temp\vxwbckhom\mexbfexsika.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [uIUCU] c:\docume~1\heathe~1\locals~1\temp\UIUCU.EXE -CLEAN_UP

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [uyixosafu] rundll32.exe "c:\windows\ilucuvuh.dll",Startup

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 0 = msseces.exe

uPolicies-disallowrun: 1 = MSASCui.exe

uPolicies-disallowrun: 2 = ekrn.exe

uPolicies-disallowrun: 3 = egui.exe

uPolicies-disallowrun: 4 = avgnt.exe

uPolicies-disallowrun: 5 = avcenter.exe

uPolicies-disallowrun: 6 = avscan.exe

uPolicies-disallowrun: 7 = avgfrw.exe

uPolicies-disallowrun: 8 = avgui.exe

uPolicies-disallowrun: 9 = avgtray.exe

uPolicies-disallowrun: 10 = avgscanx.exe

uPolicies-disallowrun: 11 = avgcfgex.exe

uPolicies-disallowrun: 12 = avgemc.exe

uPolicies-disallowrun: 13 = avgchsvx.exe

uPolicies-disallowrun: 14 = avgcmgr.exe

uPolicies-disallowrun: 15 = avgwdsvc.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: mswsock.dll

DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

IFEO: image file execution options - svchost.exe

IFEO: a.exe - svchost.exe

IFEO: aAvgApi.exe - svchost.exe

IFEO: AAWTray.exe - svchost.exe

IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

Hosts: 64.34.212.70 www.google.com

Hosts: 64.34.212.70 google.com

Hosts: 64.34.212.70 google.com.au

Hosts: 64.34.212.70 www.google.com.au

Hosts: 64.34.212.70 google.be

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R3 vbmab8c6;Virtual Bus for Microsoft ACPI-Compliant System;c:\windows\system32\drivers\vbmab8c6.sys [2004-8-4 52736]

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-20 78416]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]

S2 aspimgr;Microsoft ASPI Manager;c:\windows\system32\aspimgr.exe --> c:\windows\system32\aspimgr.exe [?]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-20 20560]

S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\rubotsrv.exe --> c:\program files\trend micro\rubotted\RUBotSrv.exe [?]

S3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-12-28 36224]

S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]

S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]

S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-10-20 200192]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]

S3 Normandy;Normandy SR2; [x]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-12-28 134912]

=============== Created Last 30 ================

2011-02-23 04:32:20 -------- d-----w- c:\docume~1\heathe~1\applic~1\Malwarebytes

2011-02-23 04:32:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-23 04:32:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-23 04:32:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-23 04:32:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-23 04:21:48 -------- d-----w- C:\TDSSKiller_Quarantine

2011-02-23 02:27:03 -------- d--h--w- c:\windows\PIF

2011-02-23 00:39:02 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-02-23 00:39:02 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-02-23 00:05:09 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-02-16 21:42:36 -------- d-sh--w- c:\docume~1\heathe~1\applic~1\Internet Security Essentials

2011-02-16 21:42:35 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\ISVYE

2011-02-16 21:42:08 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\c28af1

2011-02-01 01:35:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-02-01 01:35:57 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-02-01 01:35:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-02-01 01:35:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-02-01 01:35:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-02-01 01:35:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-02-01 01:35:46 -------- d-----w- c:\program files\InterVideo

2011-02-01 01:18:28 7432 ----a-w- c:\windows\system32\drivers\eabfiltr.sys

2011-02-01 01:18:28 5220 ----a-w- c:\windows\system32\drivers\EabUsb.sys

2011-02-01 01:14:47 20576 ------w- c:\windows\system32\drivers\PxHelp20.sys

2011-02-01 01:14:47 109568 ------w- c:\windows\system32\pxinsi64.exe

2011-02-01 01:14:47 108544 ------w- c:\windows\system32\pxcpyi64.exe

2011-02-01 01:14:27 -------- d-----w- c:\program files\common files\muvee Technologies

2011-02-01 01:06:17 69632 ----a-w- c:\windows\system32\bcmwlD2K.EXE

2011-02-01 00:46:35 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll

2011-02-01 00:46:35 18944 ----a-w- c:\windows\system32\lprmon.dll

2011-02-01 00:46:31 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll

2011-02-01 00:46:31 22528 ----a-w- c:\windows\system32\lpdsvc.dll

2011-01-29 07:33:15 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2011-02-02 09:28:03 89672 --sha-w- c:\windows\system32\csncui.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHV2060AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF7781134]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf7784858]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }

1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x82BD5728]

3 CLASSPNP[0xF763D05B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x82607850]

\Driver\Disk[0x82A17030] -> IRP_MJ_CREATE -> 0xF7781134

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user & kernel MBR OK

============= FINISH: 1:28:40.09 ===============

Attach.zip


  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt,

for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

After that, try running ComboFix again as outlined above.


TDSSkiller log:

2011/02/23 22:56:51.0906 1336 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08

2011/02/23 22:56:52.0921 1336 ================================================================================

2011/02/23 22:56:52.0921 1336 SystemInfo:

2011/02/23 22:56:52.0921 1336

2011/02/23 22:56:52.0921 1336 OS Version: 5.1.2600 ServicePack: 2.0

2011/02/23 22:56:52.0921 1336 Product type: Workstation

2011/02/23 22:56:52.0921 1336 ComputerName: HOME

2011/02/23 22:56:52.0921 1336 UserName: Heather Stumbaugh

2011/02/23 22:56:52.0921 1336 Windows directory: C:\WINDOWS

2011/02/23 22:56:52.0921 1336 System windows directory: C:\WINDOWS

2011/02/23 22:56:52.0921 1336 Processor architecture: Intel x86

2011/02/23 22:56:52.0921 1336 Number of processors: 1

2011/02/23 22:56:52.0921 1336 Page size: 0x1000

2011/02/23 22:56:52.0921 1336 Boot type: Safe boot with network

2011/02/23 22:56:52.0921 1336 ================================================================================

2011/02/23 22:56:53.0218 1336 Initialize success

2011/02/23 22:57:08.0265 2028 ================================================================================

2011/02/23 22:57:08.0265 2028 Scan started

2011/02/23 22:57:08.0265 2028 Mode: Manual;

2011/02/23 22:57:08.0265 2028 ================================================================================

2011/02/23 22:57:10.0515 2028 Aavmker4 (b36c2d3a46078f4a278386f5c974564d) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/02/23 22:57:10.0687 2028 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/23 22:57:10.0765 2028 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/02/23 22:57:10.0890 2028 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2011/02/23 22:57:11.0000 2028 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys

2011/02/23 22:57:11.0234 2028 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/02/23 22:57:11.0640 2028 AmdK8 (a2d5f093f9cb160c183c77015704f156) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/02/23 22:57:11.0812 2028 ArcCD (a82f1a1b09593c73efd02a59dc94920c) C:\WINDOWS\system32\drivers\ArcCD.sys

2011/02/23 22:57:11.0859 2028 ArcRec (1af9061b61741a912368ab4dc309d25e) C:\WINDOWS\system32\drivers\ArcRec.sys

2011/02/23 22:57:11.0937 2028 ArcUdfs (3ee9e41102a2c6b8f7dbad5d44abda05) C:\WINDOWS\system32\drivers\ArcUdfs.sys

2011/02/23 22:57:12.0281 2028 aswFsBlk (976e2ad5a62044629c2de2ca8563722a) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys

2011/02/23 22:57:12.0375 2028 aswMon2 (c298f660fd9a91b0fb24c0aa26ae09ac) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/02/23 22:57:12.0468 2028 aswRdr (d78653e357bfadb9a432aa1f66d50269) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/02/23 22:57:12.0562 2028 aswSP (17c4f06944b90944291cf7fb18d630c2) C:\WINDOWS\system32\drivers\aswSP.sys

2011/02/23 22:57:12.0640 2028 aswTdi (c33510a1866806fd9c17f5d36b4db6a6) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/23 22:57:12.0796 2028 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/23 22:57:12.0937 2028 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/23 22:57:13.0203 2028 ati2mtag (9dc33d25ee0ed27752455a52f25ddb6e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/02/23 22:57:13.0359 2028 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/23 22:57:13.0531 2028 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/23 22:57:13.0656 2028 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/02/23 22:57:13.0781 2028 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/23 22:57:13.0890 2028 CAMCAUD (4ebc37b6677a6768b307ae40839d788f) C:\WINDOWS\system32\drivers\camc6aud.sys

2011/02/23 22:57:13.0968 2028 CAMCHALA (9a38fc432ad8b3400cefb70a7236979e) C:\WINDOWS\system32\drivers\camc6hal.sys

2011/02/23 22:57:14.0062 2028 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/23 22:57:14.0140 2028 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/23 22:57:14.0250 2028 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/23 22:57:14.0359 2028 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/23 22:57:14.0609 2028 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/02/23 22:57:14.0687 2028 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/02/23 22:57:14.0937 2028 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/23 22:57:15.0046 2028 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/23 22:57:15.0171 2028 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/23 22:57:15.0281 2028 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/23 22:57:15.0437 2028 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/23 22:57:15.0531 2028 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/23 22:57:15.0609 2028 eabfiltr (81b7808d3b5892388f33273119c2dc31) C:\WINDOWS\system32\drivers\EABFiltr.sys

2011/02/23 22:57:15.0687 2028 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys

2011/02/23 22:57:15.0781 2028 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/23 22:57:15.0875 2028 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

2011/02/23 22:57:15.0937 2028 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/23 22:57:15.0984 2028 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/02/23 22:57:16.0062 2028 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/02/23 22:57:16.0109 2028 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/23 22:57:16.0187 2028 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/23 22:57:16.0296 2028 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/02/23 22:57:16.0421 2028 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/23 22:57:16.0546 2028 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/23 22:57:16.0687 2028 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/02/23 22:57:16.0796 2028 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/02/23 22:57:16.0906 2028 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/02/23 22:57:17.0000 2028 HSFHWATI (13d4b70bf2f9bc550e9079da864d3ec1) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys

2011/02/23 22:57:17.0156 2028 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2011/02/23 22:57:17.0359 2028 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/23 22:57:17.0546 2028 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/23 22:57:17.0656 2028 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/23 22:57:17.0828 2028 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/02/23 22:57:17.0906 2028 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/23 22:57:17.0968 2028 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/23 22:57:18.0062 2028 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/23 22:57:18.0156 2028 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/23 22:57:18.0234 2028 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/23 22:57:18.0328 2028 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/23 22:57:18.0453 2028 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/23 22:57:18.0546 2028 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/23 22:57:18.0671 2028 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/23 22:57:18.0750 2028 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/23 22:57:18.0968 2028 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/02/23 22:57:19.0109 2028 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/23 22:57:19.0218 2028 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/23 22:57:19.0328 2028 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2011/02/23 22:57:19.0375 2028 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2011/02/23 22:57:19.0406 2028 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys

2011/02/23 22:57:19.0468 2028 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motport.sys

2011/02/23 22:57:19.0578 2028 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/23 22:57:19.0703 2028 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/23 22:57:19.0828 2028 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/23 22:57:19.0937 2028 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/23 22:57:20.0046 2028 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/23 22:57:20.0093 2028 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/23 22:57:20.0187 2028 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/23 22:57:20.0312 2028 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/23 22:57:20.0343 2028 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/23 22:57:20.0421 2028 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/23 22:57:20.0500 2028 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/23 22:57:20.0625 2028 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/23 22:57:20.0718 2028 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/23 22:57:20.0828 2028 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/23 22:57:20.0875 2028 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/23 22:57:20.0921 2028 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/23 22:57:21.0000 2028 NetBIOS (92b8dd81abfd533b37fd439398a8c546) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/23 22:57:21.0031 2028 NetBIOS - detected Rootkit.Win32.ZAccess.c (0)

2011/02/23 22:57:21.0140 2028 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/23 22:57:21.0359 2028 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/02/23 22:57:21.0406 2028 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/23 22:57:21.0515 2028 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/23 22:57:21.0640 2028 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/23 22:57:21.0734 2028 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/23 22:57:21.0859 2028 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/23 22:57:22.0015 2028 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

2011/02/23 22:57:22.0046 2028 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/23 22:57:22.0140 2028 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/23 22:57:22.0187 2028 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/23 22:57:22.0281 2028 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/23 22:57:22.0328 2028 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/02/23 22:57:22.0687 2028 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/23 22:57:22.0781 2028 Processor (9e372a156f92425a1904b84589093a37) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/02/23 22:57:22.0875 2028 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/23 22:57:22.0921 2028 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/23 22:57:23.0031 2028 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/02/23 22:57:23.0328 2028 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/23 22:57:23.0390 2028 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/23 22:57:23.0500 2028 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/23 22:57:23.0546 2028 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/23 22:57:23.0640 2028 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/23 22:57:23.0703 2028 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/23 22:57:23.0828 2028 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/23 22:57:23.0890 2028 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/23 22:57:24.0062 2028 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

2011/02/23 22:57:24.0140 2028 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/02/23 22:57:24.0453 2028 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/23 22:57:24.0578 2028 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

2011/02/23 22:57:24.0640 2028 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/23 22:57:24.0890 2028 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/23 22:57:24.0984 2028 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/23 22:57:25.0078 2028 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/23 22:57:25.0187 2028 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/23 22:57:25.0296 2028 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/23 22:57:25.0671 2028 SynTP (794b330d3ea6b6b09c5b1bb1ee2e299f) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/02/23 22:57:25.0703 2028 SynTP - detected Rootkit.Win32.ZAccess.c (0)

2011/02/23 22:57:25.0765 2028 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/23 22:57:25.0906 2028 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/23 22:57:26.0000 2028 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/23 22:57:26.0109 2028 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/23 22:57:26.0203 2028 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/23 22:57:26.0359 2028 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/23 22:57:26.0562 2028 Update (cc6cb2d64603407da041edd611f321e1) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/23 22:57:26.0578 2028 Update - detected Rootkit.Win32.ZAccess.c (0)

2011/02/23 22:57:26.0687 2028 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/23 22:57:26.0765 2028 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/23 22:57:26.0812 2028 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/23 22:57:26.0875 2028 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/02/23 22:57:26.0953 2028 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/02/23 22:57:27.0140 2028 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/23 22:57:27.0218 2028 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/23 22:57:27.0390 2028 vbmab8c6 (10f2bac9c504fe5b409efda68c43b4e7) C:\WINDOWS\system32\drivers\vbmab8c6.sys

2011/02/23 22:57:27.0390 2028 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmab8c6.sys. md5: 10f2bac9c504fe5b409efda68c43b4e7

2011/02/23 22:57:27.0406 2028 vbmab8c6 - detected Locked file (1)

2011/02/23 22:57:27.0500 2028 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/02/23 22:57:27.0640 2028 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/23 22:57:27.0750 2028 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/23 22:57:27.0875 2028 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/02/23 22:57:28.0109 2028 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/23 22:57:28.0328 2028 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/02/23 22:57:28.0531 2028 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/02/23 22:57:28.0671 2028 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/02/23 22:57:28.0734 2028 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/02/23 22:57:28.0921 2028 xusb21 (f5e5f944e63a9b5f6e76c2ebb2ac462f) C:\WINDOWS\system32\DRIVERS\xusb21.sys

2011/02/23 22:57:29.0187 2028 ================================================================================

2011/02/23 22:57:29.0187 2028 Scan finished

2011/02/23 22:57:29.0187 2028 ================================================================================

2011/02/23 22:57:29.0234 1748 Detected object count: 4

2011/02/23 22:57:48.0281 1748 NetBIOS (92b8dd81abfd533b37fd439398a8c546) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/23 22:57:49.0218 1748 Backup copy found, using it..

2011/02/23 22:57:49.0250 1748 C:\WINDOWS\system32\DRIVERS\netbios.sys - will be cured after reboot

2011/02/23 22:57:49.0250 1748 Rootkit.Win32.ZAccess.c(NetBIOS) - User select action: Cure

2011/02/23 22:57:49.0484 1748 SynTP (794b330d3ea6b6b09c5b1bb1ee2e299f) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/02/23 22:57:49.0531 1748 Backup copy not found, trying to cure infected file..

2011/02/23 22:57:49.0546 1748 C:\WINDOWS\system32\DRIVERS\SynTP.sys - Cure failed (FFFFFFFF)

2011/02/23 22:57:49.0546 1748 C:\WINDOWS\system32\DRIVERS\SynTP.sys - processing error

2011/02/23 22:57:49.0546 1748 Rootkit.Win32.ZAccess.c(SynTP) - User select action: Cure

2011/02/23 22:57:49.0687 1748 Update (cc6cb2d64603407da041edd611f321e1) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/23 22:57:49.0718 1748 Backup copy not found, trying to cure infected file..

2011/02/23 22:57:49.0718 1748 C:\WINDOWS\system32\DRIVERS\update.sys - Cure failed (FFFFFFFF)

2011/02/23 22:57:49.0718 1748 C:\WINDOWS\system32\DRIVERS\update.sys - processing error

2011/02/23 22:57:49.0718 1748 Rootkit.Win32.ZAccess.c(Update) - User select action: Cure

2011/02/23 22:57:49.0718 1748 Locked file(vbmab8c6) - User select action: Skip

2011/02/23 22:58:05.0421 0328 Deinitialize success

GMER shuts down immediately when I press the SCAN button.

(I went ahead and also tried ComboFix again, just in case; same result as prior attempts.)

Let me know what I should do next, thanks.

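The two TDSSKiller logs in this thread are worth reading side by side: the same service name (NetBIOS, SynTP, aswTdi, NdisWan) shows up with a different MD5 from one scan to the next, the cure on two drivers fails, and after the reboot the NetBIOS service is backed by a .tmp file instead of netbios.sys. Comparing that by eye across a few hundred lines is error-prone, so here is an added example (my own code, not TDSSKiller's and not something the thread's helpers posted) that parses the two line formats seen above and diffs two scans of the same machine. The sample log text inside it is constructed to mirror the posted format, with obviously fake MD5 values and a made-up tsk01.tmp path; only the service names are borrowed from the thread.

```python
"""Parse TDSSKiller driver-enumeration logs and compare two scans of one host.
Added example for this thread; the sample logs below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Enumeration line: "<date> <time.ms> <pid> <ServiceName> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d{4}\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)
# Verdict line: "<date> <time.ms> <pid> <ServiceName> - detected <Verdict> (<n>)"
DETECT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d{4}\s+"
    r"(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$"
)


@dataclass
class DriverEntry:
    md5: str
    path: str
    verdict: Optional[str] = None  # filled in when a "- detected" line follows


def parse_scan(log_text: str) -> Dict[str, DriverEntry]:
    """Map service name -> DriverEntry. Banner, summary and
    'Suspicious file' lines do not match either pattern and are skipped."""
    entries: Dict[str, DriverEntry] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            entries[m.group("name")] = DriverEntry(m.group("md5"), m.group("path"))
            continue
        m = DETECT_RE.match(line)
        if m and m.group("name") in entries:
            entries[m.group("name")].verdict = m.group("verdict")
    return entries


def detections(scan: Dict[str, DriverEntry]) -> List[Tuple[str, str]]:
    """(service, verdict) for every flagged driver, sorted by service name."""
    return sorted((n, e.verdict) for n, e in scan.items() if e.verdict)


def compare_scans(before: Dict[str, DriverEntry],
                  after: Dict[str, DriverEntry]) -> Dict[str, list]:
    """changed: same service, different hash or path (patched/swapped image, or a cure)
    flagged: detected in the second scan only; cleared: detected in the first only
    missing: enumerated in the first scan but absent from the second"""
    common = sorted(set(before) & set(after))
    changed = [(n, before[n].md5, after[n].md5) for n in common
               if before[n].md5 != after[n].md5
               or before[n].path.lower() != after[n].path.lower()]
    flagged = sorted(n for n, e in after.items()
                     if e.verdict and not (n in before and before[n].verdict))
    cleared = [n for n in common if before[n].verdict and not after[n].verdict]
    missing = sorted(set(before) - set(after))
    return {"changed": changed, "flagged": flagged, "cleared": cleared, "missing": missing}


# Constructed sample logs in the posted format; hashes are deliberately fake.
SCAN_BEFORE = r"""
2011/02/23 22:57:12.0640 2028 aswTdi (0badf00d0badf00d0badf00d0badf00d) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/23 22:57:13.0781 2028 Beep (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/23 22:57:21.0000 2028 NetBIOS (cafebabecafebabecafebabecafebabe) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/23 22:57:21.0031 2028 NetBIOS - detected Rootkit.Win32.ZAccess.c (0)
2011/02/23 22:57:25.0671 2028 SynTP (feedfacefeedfacefeedfacefeedface) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/02/23 22:57:25.0703 2028 SynTP - detected Rootkit.Win32.ZAccess.c (0)
2011/02/23 22:57:27.0390 2028 vbmab8c6 (abad1deaabad1deaabad1deaabad1dea) C:\WINDOWS\system32\drivers\vbmab8c6.sys
2011/02/23 22:57:27.0390 2028 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmab8c6.sys. md5: abad1deaabad1deaabad1deaabad1dea
2011/02/23 22:57:27.0406 2028 vbmab8c6 - detected Locked file (1)
"""
SCAN_AFTER = r"""
2011/02/24 23:49:52.0328 0296 aswTdi (baaaaaadbaaaaaadbaaaaaadbaaaaaad) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/02/24 23:49:52.0343 0296 aswTdi - detected Rootkit.Win32.ZAccess.c (0)
2011/02/24 23:49:53.0531 0296 Beep (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/24 23:50:02.0593 0296 NetBIOS (c0ffee00c0ffee00c0ffee00c0ffee00) C:\WINDOWS\system32\drivers\tsk01.tmp
2011/02/24 23:50:07.0218 0296 SynTP (f00dbabef00dbabef00dbabef00dbabe) C:\WINDOWS\system32\DRIVERS\SynTP.sys
"""

if __name__ == "__main__":
    first, second = parse_scan(SCAN_BEFORE), parse_scan(SCAN_AFTER)
    print("first scan detections :", detections(first))
    print("second scan detections:", detections(second))
    for key, value in compare_scans(first, second).items():
        print(f"{key:8}: {value}")
```

To use it on real output, read each saved TDSSKiller log into `parse_scan` and feed the two results to `compare_scans`. A name in `changed` that the tool did not itself report as cured ("will be cured after reboot") is a driver image worth preserving for analysis, and a `cleared` entry whose hash also changed is not evidence of a clean driver, only of a different file under the same service name.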

  • Staff

Hi,

Looks like many infections are at work here.

Run TDSSKiller again and post its log.

Next, download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you: one will pop up (OTL.txt); the other will be saved on your Desktop (Extras.txt). Post both logs in this thread.
  • You may need to use two posts to get it all.

See if MBAM can scan now; rename its executable to something other than MBAM.exe before opening it. Also try running ComboFix again; see if renaming it to anything.cmd allows it to run.


TDSSKiller log:

2011/02/24 23:49:44.0718 1128 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08

2011/02/24 23:49:45.0093 1128 ================================================================================

2011/02/24 23:49:45.0093 1128 SystemInfo:

2011/02/24 23:49:45.0093 1128

2011/02/24 23:49:45.0093 1128 OS Version: 5.1.2600 ServicePack: 2.0

2011/02/24 23:49:45.0093 1128 Product type: Workstation

2011/02/24 23:49:45.0093 1128 ComputerName: HOME

2011/02/24 23:49:45.0093 1128 UserName: Heather Stumbaugh

2011/02/24 23:49:45.0093 1128 Windows directory: C:\WINDOWS

2011/02/24 23:49:45.0093 1128 System windows directory: C:\WINDOWS

2011/02/24 23:49:45.0093 1128 Processor architecture: Intel x86

2011/02/24 23:49:45.0093 1128 Number of processors: 1

2011/02/24 23:49:45.0093 1128 Page size: 0x1000

2011/02/24 23:49:45.0093 1128 Boot type: Safe boot with network

2011/02/24 23:49:45.0093 1128 ================================================================================

2011/02/24 23:49:45.0390 1128 Initialize success

2011/02/24 23:49:48.0375 0296 ================================================================================

2011/02/24 23:49:48.0375 0296 Scan started

2011/02/24 23:49:48.0375 0296 Mode: Manual;

2011/02/24 23:49:48.0375 0296 ================================================================================

2011/02/24 23:49:50.0203 0296 Aavmker4 (b36c2d3a46078f4a278386f5c974564d) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/02/24 23:49:50.0421 0296 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/24 23:49:50.0500 0296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/02/24 23:49:50.0625 0296 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

2011/02/24 23:49:50.0734 0296 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys

2011/02/24 23:49:50.0843 0296 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/02/24 23:49:51.0375 0296 AmdK8 (a2d5f093f9cb160c183c77015704f156) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/02/24 23:49:51.0500 0296 ArcCD (a82f1a1b09593c73efd02a59dc94920c) C:\WINDOWS\system32\drivers\ArcCD.sys

2011/02/24 23:49:51.0593 0296 ArcRec (1af9061b61741a912368ab4dc309d25e) C:\WINDOWS\system32\drivers\ArcRec.sys

2011/02/24 23:49:51.0671 0296 ArcUdfs (3ee9e41102a2c6b8f7dbad5d44abda05) C:\WINDOWS\system32\drivers\ArcUdfs.sys

2011/02/24 23:49:51.0921 0296 aswFsBlk (976e2ad5a62044629c2de2ca8563722a) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys

2011/02/24 23:49:52.0093 0296 aswMon2 (c298f660fd9a91b0fb24c0aa26ae09ac) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/02/24 23:49:52.0171 0296 aswRdr (d78653e357bfadb9a432aa1f66d50269) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/02/24 23:49:52.0250 0296 aswSP (17c4f06944b90944291cf7fb18d630c2) C:\WINDOWS\system32\drivers\aswSP.sys

2011/02/24 23:49:52.0328 0296 aswTdi (e27f0d0fe3a8d6fd07bb38c37faeed6b) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/24 23:49:52.0343 0296 aswTdi - detected Rootkit.Win32.ZAccess.c (0)

2011/02/24 23:49:52.0453 0296 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/24 23:49:52.0593 0296 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/24 23:49:52.0828 0296 ati2mtag (9dc33d25ee0ed27752455a52f25ddb6e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/02/24 23:49:53.0140 0296 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/24 23:49:53.0296 0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/24 23:49:53.0468 0296 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/02/24 23:49:53.0531 0296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/24 23:49:53.0656 0296 CAMCAUD (4ebc37b6677a6768b307ae40839d788f) C:\WINDOWS\system32\drivers\camc6aud.sys

2011/02/24 23:49:53.0781 0296 CAMCHALA (9a38fc432ad8b3400cefb70a7236979e) C:\WINDOWS\system32\drivers\camc6hal.sys

2011/02/24 23:49:54.0031 0296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/24 23:49:54.0562 0296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/24 23:49:54.0734 0296 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/24 23:49:54.0859 0296 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/24 23:49:55.0187 0296 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/02/24 23:49:55.0296 0296 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/02/24 23:49:55.0515 0296 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/24 23:49:55.0625 0296 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/24 23:49:55.0796 0296 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/24 23:49:55.0890 0296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/24 23:49:55.0984 0296 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/24 23:49:56.0093 0296 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/24 23:49:56.0187 0296 eabfiltr (81b7808d3b5892388f33273119c2dc31) C:\WINDOWS\system32\drivers\EABFiltr.sys

2011/02/24 23:49:56.0328 0296 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys

2011/02/24 23:49:56.0437 0296 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/24 23:49:56.0562 0296 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

2011/02/24 23:49:56.0640 0296 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/24 23:49:56.0703 0296 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/02/24 23:49:56.0828 0296 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/02/24 23:49:56.0875 0296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/24 23:49:56.0968 0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/24 23:49:57.0078 0296 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/02/24 23:49:57.0140 0296 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/24 23:49:57.0265 0296 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/24 23:49:57.0453 0296 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/02/24 23:49:57.0593 0296 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/02/24 23:49:57.0765 0296 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/02/24 23:49:57.0906 0296 HSFHWATI (13d4b70bf2f9bc550e9079da864d3ec1) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys

2011/02/24 23:49:57.0984 0296 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2011/02/24 23:49:58.0156 0296 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/24 23:49:58.0390 0296 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/24 23:49:58.0531 0296 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/24 23:49:58.0765 0296 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/02/24 23:49:58.0828 0296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/24 23:49:58.0875 0296 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/24 23:49:58.0953 0296 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/24 23:49:59.0046 0296 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/24 23:49:59.0125 0296 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/24 23:49:59.0281 0296 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/24 23:49:59.0453 0296 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/24 23:49:59.0531 0296 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/24 23:49:59.0609 0296 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/24 23:49:59.0703 0296 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/24 23:49:59.0937 0296 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/02/24 23:50:00.0046 0296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/24 23:50:00.0203 0296 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/24 23:50:00.0328 0296 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2011/02/24 23:50:00.0390 0296 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2011/02/24 23:50:00.0437 0296 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys

2011/02/24 23:50:00.0484 0296 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motport.sys

2011/02/24 23:50:00.0562 0296 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/24 23:50:00.0687 0296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/24 23:50:00.0734 0296 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/24 23:50:00.0828 0296 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/24 23:50:00.0921 0296 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/24 23:50:01.0062 0296 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/24 23:50:01.0234 0296 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/24 23:50:01.0375 0296 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/24 23:50:01.0437 0296 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/24 23:50:01.0578 0296 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/24 23:50:01.0828 0296 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/24 23:50:02.0000 0296 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/24 23:50:02.0265 0296 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/24 23:50:02.0328 0296 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/24 23:50:02.0421 0296 NdisWan (f5986637fd42e3e1ed7d7fa131acaee9) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/24 23:50:02.0453 0296 NdisWan - detected Rootkit.Win32.ZAccess.c (0)

2011/02/24 23:50:02.0500 0296 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/24 23:50:02.0593 0296 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\drivers\tsk1B.tmp

2011/02/24 23:50:02.0718 0296 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/24 23:50:02.0906 0296 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys

2011/02/24 23:50:03.0031 0296 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/24 23:50:03.0156 0296 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/24 23:50:03.0281 0296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/24 23:50:03.0343 0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/24 23:50:03.0390 0296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/24 23:50:03.0484 0296 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

2011/02/24 23:50:03.0546 0296 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/24 23:50:03.0625 0296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/24 23:50:03.0687 0296 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/24 23:50:03.0875 0296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/24 23:50:03.0921 0296 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/02/24 23:50:04.0390 0296 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/24 23:50:04.0484 0296 Processor (9e372a156f92425a1904b84589093a37) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/02/24 23:50:04.0531 0296 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/24 23:50:04.0562 0296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/24 23:50:04.0671 0296 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/02/24 23:50:04.0968 0296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/24 23:50:05.0015 0296 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/24 23:50:05.0078 0296 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/24 23:50:05.0125 0296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/24 23:50:05.0234 0296 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/24 23:50:05.0328 0296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/24 23:50:05.0484 0296 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/24 23:50:05.0640 0296 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/24 23:50:05.0781 0296 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

2011/02/24 23:50:05.0875 0296 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/02/24 23:50:06.0140 0296 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/24 23:50:06.0328 0296 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

2011/02/24 23:50:06.0437 0296 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/24 23:50:06.0609 0296 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/24 23:50:06.0703 0296 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/24 23:50:06.0859 0296 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/24 23:50:06.0937 0296 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/24 23:50:06.0984 0296 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/24 23:50:07.0218 0296 SynTP (1dbc86da355b5db35174f862c110fd09) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/02/24 23:50:07.0328 0296 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/24 23:50:07.0484 0296 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/24 23:50:07.0609 0296 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/24 23:50:07.0718 0296 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/24 23:50:07.0750 0296 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/24 23:50:07.0906 0296 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/24 23:50:08.0093 0296 Update (cc6cb2d64603407da041edd611f321e1) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/24 23:50:08.0125 0296 Update - detected Rootkit.Win32.ZAccess.c (0)

2011/02/24 23:50:08.0234 0296 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/24 23:50:08.0375 0296 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/24 23:50:08.0500 0296 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/24 23:50:08.0578 0296 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/02/24 23:50:08.0671 0296 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/02/24 23:50:08.0734 0296 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/24 23:50:08.0875 0296 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/24 23:50:08.0968 0296 vbmab8c6 (10f2bac9c504fe5b409efda68c43b4e7) C:\WINDOWS\system32\drivers\vbmab8c6.sys

2011/02/24 23:50:08.0968 0296 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmab8c6.sys. md5: 10f2bac9c504fe5b409efda68c43b4e7

2011/02/24 23:50:08.0984 0296 vbmab8c6 - detected Locked file (1)

2011/02/24 23:50:09.0218 0296 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/02/24 23:50:09.0375 0296 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/24 23:50:09.0500 0296 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/24 23:50:09.0625 0296 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/02/24 23:50:09.0765 0296 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/24 23:50:09.0921 0296 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/02/24 23:50:10.0140 0296 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/02/24 23:50:10.0312 0296 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/02/24 23:50:10.0390 0296 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/02/24 23:50:10.0562 0296 xusb21 (f5e5f944e63a9b5f6e76c2ebb2ac462f) C:\WINDOWS\system32\DRIVERS\xusb21.sys

2011/02/24 23:50:10.0828 0296 ================================================================================

2011/02/24 23:50:10.0828 0296 Scan finished

2011/02/24 23:50:10.0828 0296 ================================================================================

2011/02/24 23:50:10.0843 0448 Detected object count: 4

2011/02/24 23:50:28.0984 0448 aswTdi (e27f0d0fe3a8d6fd07bb38c37faeed6b) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/02/24 23:50:29.0187 0448 Backup copy not found, trying to cure infected file..

2011/02/24 23:50:29.0187 0448 C:\WINDOWS\system32\drivers\aswTdi.sys - Cure failed (FFFFFFFF)

2011/02/24 23:50:29.0187 0448 C:\WINDOWS\system32\drivers\aswTdi.sys - processing error

2011/02/24 23:50:29.0187 0448 Rootkit.Win32.ZAccess.c(aswTdi) - User select action: Cure

2011/02/24 23:50:29.0281 0448 NdisWan (f5986637fd42e3e1ed7d7fa131acaee9) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/24 23:50:29.0312 0448 Backup copy not found, trying to cure infected file..

2011/02/24 23:50:29.0312 0448 C:\WINDOWS\system32\DRIVERS\ndiswan.sys - Cure failed (FFFFFFFF)

2011/02/24 23:50:29.0312 0448 C:\WINDOWS\system32\DRIVERS\ndiswan.sys - processing error

2011/02/24 23:50:29.0312 0448 Rootkit.Win32.ZAccess.c(NdisWan) - User select action: Cure

2011/02/24 23:50:29.0484 0448 Update (cc6cb2d64603407da041edd611f321e1) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/24 23:50:29.0500 0448 Backup copy not found, trying to cure infected file..

2011/02/24 23:50:29.0500 0448 C:\WINDOWS\system32\DRIVERS\update.sys - Cure failed (FFFFFFFF)

2011/02/24 23:50:29.0500 0448 C:\WINDOWS\system32\DRIVERS\update.sys - processing error

2011/02/24 23:50:29.0500 0448 Rootkit.Win32.ZAccess.c(Update) - User select action: Cure

2011/02/24 23:50:29.0515 0448 Locked file(vbmab8c6) - User select action: Skip

2011/02/24 23:50:50.0484 0412 Deinitialize success

OTL launches, but shuts down immediately when I press "Run Scan." No logs are presented.

MBAM launches (after a fresh install), but shuts down 1-2 seconds into a Quick Scan.

So frustrating.


RKill (iexplore version) runs, here is the log:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 02/25/2011 at 0:18:59.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe

Rkill completed on 02/25/2011 at 0:19:02.


  • Staff

Before doing anything else, let's run this scan which runs outside of Windows.

Read this page and download the ISO for the Avira Rescue System CD.

http://www.avira.com/en/support-download-avira-antivir-rescue-system

Boot from the CD, run the scan, and let me know what is detected. After that, boot into Windows Safe Mode, and do the following:

Rename MBAM.exe to IEXPLORE.exe; run RKill again, then try running MBAM as iexplore.exe; see if it will scan now. Also try renaming OTL to iexplore.exe and try running it again.

Let me know how it goes.

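As an added example (not code from this thread, from the staff helper, or from OTL itself), here is a small Python triage script over OTL-style log lines like the ones posted later in this thread; the sample lines are a constructed subset copied from that log, and the severity labels are my own.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code).

It reads the O1 (HOSTS), IE proxy and O27 (Image File Execution Options)
lines that OTL emits and flags the three indicators visible in the OTL log
posted in this thread: a HOSTS file that sends many well-known names to one
non-loopback address, a proxy server pointed at the local machine, and an
IFEO 'Debugger' entry that replaces a security tool with another binary.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 64.34.212.70 www.google.com
O1 - Hosts: 64.34.212.70 google.com
O1 - Hosts: 64.34.212.70 google.de
O1 - Hosts: 64.34.212.70 www.google.de
O1 - Hosts: 23 more lines...
O27 - HKLM IFEO\OLT.exe: Debugger - svchost.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
PROXY_RE = re.compile(r'^IE - .*Internet Settings: "(ProxyEnable|ProxyServer)" = (.*)$')
IFEO_RE = re.compile(r"^O27 - HKLM IFEO\\(\S+): Debugger - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOPBACK = ("127.", "0.0.0.0", "::1")  # block-list style entries, not redirects


def parse_otl(text):
    """Extract HOSTS mappings, proxy settings and IFEO debuggers from OTL output."""
    hosts, proxy, ifeo, truncated = [], {}, {}, 0
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            if IPV4_RE.match(ip):
                hosts.append((ip, name))
            elif "more lines" in line:
                # OTL abbreviates long HOSTS files ("O1 - Hosts: 23 more lines...");
                # the hidden entries must be reviewed in the file itself.
                truncated += 1
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy[m.group(1)] = m.group(2).strip()
            continue
        m = IFEO_RE.match(line)
        if m:
            ifeo[m.group(1)] = m.group(2).strip()
    return {"hosts": hosts, "proxy": proxy, "ifeo": ifeo, "truncated": truncated}


def triage(parsed):
    """Turn the parsed fields into an ordered list of (severity, message) findings."""
    findings = []
    # 1. HOSTS: several distinct names resolving to one non-loopback address is the
    #    search-redirect pattern; 127.x / 0.0.0.0 entries are blocks and are ignored.
    by_ip = defaultdict(list)
    for ip, name in parsed["hosts"]:
        if not ip.startswith(LOOPBACK):
            by_ip[ip].append(name)
    for ip, names in by_ip.items():
        if len(names) >= 2:
            findings.append(("HIGH", f"HOSTS redirects {len(names)} names (e.g. {names[0]}) to {ip}"))
    if parsed["truncated"]:
        findings.append(("INFO", "OTL truncated the HOSTS listing; review the full file"))
    # 2. Proxy: a ProxyServer on the local machine means a resident process is meant
    #    to sit between the browser and the network. It is worth removing even when
    #    ProxyEnable reads 0 at scan time, since a running component can turn it on.
    server = parsed["proxy"].get("ProxyServer", "")
    if "127.0.0.1" in server or "localhost" in server:
        state = "enabled" if parsed["proxy"].get("ProxyEnable") == "1" else "currently disabled"
        findings.append(("HIGH", f"Local proxy: ProxyServer={server} ({state})"))
    # 3. IFEO Debugger: Windows starts the listed 'debugger' instead of the named
    #    image, which is why a tool can die on launch yet run fine under another name.
    for image, debugger in parsed["ifeo"].items():
        findings.append(("HIGH", f"IFEO hijack: {image} -> {debugger}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_otl(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Feeding it a full OTL.Txt instead of the sample gives the same three checks over every O1, IE and O27 line in the file.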

I tried Avira's rescue CD, but this laptop only has 512MB of RAM, which apparently isn't enough for the program to run properly. I tried running it anyway, but after detecting I'd say 100+ infected items, it just wouldn't continue, said not enough memory.

So, I improvised a bit... I got a fresh Kaspersky rescue CD and ran that. It found over 100 items. I couldn't figure out where it stored its log, but in general I'll tell you that there were a LOT of Trojan items found - many in the user's Temp Internet Files and some inside driver files. Kaspersky didn't bellyache when attempting to clean / delete them, so I guess that's a good sign.

Then, as an extra measure, I got the latest AVG rescue CD and ran that too. It found nothing, so either Kaspersky did a bang up job or AVG isn't as good a sniffer.

Regardless, I then booted into Safe Mode w/ Networking and followed the rest of your directions.

RKill, for the first time, listed absolutely NOTHING after

"Processes terminated by Rkill or while it was running:"

That HAS to be a good sign: that crafty svchost.exe entry has at last disappeared.

Interestingly, Internet connectivity seems to have completely disappeared from the laptop, at least for the time being. Via wireless and wired, the NICs won't pick up an IP, and wired won't function when given an explicit (valid) IP / DNS / Gateway. But we can come back to that.

Distracted by that, I forgot to rename MBAM... but it ran anyway. And completed its (Quick) scan! 884 Objects Infected. Log is attached (as attachment).

MBAM's removal process appears to have been successful, no errors reported on screen.

I then ran OTL, downloaded fresh (from a clean PC) and renamed to iexplore.exe. Its scan completed, logs are copied below.

Both OTL and MBAM refused to run scans previously. I think we've got this legion of nastiness on the run now! Let me know what to do next, and THANK YOU so much for what you've accomplished already.

- - -

OTL.Txt log

OTL logfile created on: 2/26/2011 3:24:21 AM - Run 1

OTL by OldTimer - Version 3.2.22.0 Folder = C:\Documents and Settings\Heather Stumbaugh\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 68.00% Memory free

921.00 Mb Paging File | 858.00 Mb Available in Paging File | 93.00% Paging File free

Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 46.39 Gb Free Space | 83.02% Space Free | Partition Type: NTFS

Drive D: | 7.47 Gb Total Space | 5.31 Gb Free Space | 71.15% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Heather Stumbaugh | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/26 00:22:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iexplore.exe

PRC - [2004/08/04 04:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/02/26 00:22:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iexplore.exe

MOD - [2004/08/04 04:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RUBotSrv)

SRV - File not found [On_Demand | Stopped] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)

SRV - File not found [On_Demand | Stopped] -- -- (avast! Web Scanner)

SRV - File not found [On_Demand | Stopped] -- -- (avast! Mail Scanner)

SRV - File not found [Auto | Stopped] -- -- (avast! Antivirus)

SRV - File not found [Auto | Stopped] -- -- (aswUpdSv)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2005/05/04 13:45:36 | 000,078,848 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)

========== Driver Services (SafeList) ==========

DRV - [2011/02/23 22:57:49 | 000,034,560 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\tsk1B.tmp -- (NetBIOS)

DRV - [2009/10/20 10:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)

DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)

DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)

DRV - [2008/07/19 06:37:42 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2008/07/19 06:37:21 | 000,094,416 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2008/07/19 06:35:18 | 000,078,416 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2008/07/19 06:33:42 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2008/07/19 06:32:15 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2007/11/06 13:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ArcCD.sys -- (ArcCD)

DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)

DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)

DRV - [2007/04/25 08:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ArcUdfs.sys -- (ArcUdfs)

DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)

DRV - [2005/04/11 05:33:52 | 001,035,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/03/10 01:41:52 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2005/03/03 11:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2005/02/18 07:42:02 | 000,349,696 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)

DRV - [2005/02/18 07:41:18 | 000,038,016 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)

DRV - [2004/12/15 07:18:30 | 000,200,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)

DRV - [2004/12/15 07:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2004/12/15 07:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

DRV - [2004/08/11 15:30:00 | 000,039,424 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)

DRV - [2004/08/03 14:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2004/04/14 07:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)

DRV - [2003/06/06 11:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810

FF - HKLM\software\mozilla\Firefox\Extensions\\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}: C:\Documents and Settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301} [2010/06/22 13:49:08 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/02/23 01:17:48 | 000,002,087 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 64.34.212.70 www.google.com

O1 - Hosts: 64.34.212.70 google.com

O1 - Hosts: 64.34.212.70 google.com.au

O1 - Hosts: 64.34.212.70 www.google.com.au

O1 - Hosts: 64.34.212.70 google.be

O1 - Hosts: 64.34.212.70 www.google.be

O1 - Hosts: 64.34.212.70 google.com.br

O1 - Hosts: 64.34.212.70 www.google.com.br

O1 - Hosts: 64.34.212.70 google.ca

O1 - Hosts: 64.34.212.70 www.google.ca

O1 - Hosts: 64.34.212.70 google.ch

O1 - Hosts: 64.34.212.70 www.google.ch

O1 - Hosts: 64.34.212.70 google.de

O1 - Hosts: 64.34.212.70 www.google.de

O1 - Hosts: 64.34.212.70 google.dk

O1 - Hosts: 64.34.212.70 www.google.dk

O1 - Hosts: 64.34.212.70 google.fr

O1 - Hosts: 64.34.212.70 www.google.fr

O1 - Hosts: 64.34.212.70 google.ie

O1 - Hosts: 64.34.212.70 www.google.ie

O1 - Hosts: 64.34.212.70 google.it

O1 - Hosts: 64.34.212.70 www.google.it

O1 - Hosts: 64.34.212.70 google.co.jp

O1 - Hosts: 64.34.212.70 www.google.co.jp

O1 - Hosts: 23 more lines...

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O4 - HKLM..\Run: [avast!] File not found

O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()

O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] File not found

O4 - HKLM..\Run: [uIUCU] File not found

O4 - HKLM..\Run: [uyixosafu] File not found

O4 - HKCU..\Run: [internet Security Essentials] File not found

O4 - HKCU..\Run: [Nbutesugune] File not found

O4 - HKCU..\Run: [sUPERAntiSpyware] File not found

O4 - HKCU..\Run: [ytrtrvyw] File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} http://w4s2.work4sure.com/c/ge/w4sgeen9.exe (Reg Error: Key error.)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - File not found

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\Documents and Settings\Heather Stumbaugh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Heather Stumbaugh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O27 - HKLM IFEO\OLT.exe: Debugger - svchost.exe (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/01/31 17:15:06 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{9eeb12d0-12d4-11e0-b3bb-0016362531c2}\Shell - "" = AutoRun

O33 - MountPoints2\{9eeb12d0-12d4-11e0-b3bb-0016362531c2}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{9eeb12d0-12d4-11e0-b3bb-0016362531c2}\Shell\AutoRun\command - "" = E:\MI.exe

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/26 03:07:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2011/02/26 03:07:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/02/26 03:07:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2011/02/25 15:34:25 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0

[2011/02/25 00:17:32 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iexplore.exe

[2011/02/24 23:55:22 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\mbam-setup.exe

[2011/02/24 23:48:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2011/02/24 23:05:21 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW

[2011/02/24 23:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Desktop\gmer

[2011/02/23 22:57:49 | 000,077,912 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys

[2011/02/23 22:56:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Desktop\tdsskiller

[2011/02/23 21:22:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\My Documents\Downloads

[2011/02/23 21:19:54 | 000,692,696 | ---- | C] (PortableApps.com) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\GoogleChromePortable.exe

[2011/02/23 21:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Other

[2011/02/23 21:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Data

[2011/02/23 21:19:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Desktop\App

[2011/02/22 21:07:51 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTH.scr

[2011/02/22 20:32:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather Stumbaugh\Application Data\Malwarebytes

[2011/02/22 20:32:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2011/02/22 20:32:11 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011/02/22 20:21:48 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2011/02/22 19:17:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2011/02/22 19:17:00 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2011/02/22 19:17:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT

[2011/02/22 18:27:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2011/02/22 16:39:02 | 000,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys

[2011/02/22 16:13:01 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip

[2011/02/22 16:13:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip

[2011/02/22 16:05:09 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys

[2011/02/22 16:03:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap

[2011/02/22 02:04:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware

[2011/02/16 13:42:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Heather Stumbaugh\Application Data\Internet Security Essentials

[2011/02/16 13:42:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\ISVYE

[2011/02/16 13:42:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\c28af1

[2011/01/31 17:36:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\InterVideo WinDVD

[2011/01/31 17:35:46 | 000,000,000 | ---D | C] -- C:\Program Files\InterVideo

[2011/01/31 17:18:28 | 000,007,432 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\eabfiltr.sys

[2011/01/31 17:18:28 | 000,005,220 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\EabUsb.sys

[2011/01/31 17:14:47 | 000,109,568 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxinsi64.exe

[2011/01/31 17:14:47 | 000,108,544 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxcpyi64.exe

[2011/01/31 17:14:47 | 000,061,440 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxhpinst.exe

[2011/01/31 17:14:47 | 000,056,832 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxcpya64.exe

[2011/01/31 17:14:47 | 000,056,320 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxinsa64.exe

[2011/01/31 17:14:46 | 000,401,408 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxdrv.dll

[2011/01/31 17:14:46 | 000,339,968 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxwave.dll

[2011/01/31 17:14:46 | 000,339,968 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\px.dll

[2011/01/31 17:14:46 | 000,172,032 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\pxmas.dll

[2011/01/31 17:14:46 | 000,028,672 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\vxblock.dll

[2011/01/31 17:14:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\muvee Technologies

[2011/01/31 17:14:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\muvee Technologies

[2011/01/31 17:06:17 | 000,069,632 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\bcmwlD2K.EXE

[2011/01/31 16:46:35 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lprmon.dll

[2011/01/31 16:46:35 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lprmon.dll

[2011/01/31 16:46:31 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lpdsvc.dll

[2011/01/31 16:46:31 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lpdsvc.dll

[2011/01/28 23:33:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/26 03:07:47 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/02/26 02:24:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/02/26 00:22:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iexplore.exe

[2011/02/25 00:17:46 | 000,721,324 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iExplore2rk.exe

[2011/02/24 23:56:22 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\mbam-setup.exe

[2011/02/24 23:53:56 | 000,577,024 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTL.exe

[2011/02/24 23:01:45 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\gmer.zip

[2011/02/24 01:11:44 | 004,274,169 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\ComboFix.exe

[2011/02/23 22:57:49 | 000,077,912 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys

[2011/02/23 22:55:52 | 001,257,772 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\tdsskiller.zip

[2011/02/23 21:26:15 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Internet Security Essentials - rootkit- - infection - Malwarebytes Forum.url

[2011/02/23 21:25:40 | 004,270,215 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\zsoverman.com

[2011/02/23 01:17:54 | 000,001,822 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Essentials.lnk

[2011/02/23 01:17:53 | 000,001,802 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Internet Security Essentials.lnk

[2011/02/23 01:17:48 | 000,002,087 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2011/02/23 01:17:17 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/02/23 00:56:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/02/23 00:51:40 | 000,012,904 | ---- | M] () -- C:\WINDOWS\Nyezahiga.dat

[2011/02/22 21:46:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2011/02/22 21:19:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\defogger_reenable

[2011/02/22 21:17:27 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\3jz4zqqs.exe

[2011/02/22 21:17:09 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\dds.scr

[2011/02/22 21:16:30 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Defogger.exe

[2011/02/22 21:08:08 | 000,577,024 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTL.scr

[2011/02/22 21:07:53 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTH.scr

[2011/02/22 16:05:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys

[2011/02/22 16:03:49 | 000,000,082 | ---- | M] () -- C:\WINDOWS\System32\-1

[2011/02/21 04:59:45 | 000,001,492 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Application Data\wklnhst.dat

[2011/02/21 04:57:47 | 000,200,207 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\My Documents\USB002

[2011/02/21 04:49:51 | 000,236,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/02/12 00:37:17 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/02/10 23:06:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01005.Wdf

[2011/02/10 19:08:51 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\RICKYS BAD CREDIT LOG.xlr

[2011/01/31 17:23:29 | 000,001,603 | RHS- | M] () -- C:\WINDOWS\System32\drivers\103C_HP_NTBK_Presario V2000 (EP386UA#ABA)_YN_0Pres_QCNF60512B0_EU_46_I3097_SQuanta_V47.0E_BF.22_T060102_WXH2_L409_M383_J60_7AMD_8Sempron_91.79_#091020_N10EC8139_(EP386UA#ABA)_XMOBILE_CN10_Z10024378_2Rev 1_G10025955.MRK

[2011/01/31 17:15:06 | 000,000,100 | ---- | M] () -- C:\AUTOEXEC.BAT

[2011/01/31 17:07:06 | 000,000,133 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Create & Print.URL

[2011/01/31 17:07:06 | 000,000,124 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Online Music.URL

[2011/01/31 17:07:06 | 000,000,116 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Accessories.URL

[2011/01/31 16:46:38 | 000,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/01/31 16:46:38 | 000,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/01/28 22:48:12 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Heather Stumbaugh\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2011/01/28 22:46:10 | 000,003,739 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/01/28 18:54:30 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\.wtav

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/26 03:07:47 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/02/25 00:17:32 | 000,721,324 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\iExplore2rk.exe

[2011/02/24 23:53:59 | 000,577,024 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTL.exe

[2011/02/24 23:01:45 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\gmer.zip

[2011/02/23 22:55:28 | 001,257,772 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\tdsskiller.zip

[2011/02/23 21:26:15 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Internet Security Essentials - rootkit- - infection - Malwarebytes Forum.url

[2011/02/23 21:22:52 | 004,270,215 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\zsoverman.com

[2011/02/23 21:19:54 | 000,029,484 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\help.html

[2011/02/23 01:15:13 | 004,274,169 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\ComboFix.exe

[2011/02/22 21:19:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\defogger_reenable

[2011/02/22 21:17:25 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\3jz4zqqs.exe

[2011/02/22 21:17:05 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\dds.scr

[2011/02/22 21:16:30 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Defogger.exe

[2011/02/22 21:08:02 | 000,577,024 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\OTL.scr

[2011/02/22 20:07:11 | 000,001,822 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Essentials.lnk

[2011/02/22 20:07:11 | 000,001,802 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Desktop\Internet Security Essentials.lnk

[2011/02/22 16:03:48 | 000,000,082 | ---- | C] () -- C:\WINDOWS\System32\-1

[2011/02/18 01:09:01 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Start Menu\Programs\Internet Security Essentials.lnk

[2011/02/10 23:06:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01005.Wdf

[2011/02/02 01:27:19 | 000,236,760 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/01/31 17:35:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2011/01/31 17:35:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2011/01/31 17:35:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2011/01/31 17:35:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2011/01/31 17:35:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2011/01/31 17:35:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2011/01/31 17:07:06 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Create & Print.URL

[2011/01/31 17:07:06 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Online Music.URL

[2011/01/31 17:07:06 | 000,000,116 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Accessories.URL

[2011/01/22 23:10:43 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\.wtav

[2010/09/27 09:53:30 | 000,000,024 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2010/08/01 12:35:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/07/14 21:40:51 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2010/06/22 13:49:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lcolunitobabuyu.bin

[2010/06/22 13:49:10 | 000,012,904 | ---- | C] () -- C:\WINDOWS\Nyezahiga.dat

[2010/03/05 14:00:07 | 000,001,492 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Application Data\wklnhst.dat

[2009/10/20 21:10:22 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2009/10/20 20:43:02 | 000,081,342 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat

[2009/10/20 19:47:14 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Heather Stumbaugh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/10/20 19:33:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2009/10/20 12:17:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/10/20 10:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

[2004/08/04 04:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll

[2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/04 04:00:00 | 000,380,918 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/04 04:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll

[2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/04 04:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll

[2004/08/04 04:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll

[2004/08/04 04:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

[2004/08/04 04:00:00 | 000,078,848 | ---- | C] () -- C:\WINDOWS\System32\msiexec.exe

[2004/08/04 04:00:00 | 000,053,166 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/04 04:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

[2004/08/04 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/04 04:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2002/05/28 09:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2002/05/28 09:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

< End of report >

- - -

Extras.Txt (from OTL) log:

OTL Extras logfile created on: 2/26/2011 3:24:21 AM - Run 1

OTL by OldTimer - Version 3.2.22.0 Folder = C:\Documents and Settings\Heather Stumbaugh\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 68.00% Memory free

921.00 Mb Paging File | 858.00 Mb Available in Paging File | 93.00% Paging File free

Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 46.39 Gb Free Space | 83.02% Space Free | Partition Type: NTFS

Drive D: | 7.47 Gb Total Space | 5.31 Gb Free Space | 71.15% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Heather Stumbaugh | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 1

"AntiSpywareOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Documents and Settings\All Users\Application Data\c28af1\ISc28_2164.exe" = C:\Documents and Settings\All Users\Application Data\c28af1\ISc28_2164.exe:*:Enabled:Internet Security Essentials

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{06ECCCF4-9295-468E-851C-9529A7C181E8}" = HP User Guides 0001

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 20

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 A2

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{534AA552-E1F1-4965-B2AA-FBDEB0730D60}" = muvee autoProducer 4.0 - SE

"{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD

"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver

"{9EDE7573-F2B0-4FAC-8928-A7E9381BCB91}" = ArcSoft MediaImpression for Kodak

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support

"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0

"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan

"{BE20E2F5-1903-4AAE-B1AF-2046E586C925}" = iTunes

"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver

"{C1CCF2E9-4851-4783-8076-D9C3F7DDD487}" = Citrix XenApp Plugin for Hosted Apps

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.10 B2

"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox

"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer

"7-Zip" = 7-Zip 9.20

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter

"CNXT_AUDIO" = Conexant AC-Link Audio

"CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C" = Data Fax SoftModem with SmartCP

"ERUNT_is1" = ERUNT 1.1j

"ie8" = Windows Internet Explorer 8

"InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = Texas Instruments PCIxx21/x515 drivers.

"InstallShield_{BE20E2F5-1903-4AAE-B1AF-2046E586C925}" = iTunes

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"QuickTime" = QuickTime

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]

Error - 10/29/2009 5:13:28 PM | Computer Name = HOME-280F592B69 | Source = avast! | ID = 33554522

Description =

Error - 10/29/2009 5:13:28 PM | Computer Name = HOME-280F592B69 | Source = avast! | ID = 33554522

Description =

Error - 4/30/2010 6:17:43 PM | Computer Name = HOME-280F592B69 | Source = avast! | ID = 33554522

Description =

[ Application Events ]

Error - 1/20/2011 2:04:11 AM | Computer Name = HOME-280F592B69 | Source = Application Hang | ID = 1002

Description = Hanging application FixCleaner.exe, version 2.0.4045.907, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/20/2011 3:41:33 AM | Computer Name = HOME-280F592B69 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/20/2011 3:43:36 AM | Computer Name = HOME-280F592B69 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/21/2011 4:18:42 AM | Computer Name = HOME-280F592B69 | Source = Application Error | ID = 1000

Description = Faulting application mscoff.exe, version 0.0.0.0, faulting module

mscoff.exe, version 0.0.0.0, fault address 0x0000154a.

Error - 1/21/2011 4:19:20 AM | Computer Name = HOME-280F592B69 | Source = Application Error | ID = 1000

Description = Faulting application mscoff.exe, version 0.0.0.0, faulting module

mscoff.exe, version 0.0.0.0, fault address 0x0000154a.

Error - 1/29/2011 2:42:18 AM | Computer Name = HOME-280F592B69 | Source = MsiInstaller | ID = 11719

Description = Product: iTunes -- Error 1719.The Windows Installer Service could

not be accessed. This can occur if you are running Windows in safe mode, or if the

Windows Installer is not correctly installed. Contact your support personnel for

assistance.

Error - 2/9/2011 6:10:45 PM | Computer Name = HOME | Source = Application Error | ID = 1000

Description = Faulting application at.exe, version 0.0.0.0, faulting module at.exe,

version 0.0.0.0, fault address 0x00003d51.

Error - 2/9/2011 7:48:42 PM | Computer Name = HOME | Source = Application Error | ID = 1000

Description = Faulting application at.exe, version 0.0.0.0, faulting module at.exe,

version 0.0.0.0, fault address 0x00003d51.

Error - 2/21/2011 8:55:26 AM | Computer Name = HOME | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting

module ilucuvuh.dll, version 0.0.0.0, fault address 0x000119aa.

Error - 2/23/2011 12:20:48 AM | Computer Name = HOME | Source = Application Hang | ID = 1002

Description = Hanging application 7zG.exe, version 9.20.0.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 2/26/2011 6:53:31 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 6:57:37 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 6:58:47 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 7:05:47 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 7:06:53 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 7:17:35 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 7:18:45 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/26/2011 7:18:49 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/26/2011 7:19:38 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/26/2011 7:23:05 AM | Computer Name = HOME | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

< End of report >

mbam-log-2011-02-26 (03-16-46).zip

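As an added defender-side example (not code from OTL, the tools named in this thread, or any poster), a small Python triage script over OTL Extras sections like the ones above: it flags shell-spawning commands that differ from the XP defaults, Security Center override flags, and firewall exceptions granted to programs living under user-writable paths, which is how the rogue's entry in the Authorized Applications list stands out. The sample input is constructed in OTL's format; the comfile hijack line and the EXAMPLE path are assumptions added to exercise the check and are not from the posted log.

```python
"""Triage an OTL Extras.txt log for tamper tricks common to rogue antivirus
infections: hijacked shell-spawning commands, Security Center overrides and
firewall exceptions for programs under user-writable directories.
Added example; OTL itself does none of this analysis."""
import re
from dataclasses import dataclass

# Constructed sample in OTL's Extras format. The Security Center and
# Authorized Applications lines mirror the log posted in this thread; the
# comfile line and the EXAMPLE path are constructed (assumption) so that the
# shell-spawning check has something to catch.
SAMPLE_EXTRAS = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
comfile [open] -- "C:\Documents and Settings\All Users\Application Data\EXAMPLE\hijack.exe" "%1" %*
exefile [open] -- "%1" %*
scrfile [open] -- "%1" /S
htmlfile [edit] -- Reg Error: Key error.
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiSpywareOverride" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\All Users\Application Data\c28af1\ISc28_2164.exe" = C:\Documents and Settings\All Users\Application Data\c28af1\ISc28_2164.exe:*:Enabled:Internet Security Essentials
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # ========== Name ==========
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")    # exefile [open] -- "%1" %*
KV_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name" = value

# Default XP shell-spawning commands, as OTL prints them on a clean machine.
DEFAULT_SPAWN = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}
# Override flags silence Security Center warnings for that component. A real
# third-party AV or firewall may set them legitimately, hence only "medium".
OVERRIDE_KEYS = {"AntiVirusOverride", "FirewallOverride", "AntiSpywareOverride"}
# Path fragments (lower-cased) that a normal user or malware can write to.
USER_WRITABLE = (
    "\\application data\\", "\\local settings\\", "\\temp\\",
    "\\documents and settings\\all users\\",
)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    section: str    # OTL section the line came from
    detail: str


def parse_sections(text):
    """Group non-empty log lines under the '========== Name ==========' header above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of Finding objects for the suspicious entries in an Extras log."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Shell Spawning", []):
        m = SPAWN_RE.match(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if key in DEFAULT_SPAWN and m.group(3) != DEFAULT_SPAWN[key]:
            findings.append(Finding("high", "Shell Spawning",
                f"{key[0]} [{key[1]}] differs from the XP default: {m.group(3)}"))
    for line in sections.get("Security Center Settings", []):
        m = KV_RE.match(line)
        if m and m.group(1) in OVERRIDE_KEYS and m.group(2).strip() == "1":
            findings.append(Finding("medium", "Security Center Settings",
                f"{m.group(1)} = 1 suppresses Security Center alerts for that component"))
    for line in sections.get("Authorized Applications List", []):
        m = KV_RE.match(line)
        if m and any(tok in m.group(1).lower() for tok in USER_WRITABLE):
            findings.append(Finding("high", "Authorized Applications List",
                f"firewall exception for a program under a user-writable path: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXTRAS):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

Point it at a real Extras.txt by reading the file into `triage()`; on a clean XP machine the Shell Spawning section should produce no findings at all.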

  • Staff

Excellent news!

Looks like the Kaspersky Rescue CD freed up enough of the permissions to let things run.

Yes, let's worry about the connection issue later; it might be better that it can't connect right now since it means that the malware can't call up its buddies. :(

Let's see if we can get MBAM updated and run (the database you ran is several hundred versions behind). Download this file and transfer it over to the infected computer:

http://data.mbamupdates.com/tools/mbam-rules.exe

Execute it on the infected computer and MBAM should be updated. After that, run a Quick Scan and post its log.

After that, I'd like to try running ComboFix again. Grab a fresh copy, rename it to hahaha.com, and transfer it to the Desktop of the infected computer.

Run it as follows:

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\hahaha.com" /killall

See if it will run to completion now.


I applied the MBAM update and ran a Quick Scan again; it found three (3) more items. Log is below.

I then downloaded/renamed ComboFix and ran it as instructed, and hooray! It actually ran. Because the laptop doesn't have Internet again, I couldn't download the recovery console as ComboFix wanted, but I went ahead and ran it anyway. I'm thinking what I'll do is go back once we're all done here and connectivity is restored, and run ComboFix one more time, just for the sake of getting that installed for the future.

ComboFix log is also below. Thank you so much, again. I'll await further instruction...

- Phil

- - - - -

MBAM Log

- - - - -

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5750

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

2/27/2011 4:16:58 AM

mbam-log-2011-02-27 (04-16-58).txt

Scan type: Quick scan

Objects scanned: 139104

Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ytrtrvyw (Trojan.FakeAlert.Gen) -> Value: ytrtrvyw -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- - - - - - -

ComboFix Log

- - - - - - -

ComboFix 11-02-26.01 - Heather Stumbaugh 02/27/2011 4:23.1.1 - x86 NETWORK

Running from: c:\documents and settings\Heather Stumbaugh\desktop\hahaha.com

Command switches used :: /killall

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\.wtav

c:\documents and settings\All Users\Application Data\c28af1

c:\documents and settings\All Users\Application Data\c28af1\37.mof

c:\documents and settings\All Users\Application Data\c28af1\BackUp\Adobe Reader Speed Launch.lnk

c:\documents and settings\All Users\Application Data\c28af1\c28af1dc426c1a35283d62d7e5445d0c.ocx

c:\documents and settings\All Users\Application Data\c28af1\ISE.ico

c:\documents and settings\All Users\Application Data\c28af1\xkgc9q0xkgbgrgjfw.dll

c:\documents and settings\Heather Stumbaugh\Application Data\Internet Security Essentials

c:\documents and settings\Heather Stumbaugh\Application Data\Internet Security Essentials\Instructions.ini

c:\documents and settings\Heather Stumbaugh\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Essentials.lnk

c:\documents and settings\Heather Stumbaugh\Desktop\Internet Security Essentials.lnk

c:\documents and settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}

c:\documents and settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}\chrome.manifest

c:\documents and settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}\chrome\content\_cfg.js

c:\documents and settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}\chrome\content\overlay.xul

c:\documents and settings\Heather Stumbaugh\Local Settings\Application Data\{C956C14B-BCDC-4A20-94BA-A5966DCD2301}\install.rdf

c:\documents and settings\Heather Stumbaugh\Recent\ANTIGEN.dll

c:\documents and settings\Heather Stumbaugh\Recent\ANTIGEN.drv

c:\documents and settings\Heather Stumbaugh\Recent\ANTIGEN.exe

c:\documents and settings\Heather Stumbaugh\Recent\ANTIGEN.sys

c:\documents and settings\Heather Stumbaugh\Recent\ANTIGEN.tmp

c:\documents and settings\Heather Stumbaugh\Recent\cb.dll

c:\documents and settings\Heather Stumbaugh\Recent\cb.drv

c:\documents and settings\Heather Stumbaugh\Recent\cb.sys

c:\documents and settings\Heather Stumbaugh\Recent\cb.tmp

c:\documents and settings\Heather Stumbaugh\Recent\cid.dll

c:\documents and settings\Heather Stumbaugh\Recent\cid.exe

c:\documents and settings\Heather Stumbaugh\Recent\cid.sys

c:\documents and settings\Heather Stumbaugh\Recent\cid.tmp

c:\documents and settings\Heather Stumbaugh\Recent\CLSV.dll

c:\documents and settings\Heather Stumbaugh\Recent\CLSV.drv

c:\documents and settings\Heather Stumbaugh\Recent\CLSV.exe

c:\documents and settings\Heather Stumbaugh\Recent\CLSV.sys

c:\documents and settings\Heather Stumbaugh\Recent\CLSV.tmp

c:\documents and settings\Heather Stumbaugh\Recent\DBOLE.dll

c:\documents and settings\Heather Stumbaugh\Recent\DBOLE.drv

c:\documents and settings\Heather Stumbaugh\Recent\DBOLE.sys

c:\documents and settings\Heather Stumbaugh\Recent\DBOLE.tmp

c:\documents and settings\Heather Stumbaugh\Recent\ddv.dll

c:\documents and settings\Heather Stumbaugh\Recent\ddv.exe

c:\documents and settings\Heather Stumbaugh\Recent\ddv.sys

c:\documents and settings\Heather Stumbaugh\Recent\ddv.tmp

c:\documents and settings\Heather Stumbaugh\Recent\delfile.drv

c:\documents and settings\Heather Stumbaugh\Recent\delfile.sys

c:\documents and settings\Heather Stumbaugh\Recent\dudl.dll

c:\documents and settings\Heather Stumbaugh\Recent\dudl.exe

c:\documents and settings\Heather Stumbaugh\Recent\dudl.tmp

c:\documents and settings\Heather Stumbaugh\Recent\eb.dll

c:\documents and settings\Heather Stumbaugh\Recent\eb.drv

c:\documents and settings\Heather Stumbaugh\Recent\eb.exe

c:\documents and settings\Heather Stumbaugh\Recent\eb.sys

c:\documents and settings\Heather Stumbaugh\Recent\eb.tmp

c:\documents and settings\Heather Stumbaugh\Recent\energy.dll

c:\documents and settings\Heather Stumbaugh\Recent\energy.drv

c:\documents and settings\Heather Stumbaugh\Recent\energy.exe

c:\documents and settings\Heather Stumbaugh\Recent\energy.sys

c:\documents and settings\Heather Stumbaugh\Recent\energy.tmp

c:\documents and settings\Heather Stumbaugh\Recent\exec.dll

c:\documents and settings\Heather Stumbaugh\Recent\exec.drv

c:\documents and settings\Heather Stumbaugh\Recent\exec.exe

c:\documents and settings\Heather Stumbaugh\Recent\exec.sys

c:\documents and settings\Heather Stumbaugh\Recent\exec.tmp

c:\documents and settings\Heather Stumbaugh\Recent\fan.dll

c:\documents and settings\Heather Stumbaugh\Recent\fan.drv

c:\documents and settings\Heather Stumbaugh\Recent\fan.sys

c:\documents and settings\Heather Stumbaugh\Recent\fan.tmp

c:\documents and settings\Heather Stumbaugh\Recent\fix.drv

c:\documents and settings\Heather Stumbaugh\Recent\fix.exe

c:\documents and settings\Heather Stumbaugh\Recent\fix.sys

c:\documents and settings\Heather Stumbaugh\Recent\FS.dll

c:\documents and settings\Heather Stumbaugh\Recent\FS.drv

c:\documents and settings\Heather Stumbaugh\Recent\FS.tmp

c:\documents and settings\Heather Stumbaugh\Recent\FW.drv

c:\documents and settings\Heather Stumbaugh\Recent\FW.exe

c:\documents and settings\Heather Stumbaugh\Recent\FW.sys

c:\documents and settings\Heather Stumbaugh\Recent\gid.dll

c:\documents and settings\Heather Stumbaugh\Recent\gid.tmp

c:\documents and settings\Heather Stumbaugh\Recent\grid.dll

c:\documents and settings\Heather Stumbaugh\Recent\grid.drv

c:\documents and settings\Heather Stumbaugh\Recent\grid.tmp

c:\documents and settings\Heather Stumbaugh\Recent\hymt.drv

c:\documents and settings\Heather Stumbaugh\Recent\hymt.exe

c:\documents and settings\Heather Stumbaugh\Recent\hymt.sys

c:\documents and settings\Heather Stumbaugh\Recent\hymt.tmp

c:\documents and settings\Heather Stumbaugh\Recent\kernel32.dll

c:\documents and settings\Heather Stumbaugh\Recent\kernel32.drv

c:\documents and settings\Heather Stumbaugh\Recent\kernel32.exe

c:\documents and settings\Heather Stumbaugh\Recent\kernel32.sys

c:\documents and settings\Heather Stumbaugh\Recent\kernel32.tmp

c:\documents and settings\Heather Stumbaugh\Recent\pal.drv

c:\documents and settings\Heather Stumbaugh\Recent\pal.exe

c:\documents and settings\Heather Stumbaugh\Recent\pal.sys

c:\documents and settings\Heather Stumbaugh\Recent\pal.tmp

c:\documents and settings\Heather Stumbaugh\Recent\PE.dll

c:\documents and settings\Heather Stumbaugh\Recent\PE.drv

c:\documents and settings\Heather Stumbaugh\Recent\PE.exe

c:\documents and settings\Heather Stumbaugh\Recent\PE.sys

c:\documents and settings\Heather Stumbaugh\Recent\PE.tmp

c:\documents and settings\Heather Stumbaugh\Recent\ppal.dll

c:\documents and settings\Heather Stumbaugh\Recent\ppal.drv

c:\documents and settings\Heather Stumbaugh\Recent\ppal.sys

c:\documents and settings\Heather Stumbaugh\Recent\ppal.tmp

c:\documents and settings\Heather Stumbaugh\Recent\runddl.dll

c:\documents and settings\Heather Stumbaugh\Recent\runddl.drv

c:\documents and settings\Heather Stumbaugh\Recent\runddl.sys

c:\documents and settings\Heather Stumbaugh\Recent\runddl.tmp

c:\documents and settings\Heather Stumbaugh\Recent\runddlkey.exe

c:\documents and settings\Heather Stumbaugh\Recent\runddlkey.sys

c:\documents and settings\Heather Stumbaugh\Recent\runddlkey.tmp

c:\documents and settings\Heather Stumbaugh\Recent\SICKBOY.exe

c:\documents and settings\Heather Stumbaugh\Recent\SICKBOY.sys

c:\documents and settings\Heather Stumbaugh\Recent\SICKBOY.tmp

c:\documents and settings\Heather Stumbaugh\Recent\sld.dll

c:\documents and settings\Heather Stumbaugh\Recent\sld.exe

c:\documents and settings\Heather Stumbaugh\Recent\sld.sys

c:\documents and settings\Heather Stumbaugh\Recent\sld.tmp

c:\documents and settings\Heather Stumbaugh\Recent\SM.exe

c:\documents and settings\Heather Stumbaugh\Recent\SM.tmp

c:\documents and settings\Heather Stumbaugh\Recent\snl2w.drv

c:\documents and settings\Heather Stumbaugh\Recent\snl2w.exe

c:\documents and settings\Heather Stumbaugh\Recent\snl2w.sys

c:\documents and settings\Heather Stumbaugh\Recent\std.drv

c:\documents and settings\Heather Stumbaugh\Recent\std.sys

c:\documents and settings\Heather Stumbaugh\Recent\tempdoc.dll

c:\documents and settings\Heather Stumbaugh\Recent\tempdoc.exe

c:\documents and settings\Heather Stumbaugh\Recent\tempdoc.sys

c:\documents and settings\Heather Stumbaugh\Recent\tempdoc.tmp

c:\documents and settings\Heather Stumbaugh\Recent\tjd.dll

c:\documents and settings\Heather Stumbaugh\Recent\tjd.drv

c:\documents and settings\Heather Stumbaugh\Recent\tjd.exe

c:\documents and settings\Heather Stumbaugh\Recent\tjd.sys

c:\documents and settings\Heather Stumbaugh\Recent\tjd.tmp

c:\documents and settings\Heather Stumbaugh\Start Menu\Internet Security Essentials.lnk

c:\documents and settings\Heather Stumbaugh\Start Menu\Programs\Internet Security Essentials.lnk

c:\windows\assembly\GAC\__AssemblyInfo__.ini

c:\windows\g32.txt

c:\windows\system32\AutoRun.inf

c:\windows\system32\config\lmbpwnvx

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))

.

2011-02-26 11:07 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-26 11:07 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-25 23:34 . 2011-02-26 00:12 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-02-25 07:48 . 2011-02-25 07:48 -------- d-----w- c:\windows\LastGood

2011-02-24 06:57 . 2011-02-24 06:57 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys

2011-02-24 06:57 . 2011-02-24 06:57 34560 ----a-w- c:\windows\system32\drivers\tsk1B.tmp

2011-02-23 04:32 . 2011-02-23 04:32 -------- d-----w- c:\documents and settings\Heather Stumbaugh\Application Data\Malwarebytes

2011-02-23 04:32 . 2011-02-23 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-23 04:32 . 2011-02-26 11:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-23 04:21 . 2011-02-23 04:21 -------- d-----w- C:\TDSSKiller_Quarantine

2011-02-23 03:17 . 2011-02-23 03:17 -------- d-----w- c:\program files\ERUNT

2011-02-23 02:27 . 2011-02-23 02:27 -------- d--h--w- c:\windows\PIF

2011-02-23 00:39 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-02-23 00:39 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-02-23 00:13 . 2011-02-23 00:13 -------- d-----w- c:\program files\7-Zip

2011-02-23 00:05 . 2011-02-23 00:05 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-02-22 10:00 . 2011-02-22 10:42 -------- d-----w- c:\documents and settings\Administrator

2011-02-16 21:42 . 2011-02-16 21:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\ISVYE

2011-02-01 01:35 . 2002-11-21 18:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-02-01 01:35 . 2002-11-21 18:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-02-01 01:35 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-02-01 01:35 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-02-01 01:35 . 2002-11-21 18:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-02-01 01:35 . 2002-11-21 18:57 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-02-01 01:35 . 2011-02-01 01:35 -------- d-----w- c:\program files\InterVideo

2011-02-01 01:18 . 2004-04-14 15:36 7432 ----a-w- c:\windows\system32\drivers\eabfiltr.sys

2011-02-01 01:18 . 2003-06-06 19:46 5220 ----a-w- c:\windows\system32\drivers\EabUsb.sys

2011-02-01 01:14 . 2005-01-12 10:03 20576 ------w- c:\windows\system32\drivers\PxHelp20.sys

2011-02-01 01:14 . 2005-01-12 10:03 109568 ------w- c:\windows\system32\pxinsi64.exe

2011-02-01 01:14 . 2004-09-27 08:00 108544 ------w- c:\windows\system32\pxcpyi64.exe

2011-02-01 01:14 . 2011-02-01 01:14 -------- d-----w- c:\program files\Common Files\muvee Technologies

2011-02-01 01:06 . 2005-03-10 09:41 69632 ----a-w- c:\windows\system32\bcmwlD2K.EXE

2011-02-01 00:46 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll

2011-02-01 00:46 . 2004-08-04 12:00 18944 ----a-w- c:\windows\system32\lprmon.dll

2011-02-01 00:46 . 2004-08-04 12:00 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll

2011-02-01 00:46 . 2004-08-04 12:00 22528 ----a-w- c:\windows\system32\lpdsvc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-26 00:03 . 2004-08-04 12:00 34560 ----a-w- c:\windows\system32\drivers\netbios.sys.vir

.

------- Sigcheck -------

[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe

[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe

c:\windows\System32\wuauclt.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-21 98304]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection; [x]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [x]

R3 ArcCD;ArcCD Filter Driver Service; [x]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]

R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]

R3 Normandy;Normandy SR2; [x]

R4 ArcUdfs;ArcUdfs FileSystem Driver Service; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 19:17]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 19:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

TCP: {2B52574A-3AFC-4E66-9DE5-A97069674B9E} = 192.168.20.1

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Nbutesugune - c:\windows\wmtmsv.dll

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKCU-Run-Internet Security Essentials - c:\documents and settings\All Users\Application Data\c28af1\ISc28_2164.exe

HKLM-Run-Uyixosafu - c:\windows\ilucuvuh.dll

HKLM-Run-Trend Micro RUBotted V2.0 Beta - c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL

Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-27 04:28

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????<A?w?????????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.aswTdi]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ndiswan]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.SynTP]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.update]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.usbhub]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\drivers\tsk1B.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(352)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-02-27 04:30:54 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-27 12:30

Pre-Run: 49,757,851,648 bytes free

Post-Run: 49,669,074,944 bytes free

- - End Of File - - F2FF042246378EFFF559C46D4BB89970


  • Staff

Hi,

My apologies for the delay. For some reason I wasn't notified about your previous response.

Let's install the Recovery Console manually.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop (transfer as needed). Do not run it yet. You shouldn't need to rename it anymore.

Please download this file and save it as it's originally named, next to ComboFix.exe (again transfer as needed).

[Screenshot: RC1-4.gif]

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317


Done, thank you. Here is the resulting log:

ComboFix 11-02-28.07 - Heather Stumbaugh 03/01/2011 20:39:26.2.1 - x86

Running from: c:\documents and settings\Heather Stumbaugh\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Heather Stumbaugh\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))

.

2011-02-26 11:07 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-26 11:07 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-25 23:34 . 2011-02-26 00:12 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-02-24 06:57 . 2011-02-24 06:57 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys

2011-02-24 06:57 . 2011-02-24 06:57 34560 ----a-w- c:\windows\system32\drivers\tsk1B.tmp

2011-02-23 04:32 . 2011-02-23 04:32 -------- d-----w- c:\documents and settings\Heather Stumbaugh\Application Data\Malwarebytes

2011-02-23 04:32 . 2011-02-23 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-23 04:32 . 2011-02-26 11:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-23 04:21 . 2011-02-23 04:21 -------- d-----w- C:\TDSSKiller_Quarantine

2011-02-23 03:17 . 2011-02-23 03:17 -------- d-----w- c:\program files\ERUNT

2011-02-23 02:27 . 2011-02-23 02:27 -------- d--h--w- c:\windows\PIF

2011-02-23 00:39 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-02-23 00:39 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-02-23 00:13 . 2011-02-23 00:13 -------- d-----w- c:\program files\7-Zip

2011-02-23 00:05 . 2011-02-23 00:05 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-02-22 10:00 . 2011-02-22 10:42 -------- d-----w- c:\documents and settings\Administrator

2011-02-16 21:42 . 2011-02-16 21:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\ISVYE

2011-02-01 01:35 . 2002-11-21 18:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-02-01 01:35 . 2002-11-21 18:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-02-01 01:35 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-02-01 01:35 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-02-01 01:35 . 2002-11-21 18:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-02-01 01:35 . 2002-11-21 18:57 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-02-01 01:35 . 2011-02-01 01:35 -------- d-----w- c:\program files\InterVideo

2011-02-01 01:18 . 2004-04-14 15:36 7432 ----a-w- c:\windows\system32\drivers\eabfiltr.sys

2011-02-01 01:18 . 2003-06-06 19:46 5220 ----a-w- c:\windows\system32\drivers\EabUsb.sys

2011-02-01 01:14 . 2005-01-12 10:03 20576 ------w- c:\windows\system32\drivers\PxHelp20.sys

2011-02-01 01:14 . 2005-01-12 10:03 109568 ------w- c:\windows\system32\pxinsi64.exe

2011-02-01 01:14 . 2004-09-27 08:00 108544 ------w- c:\windows\system32\pxcpyi64.exe

2011-02-01 01:14 . 2011-02-01 01:14 -------- d-----w- c:\program files\Common Files\muvee Technologies

2011-02-01 01:06 . 2005-03-10 09:41 69632 ----a-w- c:\windows\system32\bcmwlD2K.EXE

2011-02-01 00:46 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll

2011-02-01 00:46 . 2004-08-04 12:00 18944 ----a-w- c:\windows\system32\lprmon.dll

2011-02-01 00:46 . 2004-08-04 12:00 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll

2011-02-01 00:46 . 2004-08-04 12:00 22528 ----a-w- c:\windows\system32\lpdsvc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-26 00:03 . 2004-08-04 12:00 34560 ----a-w- c:\windows\system32\drivers\netbios.sys.vir

.

------- Sigcheck -------

[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe

[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe

c:\windows\System32\wuauclt.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-21 98304]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [x]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]

R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]

R3 Normandy;Normandy SR2; [x]

R4 ArcUdfs;ArcUdfs FileSystem Driver Service; [x]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

S3 ArcCD;ArcCD Filter Driver Service; [x]

S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 19:17]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 19:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-01 20:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?7?5?0??`???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.aswTdi]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.ndiswan]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.SynTP]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.update]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.usbhub]

"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\drivers\tsk1B.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(308)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-03-01 20:46:18

ComboFix-quarantined-files.txt 2011-03-02 04:46

ComboFix2.txt 2011-02-27 12:30

Pre-Run: 49,251,233,792 bytes free

Post-Run: 49,241,464,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BA4658B6414501F81E7359CB417AF312


  • Staff

Hi,

My apologies for the delay.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\system32\dllcache\wuauclt.exe | c:\windows\System32\wuauclt.exe

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

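The Sigcheck section of the log and the FCOPY:: line in the post above do a file-integrity check and restore by hand: the live c:\windows\System32\wuauclt.exe is missing, the dllcache copy has the expected size and MD5, so it is copied back. The script below is an added example for this thread (not ComboFix code and not the staff's script) that automates the same check: every catalogued file is compared by size and hash with a known-good table, and if the live copy is missing or differs, the cache copy is verified against the same table before it is copied over. Directory names, the catalog contents and the demo tree are assumptions; the single catalog entry is the dllcache wuauclt.exe line from the Sigcheck output above. MD5 is used only because that is what Sigcheck prints; a catalog built today should carry SHA-256.

```python
"""Check protected system files against a known-good catalog and restore them
from a cache copy.

Added example for this thread (not ComboFix code, not the staff's script). Each
catalogued file is compared by size and MD5 with the catalog; if the live copy
is missing or differs, the cache copy (c:\\windows\\system32\\dllcache on XP)
is verified against the same catalog and only then copied back. Directory
names and the catalog are the caller's; the one entry below is the dllcache
wuauclt.exe line from the thread's Sigcheck output.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Catalog = Dict[str, Tuple[int, str]]  # name -> (size in bytes, lowercase MD5)

# MD5 only because ComboFix's Sigcheck prints MD5; use SHA-256 for a new catalog.
KNOWN_GOOD: Catalog = {
    "wuauclt.exe": (53472, "62bb79160f86cd962f312c68c6239bfd"),
}


def md5_of(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_status(directory: str, name: str, expected: Tuple[int, str]) -> str:
    """Return 'missing', 'mismatch' or 'ok' for one file in one directory."""
    path = os.path.join(directory, name)
    if not os.path.isfile(path):
        return "missing"
    size, digest = expected
    # Size is checked first: it is free and already separates the two
    # wuauclt.exe builds in the thread (53472 vs 111104 bytes).
    if os.path.getsize(path) != size or md5_of(path) != digest:
        return "mismatch"
    return "ok"


def check_and_restore(system_dir: str, cache_dir: str,
                      catalog: Catalog = KNOWN_GOOD,
                      restore: bool = True) -> List[Tuple[str, str, str]]:
    """Return (name, status, action) for every catalogued file.

    action is 'restored' when the cache copy passed the catalog check and was
    copied over the live file, 'cache-bad' when the cache copy itself is
    missing or tampered (nothing is copied: restoring from an unverified cache
    would just reinstall whatever the malware left there), and 'none' when
    nothing needed doing or restore=False.
    """
    results = []
    for name, expected in catalog.items():
        status = file_status(system_dir, name, expected)
        action = "none"
        if status != "ok" and restore:
            if file_status(cache_dir, name, expected) == "ok":
                shutil.copy2(os.path.join(cache_dir, name),
                             os.path.join(system_dir, name))
                action = "restored"
            else:
                action = "cache-bad"
        results.append((name, status, action))
    return results


if __name__ == "__main__":
    # Offline demo in a temporary tree: a good cache copy, no live copy.
    root = tempfile.mkdtemp()
    sys_dir, cache = os.path.join(root, "system32"), os.path.join(root, "dllcache")
    os.makedirs(sys_dir)
    os.makedirs(cache)
    cached = os.path.join(cache, "wuauclt.exe")
    with open(cached, "wb") as f:
        f.write(b"MZ stand-in for the real binary")   # constructed content
    demo_catalog = {"wuauclt.exe": (os.path.getsize(cached), md5_of(cached))}
    for row in check_and_restore(sys_dir, cache, demo_catalog):
        print(row)  # ('wuauclt.exe', 'missing', 'restored')
    shutil.rmtree(root)
```

Run it with a catalog taken from a trusted reference install, not from the infected machine; the point of the cache-bad branch is that a rootkit which has replaced the live file has often replaced or removed the dllcache copy as well, and a blind copy would then restore the wrong binary.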

Sorry, I ran out of time with this client last Friday. Here's what I ended up doing as my final steps:

- Manually adjusted the following registry entry (first backing up the key):

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\drivers\tsk1B.tmp"

Changed it to point to system32\drivers\netbios.sys

(examined a clean XP machine to see what proper value was supposed to be)

- Recovered a good copy of netbios.sys from cached copies (the original was missing, having been renamed to netbios.sys.vir during our cleanup), placed it in system32\drivers\

- Manually deleted system32\drivers\tsk1B.tmp (had no difficulty doing so)

- Ran Windows Repair from an XP Home Edition CD (to restore wuauclt.exe and any other missing files)

- Internet connectivity was restored at this point.

- Ran freshly downloaded ComboFix (no red flags in log file this time), then ran full MBAM scan - clean.

- Booted into regular Windows mode, ran MBAM full scan again - clean.

- Manually cleaned up leftover junk from desktop and elsewhere. Used FileAssassin to delete files I couldn't remove via normal means.

- Used CCleaner to clean temp/junk files and clean registry leftover gunk.

- Applied all outstanding Windows Updates, Adobe Reader updates, and Java updates.

- Installed fresh antivirus, updated / scanned (clean), and advised user to strongly consider MBAM full version for added realtime protection.

The laptop runs like new, tests clean every which way, and the user didn't lose a single file / is very happy.

Thank you so much for your help getting it there!

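The decisive find in this thread was the NetBIOS service's ImagePath pointing at system32\drivers\tsk1B.tmp instead of netbios.sys, alongside dot-prefixed service keys (.afd, .aswTdi, ...) whose ImagePath is "\*". The poster spotted that by eye and by comparing against a clean XP machine. The script below is an added example (not ComboFix code and not what the poster ran) that reads the Services blocks ComboFix prints and applies those checks mechanically: a driver service pointing at a non-driver extension such as .tmp, an ImagePath that is not a file path at all, a service name beginning with '.', or a known service whose path differs from the clean-machine value. The expected-path table and the benign Tcpip block in the sample are assumptions added for the demo; the other sample lines are copied from the log above.

```python
"""Flag hijacked service ImagePath values in a ComboFix-style log.

Added example for this thread (not ComboFix code and not what the poster ran).
It parses the [HKEY_LOCAL_MACHINE\\System\\ControlSet...\\Services\\...] blocks
ComboFix prints and applies the checks the poster did by eye. The EXPECTED
table and the Tcpip sample entry are assumptions for the demo.
"""
import re
from typing import Dict, List, Tuple

SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(?:ControlSet\d+|CurrentControlSet)"
    r"\\Services\\([^\]\\]+)\]$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"$', re.I)
# First extension followed by whitespace or end of string, so that
# "svchost.exe -k netsvcs" yields "exe" and "c:\a.b\x.sys" yields "sys".
EXT = re.compile(r"\.([a-z0-9]+)(?=\s|$)")
DRIVER_EXTS = {"sys", "exe", "dll"}

# Known-good paths, lowercase. The NetBIOS value is what the poster found on a
# clean XP machine; extend this from a reference install, not from the victim.
EXPECTED: Dict[str, str] = {"netbios": r"system32\drivers\netbios.sys"}

# Constructed sample: the .afd and NetBIOS blocks are copied from the thread's
# log; the Tcpip block is a made-up benign entry to show a pass.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.afd]
"ImagePath"="\*"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\drivers\tsk1B.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"
"""


def parse_services(log_text: str) -> Dict[str, str]:
    """Map service key name -> ImagePath for every Services block in the log."""
    services: Dict[str, str] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = SERVICE_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        value = IMAGE_PATH.match(line)
        if value and current is not None:
            services[current] = value.group(1)
            current = None
    return services


def classify(name: str, image_path: str) -> List[str]:
    """Return the reasons an entry looks hijacked; an empty list means it passes."""
    reasons: List[str] = []
    if name.startswith("."):
        reasons.append("service name begins with '.'")
    if image_path in ("", r"\*"):
        reasons.append("ImagePath is not a file path")
        return reasons
    m = EXT.search(image_path.lower())
    ext = m.group(1) if m else ""
    if ext not in DRIVER_EXTS:
        reasons.append(f"ImagePath extension '.{ext}' is not a driver or executable")
    expected = EXPECTED.get(name.lower())
    if expected and image_path.lower() != expected:
        reasons.append(f"expected {expected}")
    return reasons


def find_hijacked(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(service, ImagePath, reasons) for every entry that fails a check."""
    results = []
    for name, path in parse_services(log_text).items():
        reasons = classify(name, path)
        if reasons:
            results.append((name, path, reasons))
    return results


if __name__ == "__main__":
    for name, path, reasons in find_hijacked(SAMPLE_LOG):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```

On the sample this reports .afd (dot-prefixed name, non-path ImagePath) and NetBIOS (.tmp extension, differs from the clean-machine path) and passes Tcpip. The extension heuristic is deliberately loose: a hijack that drops a .sys file under a plausible name passes it, which is why the EXPECTED comparison against a clean reference is the check that actually caught this case.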
