
MalwareBytes blocking IP.....


fdgloworm


Hello, all. I am trying to clean a coworker's laptop and the infection is beyond my experience. I found another thread here, and followed the same steps as he was experiencing the same problem, but it didn't solve the problem. Here are the files as requested in your sticky post.

MBAM:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7702

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/12/2011 4:36:48 PM

mbam-log-2011-09-12 (16-36-48).txt

Scan type: Full scan (C:\|)

Objects scanned: 323207

Time elapsed: 1 hour(s), 38 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.TB (Adware.Admedia) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.TB.1 (Adware.Admedia) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

c:\program files\winbudget (Adware.Admedia) -> Quarantined and deleted successfully.

c:\program files\winbudget\bin (Adware.Admedia) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\all users\application data\defender.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\documents and settings\danielle soto\my documents\downloads\IWON(2).exe (Adware.FunWeb) -> Quarantined and deleted successfully.

c:\documents and settings\danielle soto\my documents\downloads\IWON.exe (Adware.FunWeb) -> Quarantined and deleted successfully.

c:\program files\panda security\panda cloud antivirus\lostandfound\a0330245.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{970bf179-4538-46f7-a171-f13cfc09440b}\rp1\a0000002.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{970bf179-4538-46f7-a171-f13cfc09440b}\rp1\a0000003.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\148.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\windows\temp\wpbt0.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\documents and settings\danielle soto\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\danielle soto\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files\winbudget\bin\matrix.dat (Adware.Admedia) -> Quarantined and deleted successfully.

DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Carlos Soto at 22:46:56 on 2011-09-12

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.92 [GMT -4:00]

.

AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxecserv.exe

C:\WINDOWS\system32\lxeccoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar

mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{1E5CC9EF-5BA4-4000-9099-399F01BDA9D8} : DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{667ACA36-51A1-4814-B620-43E56FB896B0} : DhcpNameServer = 68.87.72.134 68.87.77.134

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\picasa2\npPicasa2.dll

FF - plugin: c:\program files\picasa2\npPicasa3.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

.

============= SERVICES / DRIVERS ===============

.

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-7-1 193192]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366640]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]

R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22712]

S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-12 41272]

S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-11-21 29696]

S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

.

=============== Created Last 30 ================

.

2011-09-13 01:07:23 -------- d-sha-r- C:\cmdcons

2011-09-13 00:59:14 98816 ----a-w- c:\windows\sed.exe

2011-09-13 00:59:14 518144 ----a-w- c:\windows\SWREG.exe

2011-09-13 00:59:14 256000 ----a-w- c:\windows\PEV.exe

2011-09-13 00:59:14 208896 ----a-w- c:\windows\MBR.exe

2011-09-12 18:25:19 -------- d-----w- c:\documents and settings\carlos soto\application data\Malwarebytes

2011-09-12 18:23:44 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-12 18:23:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-12 18:23:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 18:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-09-12 01:29:16 -------- d-----w- c:\windows\system32\GroupPolicy

2011-09-11 15:29:27 249338 ----a-w- c:\windows\cc_20110911_112905.reg

2011-09-11 15:21:05 -------- d-----w- c:\program files\CCleaner

2011-09-11 00:58:07 -------- d-----w- c:\documents and settings\carlos soto\application data\Panda Security

2011-09-11 00:56:43 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\panda2_0dn

2011-09-11 00:56:39 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering

2011-09-11 00:56:18 -------- d-----w- c:\documents and settings\carlos soto\application data\pandasecuritytb

2011-09-11 00:55:15 -------- d-----w- c:\program files\Panda Security

2011-09-11 00:55:15 -------- d-----w- c:\documents and settings\all users\application data\Panda Security

2011-09-11 00:32:50 -------- d-----w- c:\windows\system32\LogFiles

2011-09-10 21:19:53 -------- d-----w- c:\windows\pss

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-01 11:23:20 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2002-05-20 09:57:58 24629 ----a-w- c:\program files\tx2for32.usa

2001-11-14 11:40:34 102453 ----a-w- c:\program files\pr2frm32.usa

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHT2080AT_PL rev.0022 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x827EE4C0]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x827f58a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x827f5730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82B60AB8]

3 CLASSPNP[0xF85D6FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000087[0x82B503B8]

5 ACPI[0xF852D620] -> nt!IofCallDriver[0x804E13B9] -> [0x82B4FD98]

\Driver\atapi[0x82814D28] -> IRP_MJ_CREATE -> 0x827EE4C0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [sI], CH; JL 0x2d; JNZ 0x3b; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x827EE2E0

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 22:49:56.00 ===============

GMER:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-12 23:16:59

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHT2080AT_PL rev.0022

Running: 3bcnhzer.exe; Driver: C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\fgriqfow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xF1E51416]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00DD000A

.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00DE000A

.text C:\WINDOWS\System32\svchost.exe[1312] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00DF000A

.text C:\WINDOWS\System32\svchost.exe[1312] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E1000A

.text C:\Program Files\internet explorer\iexplore.exe[2296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A

.text C:\Program Files\internet explorer\iexplore.exe[2296] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A

.text C:\Program Files\internet explorer\iexplore.exe[3812] ws2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 827EE2E0

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 827EE2E0

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 827EE2E0

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 827EE2E0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\{A38D32BB-D6BD-4f94-8440-4256C5AD0899}@SN BCD86378-D3E8-4ED5-A0FF-AE619ACC25FC

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Also ComboFix:

ComboFix 11-09-12.04 - Carlos Soto 09/12/2011 21:37:18.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.111 [GMT -4:00]

Running from: c:\documents and settings\Carlos Soto\My Documents\Downloads\ComboFix.exe

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini

c:\documents and settings\Administrator.TOUGHTURFCPU\Local Settings\Application Data\ApplicationHistory\MBKInstaller.exe.7de71b57.ini

c:\documents and settings\Carlos Soto\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Carlos Soto\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Carlos Soto\WINDOWS

c:\documents and settings\Danielle Soto\WINDOWS

c:\program files\messenger\msmsgsin.exe

c:\windows\help\wmplayer.bak

c:\windows\system32\drivers\OCA_LOG.TXT

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))

.

.

2011-09-12 18:25 . 2011-09-12 18:25 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Malwarebytes

2011-09-12 18:23 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 18:23 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-09-12 01:29 . 2011-09-12 01:29 -------- d-----w- c:\windows\system32\GroupPolicy

2011-09-11 15:29 . 2011-09-11 15:29 249338 ----a-w- c:\windows\cc_20110911_112905.reg

2011-09-11 15:21 . 2011-09-11 15:21 -------- d-----w- c:\program files\CCleaner

2011-09-11 00:58 . 2011-09-11 00:58 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Panda Security

2011-09-11 00:56 . 2011-09-11 01:40 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\panda2_0dn

2011-09-11 00:56 . 2011-09-13 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering

2011-09-11 00:56 . 2011-09-11 15:01 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\pandasecuritytb

2011-09-11 00:55 . 2011-09-11 00:56 -------- d-----w- c:\program files\Panda Security

2011-09-11 00:55 . 2011-09-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2011-09-11 00:32 . 2011-09-11 00:32 -------- d-----w- c:\windows\system32\LogFiles

2011-09-10 20:48 . 2011-09-10 20:49 -------- d-----w- c:\documents and settings\Administrator.TOUGHTURFCPU

2011-09-03 17:22 . 2011-09-03 17:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

2011-08-27 22:59 . 2011-08-27 22:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-08-21 17:19 . 2011-08-21 17:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\HP

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 10:17 . 2003-05-03 09:39 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-01 11:23 . 2011-08-01 11:23 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

2011-07-15 13:29 . 2003-03-31 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2003-03-31 02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2003-03-31 02:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2003-03-31 02:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2003-03-31 02:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2003-03-31 02:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2002-05-20 09:57 . 2004-09-15 18:20 24629 ----a-w- c:\program files\tx2for32.usa

2001-11-14 11:40 . 2004-09-15 18:20 102453 ----a-w- c:\program files\pr2frm32.usa

.

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696]

.

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]

"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-05-17 231592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"navapsvc"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\CCleaner\\CCleaner.exe"=

"c:\\Program Files\\Panda Security\\Panda Cloud Antivirus\\PSUNMain.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

.

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/1/2011 4:59 PM 193192]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 2:23 PM 366640]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [8/1/2011 7:23 AM 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]

R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 2:23 PM 22712]

S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/12/2011 2:23 PM 41272]

S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [11/21/2007 10:46 PM 29696]

S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 8:21 AM 92592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24]

.

2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24]

.

2011-06-07 c:\windows\Tasks\WebReg .job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-05-22 01:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Carlos Soto\Application Data\Mozilla\Firefox\Profiles\7nbi8z24.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - prefs.js: network.proxy.type - 4

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-12 21:57

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHT2080AT_PL rev.0022 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x829E12E0

user & kernel MBR OK

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2012)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxeccoms.exe

c:\windows\System32\nvsvc32.exe

.

**************************************************************************

.

Completion time: 2011-09-12 22:14:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-13 02:14

.

Pre-Run: 58,480,381,952 bytes free

Post-Run: 59,893,768,192 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 47FB91353A93157C64E66C370A8A8639

I have also attached a zip file with ARK and attach.txt files.

Aaron

logarchive.zip


  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log file is named like UtilityName.Version_Date_Time_log.txt. For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, delete your copy of ComboFix, grab a fresh copy, run it, and post its log. Also post a new DDS log.


Thank you, Screen317. I appreciate it.

Here is the tdss log you requested.

2011/09/15 16:32:28.0328 3120 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17

2011/09/15 16:32:28.0843 3120 ================================================================================

2011/09/15 16:32:28.0843 3120 SystemInfo:

2011/09/15 16:32:28.0843 3120

2011/09/15 16:32:28.0843 3120 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/15 16:32:28.0843 3120 Product type: Workstation

2011/09/15 16:32:28.0843 3120 ComputerName: TOUGHTURFCPU

2011/09/15 16:32:28.0843 3120 UserName: Carlos Soto

2011/09/15 16:32:28.0843 3120 Windows directory: C:\WINDOWS

2011/09/15 16:32:28.0843 3120 System windows directory: C:\WINDOWS

2011/09/15 16:32:28.0843 3120 Processor architecture: Intel x86

2011/09/15 16:32:28.0843 3120 Number of processors: 2

2011/09/15 16:32:28.0843 3120 Page size: 0x1000

2011/09/15 16:32:28.0843 3120 Boot type: Normal boot

2011/09/15 16:32:28.0843 3120 ================================================================================

2011/09/15 16:32:32.0093 3120 Initialize success

2011/09/15 16:32:36.0968 0192 ================================================================================

2011/09/15 16:32:36.0968 0192 Scan started

2011/09/15 16:32:36.0968 0192 Mode: Manual;

2011/09/15 16:32:36.0968 0192 ================================================================================

2011/09/15 16:32:41.0265 0192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/09/15 16:32:41.0406 0192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/09/15 16:32:41.0546 0192 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/09/15 16:32:41.0656 0192 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/09/15 16:32:41.0828 0192 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2011/09/15 16:32:42.0000 0192 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/09/15 16:32:42.0703 0192 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/09/15 16:32:43.0046 0192 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/09/15 16:32:43.0171 0192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/09/15 16:32:43.0406 0192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/09/15 16:32:43.0546 0192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/09/15 16:32:43.0765 0192 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/09/15 16:32:43.0921 0192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/09/15 16:32:44.0046 0192 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys

2011/09/15 16:32:44.0062 0192 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys

2011/09/15 16:32:44.0281 0192 CAMCAUD (5a94e9d6e2716e38183959d8f4c2a5a9) C:\WINDOWS\system32\drivers\camcaud.sys

2011/09/15 16:32:44.0421 0192 CAMCHALA (e7e737bc125d6beb50669ff4b61ced19) C:\WINDOWS\system32\drivers\camchal.sys

2011/09/15 16:32:44.0609 0192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/09/15 16:32:44.0703 0192 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/09/15 16:32:44.0906 0192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/09/15 16:32:44.0984 0192 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/09/15 16:32:45.0187 0192 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/15 16:32:45.0375 0192 CE3 (6d63e366d96494336f375ff155d47ab3) C:\WINDOWS\system32\DRIVERS\ce3n5.sys

2011/09/15 16:32:45.0531 0192 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/09/15 16:32:45.0718 0192 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/09/15 16:32:46.0109 0192 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/09/15 16:32:46.0265 0192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/09/15 16:32:46.0468 0192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/09/15 16:32:46.0593 0192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/09/15 16:32:46.0765 0192 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/09/15 16:32:47.0000 0192 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/09/15 16:32:47.0109 0192 eabfiltr (3020c34ffdadfd69004570f88ff44b33) C:\WINDOWS\System32\drivers\EABFiltr.sys

2011/09/15 16:32:47.0234 0192 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys

2011/09/15 16:32:47.0453 0192 EMCR (7f07571f50353b42e6a2d93f07bec118) C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys

2011/09/15 16:32:47.0609 0192 ENECBPTH (1fec25c49afbc34accbf3dc53031affe) C:\WINDOWS\system32\drivers\ENECBPTH.sys

2011/09/15 16:32:47.0765 0192 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/09/15 16:32:47.0921 0192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/09/15 16:32:47.0984 0192 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/09/15 16:32:48.0093 0192 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/09/15 16:32:48.0328 0192 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/09/15 16:32:48.0484 0192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/09/15 16:32:49.0265 0192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/09/15 16:32:49.0406 0192 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/09/15 16:32:49.0531 0192 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/09/15 16:32:49.0781 0192 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/09/15 16:32:50.0000 0192 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/09/15 16:32:50.0140 0192 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/09/15 16:32:50.0281 0192 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/09/15 16:32:50.0421 0192 HSFHWICH (2d9f10d6e7baa20c4526ce6a16444581) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2011/09/15 16:32:50.0562 0192 HSF_DP (2d566a7f0b4c54b417ac637cb608444b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2011/09/15 16:32:50.0781 0192 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/09/15 16:32:51.0062 0192 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/09/15 16:32:51.0187 0192 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/15 16:32:51.0359 0192 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/09/15 16:32:51.0546 0192 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/09/15 16:32:51.0843 0192 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/09/15 16:32:52.0000 0192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/09/15 16:32:52.0140 0192 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/09/15 16:32:52.0281 0192 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/09/15 16:32:52.0437 0192 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/09/15 16:32:52.0546 0192 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys

2011/09/15 16:32:52.0609 0192 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/09/15 16:32:52.0765 0192 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/09/15 16:32:52.0828 0192 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys

2011/09/15 16:32:53.0015 0192 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/09/15 16:32:53.0140 0192 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/09/15 16:32:53.0234 0192 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/09/15 16:32:53.0421 0192 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/09/15 16:32:53.0718 0192 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

2011/09/15 16:32:53.0859 0192 mdmxsdk (b72d7ea394d5f1c5053368783ad7f7ed) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/09/15 16:32:54.0062 0192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/09/15 16:32:54.0203 0192 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/09/15 16:32:54.0265 0192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/09/15 16:32:54.0546 0192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/09/15 16:32:54.0687 0192 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/09/15 16:32:54.0812 0192 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/09/15 16:32:54.0937 0192 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/09/15 16:32:55.0156 0192 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/09/15 16:32:55.0343 0192 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/09/15 16:32:55.0437 0192 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/09/15 16:32:55.0531 0192 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/09/15 16:32:55.0625 0192 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/09/15 16:32:55.0750 0192 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/09/15 16:32:55.0875 0192 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/09/15 16:32:56.0093 0192 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/09/15 16:32:56.0265 0192 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/09/15 16:32:56.0375 0192 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/09/15 16:32:57.0187 0192 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/09/15 16:32:57.0312 0192 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/09/15 16:32:57.0437 0192 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/09/15 16:32:57.0562 0192 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/09/15 16:32:57.0703 0192 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/09/15 16:32:57.0812 0192 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/15 16:32:58.0000 0192 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/09/15 16:32:58.0140 0192 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/09/15 16:32:58.0281 0192 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys

2011/09/15 16:32:58.0468 0192 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/09/15 16:32:58.0656 0192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/09/15 16:32:58.0921 0192 nv (06500516671f54f74672d99a6b26950d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/09/15 16:32:59.0125 0192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/09/15 16:32:59.0250 0192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/09/15 16:32:59.0406 0192 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/09/15 16:32:59.0640 0192 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/09/15 16:32:59.0750 0192 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/09/15 16:32:59.0890 0192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/09/15 16:33:00.0031 0192 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/09/15 16:33:00.0187 0192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/09/15 16:33:00.0312 0192 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/09/15 16:33:01.0015 0192 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

2011/09/15 16:33:01.0234 0192 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/09/15 16:33:01.0406 0192 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/09/15 16:33:01.0546 0192 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/09/15 16:33:01.0656 0192 PSINAflt (9abf1d1da5afaaaa41fcbd940aa2e844) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys

2011/09/15 16:33:01.0734 0192 PSINFile (5bab5fb4cb1963f643a1a8b4d816cf8f) C:\WINDOWS\system32\DRIVERS\PSINFile.sys

2011/09/15 16:33:01.0781 0192 PSINKNC (0518f472a69249e18612e29278bd58ec) C:\WINDOWS\system32\DRIVERS\psinknc.sys

2011/09/15 16:33:01.0859 0192 PSINProc (87b2fe6d7b427947541360f48c302054) C:\WINDOWS\system32\DRIVERS\PSINProc.sys

2011/09/15 16:33:01.0921 0192 PSINProt (f4804beb5ff6741019b56a02ead4d3b7) C:\WINDOWS\system32\DRIVERS\PSINProt.sys

2011/09/15 16:33:02.0062 0192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/09/15 16:33:02.0218 0192 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2011/09/15 16:33:02.0781 0192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/09/15 16:33:02.0921 0192 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2011/09/15 16:33:03.0062 0192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/09/15 16:33:03.0218 0192 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/09/15 16:33:03.0359 0192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/09/15 16:33:03.0500 0192 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/09/15 16:33:03.0750 0192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/09/15 16:33:03.0890 0192 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/09/15 16:33:04.0015 0192 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/15 16:33:04.0390 0192 RTL8023 (d88f6c53b637abe4c23de29db40a9f05) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys

2011/09/15 16:33:04.0515 0192 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/09/15 16:33:04.0750 0192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/09/15 16:33:04.0890 0192 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/09/15 16:33:05.0015 0192 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/09/15 16:33:05.0250 0192 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/09/15 16:33:05.0593 0192 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/09/15 16:33:05.0953 0192 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/09/15 16:33:06.0093 0192 SQTECH913D (1bd690b1be4c70107a48d73a7def6024) C:\WINDOWS\system32\Drivers\Capt913D.sys

2011/09/15 16:33:06.0281 0192 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys

2011/09/15 16:33:06.0484 0192 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/09/15 16:33:06.0781 0192 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2011/09/15 16:33:06.0984 0192 StreamDispatcher (3e5aa17e13fba9969d17b5455bde8efd) C:\WINDOWS\system32\DRIVERS\strmdisp.sys

2011/09/15 16:33:07.0218 0192 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/09/15 16:33:07.0375 0192 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/15 16:33:07.0546 0192 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/09/15 16:33:08.0109 0192 SynTP (0c1762fef34b265498ef2f3bef7f1d64) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/09/15 16:33:08.0343 0192 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/15 16:33:08.0562 0192 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/15 16:33:08.0828 0192 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys

2011/09/15 16:33:08.0937 0192 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/15 16:33:09.0125 0192 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/15 16:33:09.0234 0192 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/15 16:33:10.0343 0192 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

2011/09/15 16:33:10.0437 0192 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/09/15 16:33:10.0656 0192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/09/15 16:33:10.0859 0192 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/09/15 16:33:11.0062 0192 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/15 16:33:11.0218 0192 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/15 16:33:11.0359 0192 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/15 16:33:11.0562 0192 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/09/15 16:33:11.0671 0192 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/15 16:33:11.0796 0192 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/15 16:33:11.0890 0192 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/09/15 16:33:12.0015 0192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/09/15 16:33:12.0093 0192 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/09/15 16:33:12.0234 0192 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/15 16:33:12.0406 0192 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/15 16:33:12.0546 0192 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/15 16:33:12.0687 0192 winachsf (88a5f20c6c221e50f01c00d8235db8c4) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/09/15 16:33:12.0875 0192 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/09/15 16:33:13.0000 0192 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/09/15 16:33:13.0093 0192 MBR (0x1B8) (fa77ac5cf1ecfef0c3c51e42cd2557f5) \Device\Harddisk0\DR0

2011/09/15 16:33:13.0109 0192 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)

2011/09/15 16:33:13.0125 0192 Boot (0x1200) (aded37a154c467c15d40c6079bf0b331) \Device\Harddisk0\DR0\Partition0

2011/09/15 16:33:13.0125 0192 ================================================================================

2011/09/15 16:33:13.0125 0192 Scan finished

2011/09/15 16:33:13.0125 0192 ================================================================================

2011/09/15 16:33:13.0156 3004 Detected object count: 1

2011/09/15 16:33:13.0156 3004 Actual detected object count: 1

2011/09/15 16:35:47.0703 3004 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot

2011/09/15 16:35:47.0812 3004 \Device\Harddisk0\DR0 - ok

2011/09/15 16:35:47.0812 3004 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure

2011/09/15 16:38:27.0875 1912 Deinitialize success

And a new ComboFix.txt file:

ComboFix 11-09-15.05 - Carlos Soto 09/15/2011 17:57:45.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.249 [GMT -4:00]

Running from: c:\documents and settings\Carlos Soto\Desktop\ComboFix.exe

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))

.

.

2011-09-15 20:24 . 2011-09-15 20:24 -------- d-----w- C:\tdsskller

2011-09-13 04:05 . 2011-09-13 04:05 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\WinZip

2011-09-13 03:58 . 2011-09-13 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2011-09-12 18:25 . 2011-09-12 18:25 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Malwarebytes

2011-09-12 18:23 . 2011-09-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-09-12 18:23 . 2011-09-13 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 18:23 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-09-12 18:17 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-09-12 18:17 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-09-12 18:17 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-09-12 01:29 . 2011-09-12 01:29 -------- d-----w- c:\windows\system32\GroupPolicy

2011-09-11 15:29 . 2011-09-11 15:29 249338 ----a-w- c:\windows\cc_20110911_112905.reg

2011-09-11 15:21 . 2011-09-11 15:21 -------- d-----w- c:\program files\CCleaner

2011-09-11 00:58 . 2011-09-11 00:58 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\Panda Security

2011-09-11 00:56 . 2011-09-11 01:40 -------- d-----w- c:\documents and settings\Carlos Soto\Local Settings\Application Data\panda2_0dn

2011-09-11 00:56 . 2011-09-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security URL Filtering

2011-09-11 00:56 . 2011-09-11 15:01 -------- d-----w- c:\documents and settings\Carlos Soto\Application Data\pandasecuritytb

2011-09-11 00:55 . 2011-09-11 00:56 -------- d-----w- c:\program files\Panda Security

2011-09-11 00:55 . 2011-09-11 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security

2011-09-11 00:32 . 2011-09-11 00:32 -------- d-----w- c:\windows\system32\LogFiles

2011-09-10 20:48 . 2011-09-10 20:49 -------- d-----w- c:\documents and settings\Administrator.TOUGHTURFCPU

2011-09-03 17:22 . 2011-09-03 17:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

2011-08-27 22:59 . 2011-08-27 22:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-08-21 17:19 . 2011-08-21 17:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\HP

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 10:17 . 2003-05-03 09:39 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-01 11:23 . 2011-08-01 11:23 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

2011-07-15 13:29 . 2003-03-31 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2003-03-31 02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2003-03-31 02:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2003-03-31 02:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2003-03-31 02:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2003-03-31 02:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2002-05-20 09:57 . 2004-09-15 18:20 24629 ----a-w- c:\program files\tx2for32.usa

2001-11-14 11:40 . 2004-09-15 18:20 102453 ----a-w- c:\program files\pr2frm32.usa

.

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2003-08-19 08:01 . 2003-08-19 08:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

.

2003-11-10 07:30 . 2003-11-10 07:30 70816 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

.

2003-06-25 18:24 . 2003-06-25 18:24 49152 c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe

.

2002-10-07 07:23 . 2002-10-07 07:23 90112 c:\program files\HP\Digital Imaging\Unload\bak\hpqcmon.exe

.

2002-04-17 17:42 . 2002-04-17 17:42 69632 c:\program files\HP\HP Share-to-Web\bak\hpgs2wnd.exe

.

2003-05-03 09:12 . 2003-11-18 13:31 241664 c:\program files\HPQ\Quick Launch Buttons\bak\EabServr.exe

2010-10-28 17:40 . 2003-11-18 13:31 241664 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

.

2004-01-16 19:16 . 2004-01-16 19:16 229376 c:\program files\iTunes\bak\iTunesHelper.exe

2010-12-13 22:16 . 2010-12-13 22:16 421160 c:\program files\iTunes\iTunesHelper.exe

.

2007-10-23 01:29 . 2007-11-08 13:12 204 c:\program files\iTunes\bak\iTunesHelperAppLog.txt

.

2003-05-03 08:50 . 2003-05-03 08:50 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2010-10-28 17:50 . 2010-10-28 17:50 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

.

2003-05-03 09:06 . 2003-05-03 09:06 98304 c:\program files\QuickTime\bak\qttask.exe

2010-11-29 22:38 . 2010-11-29 22:38 421888 c:\program files\QuickTime\QTTask.exe

.

2004-08-15 17:32 . 2004-08-15 17:32 26112 c:\program files\Real\RealPlayer\bak\RealPlay.exe

2010-02-02 22:33 . 2010-02-02 22:33 222728 c:\program files\Real\RealPlayer\realplay.exe

.

2003-05-03 09:19 . 2003-07-15 19:08 618496 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2003-05-03 09:19 . 2003-07-15 19:08 618496 c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

2003-05-03 09:19 . 2003-07-15 19:09 110592 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

2003-05-03 09:19 . 2003-07-15 19:09 110592 c:\program files\Synaptics\SynTP\SynTPLpr.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2011-06-24 17:37 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2011-06-24 86696]

.

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]

"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-05-17 231592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"navapsvc"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\CCleaner\\CCleaner.exe"=

"c:\\Program Files\\Panda Security\\Panda Cloud Antivirus\\PSUNMain.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

.

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 1:57 PM 129992]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/1/2011 4:59 PM 193192]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/2011 2:23 PM 366152]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 1:58 PM 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [8/1/2011 7:23 AM 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 1:57 PM 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 1:57 PM 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 1:57 PM 112456]

R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [8/15/2003 11:10 AM 68480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/2011 2:23 PM 22216]

S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 3:24 PM 135664]

S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [11/21/2007 10:46 PM 29696]

S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 8:21 AM 92592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24]

.

2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 19:24]

.

2011-06-07 c:\windows\Tasks\WebReg .job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-05-22 01:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Carlos Soto\Application Data\Mozilla\Firefox\Profiles\7nbi8z24.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - prefs.js: network.proxy.type - 4

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-15 18:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2712)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\panda_url_filtering.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-09-15 18:14:41

ComboFix-quarantined-files.txt 2011-09-15 22:14

ComboFix2.txt 2011-09-13 02:14

.

Pre-Run: 59,689,119,744 bytes free

Post-Run: 59,816,394,752 bytes free

.

- - End Of File - - 47C5BDA58E3C23C41B42845E2F9A94F8

And the new DDS log, with the attach.txt in a zip file, attached.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Carlos Soto at 19:27:16 on 2011-09-15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.206 [GMT -4:00]

.

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxecserv.exe

C:\WINDOWS\system32\lxeccoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar

mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{1E5CC9EF-5BA4-4000-9099-399F01BDA9D8} : DhcpNameServer = 68.87.72.134 68.87.77.134

TCP: Interfaces\{667ACA36-51A1-4814-B620-43E56FB896B0} : DhcpNameServer = 68.87.72.134 68.87.77.134

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\documents and settings\carlos soto\application data\mozilla\firefox\profiles\7nbi8z24.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\picasa2\npPicasa2.dll

FF - plugin: c:\program files\picasa2\npPicasa3.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}

.

============= SERVICES / DRIVERS ===============

.

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-7-1 193192]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-12 366152]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]

R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2003-8-15 68480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-12 22216]

S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-11-21 29696]

S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

.

=============== Created Last 30 ================

.

2011-09-15 20:24:04 -------- d-----w- C:\tdsskller

2011-09-13 04:05:00 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\WinZip

2011-09-13 01:07:23 -------- d-sha-r- C:\cmdcons

2011-09-13 00:59:14 98816 ----a-w- c:\windows\sed.exe

2011-09-13 00:59:14 518144 ----a-w- c:\windows\SWREG.exe

2011-09-13 00:59:14 256000 ----a-w- c:\windows\PEV.exe

2011-09-13 00:59:14 208896 ----a-w- c:\windows\MBR.exe

2011-09-12 18:25:19 -------- d-----w- c:\documents and settings\carlos soto\application data\Malwarebytes

2011-09-12 18:23:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-12 18:23:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-12 18:23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-09-12 18:17:35 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-09-12 18:17:32 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-09-12 18:17:27 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-09-12 01:29:16 -------- d-----w- c:\windows\system32\GroupPolicy

2011-09-11 15:29:27 249338 ----a-w- c:\windows\cc_20110911_112905.reg

2011-09-11 15:21:05 -------- d-----w- c:\program files\CCleaner

2011-09-11 00:58:07 -------- d-----w- c:\documents and settings\carlos soto\application data\Panda Security

2011-09-11 00:56:43 -------- d-----w- c:\documents and settings\carlos soto\local settings\application data\panda2_0dn

2011-09-11 00:56:39 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering

2011-09-11 00:56:18 -------- d-----w- c:\documents and settings\carlos soto\application data\pandasecuritytb

2011-09-11 00:55:15 -------- d-----w- c:\program files\Panda Security

2011-09-11 00:55:15 -------- d-----w- c:\documents and settings\all users\application data\Panda Security

2011-09-11 00:32:50 -------- d-----w- c:\windows\system32\LogFiles

2011-09-10 21:19:53 -------- d-----w- c:\windows\pss

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-01 11:23:20 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2002-05-20 09:57:58 24629 ----a-w- c:\program files\tx2for32.usa

2001-11-14 11:40:34 102453 ----a-w- c:\program files\pr2frm32.usa

.

============= FINISH: 19:27:53.89 ===============

attach.zip


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Don't use any other text editor than Notepad, or the script will fail.

Copy/paste the text in the box below into Notepad:

KILLALL::
AWF::
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe
c:\program files\HP\Digital Imaging\Unload\bak\hpqcmon.exe
c:\program files\HP\HP Share-to-Web\bak\hpgs2wnd.exe
c:\program files\HPQ\Quick Launch Buttons\bak\EabServr.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\iTunes\bak\iTunesHelperAppLog.txt
c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Real\RealPlayer\bak\RealPlay.exe
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new DDS log.

-screen317

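The AWF:: section of the script above lists program executables that now sit in a `bak` subfolder beside their normal location. The following is an added example, not code from this thread or from ComboFix: a small Python scanner that walks a directory tree, finds every file inside a folder named `bak`, checks whether a file of the same name exists one level up, and hashes both to tell a benign identical backup copy from a displaced original whose slot is now occupied by a different file. It assumes that this displacement pattern (legitimate file moved into `bak`, different file at the original path) is what the directive addresses, builds its own constructed sample tree in a temporary directory, and uses a hypothetical `c:\program files` prefix when rendering the findings in the same directive-plus-paths layout the script above uses.

```python
"""Detect 'bak' displacement: a file moved into a `bak` subfolder next to its
original location while a different file now occupies the original path.
Added example with constructed sample data; not ComboFix's own logic."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_displacements(root: Path) -> list[dict]:
    """For every file under a directory named 'bak', look for a same-named file
    one level up and record whether it exists and whether the two are identical."""
    findings = []
    for bak_dir in sorted(p for p in root.rglob("bak") if p.is_dir()):
        for displaced in sorted(bak_dir.iterdir()):
            if not displaced.is_file():
                continue
            original = bak_dir.parent / displaced.name
            finding = {
                "original": original.relative_to(root).as_posix(),
                "bak": displaced.relative_to(root).as_posix(),
                "original_present": original.is_file(),
                "identical": None,  # unknown when no counterpart exists
            }
            if finding["original_present"]:
                finding["identical"] = sha256_of(original) == sha256_of(displaced)
            findings.append(finding)
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """A counterpart exists at the original path but its content differs from
    the bak copy: the original was displaced and something else sits in its slot.
    Identical pairs (plain backups) and orphan bak files are not flagged."""
    return [f for f in findings if f["original_present"] and f["identical"] is False]


def awf_script_lines(flagged: list[dict], prefix: str = "c:\\program files") -> list[str]:
    """Render flagged bak paths in the directive-then-paths layout shown in the
    thread. `prefix` is an assumed install root for this example."""
    lines = ["KILLALL::", "AWF::"]
    for item in flagged:
        lines.append(prefix + "\\" + item["bak"].replace("/", "\\"))
    return lines


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two displaced executables whose replacement
    differs from the bak copy, one benign identical backup, and one bak file
    with no counterpart at all."""
    layout = {
        "Common Files/Sonic/Update Manager/sgtray.exe": b"MZ-replacement-A",
        "Common Files/Sonic/Update Manager/bak/sgtray.exe": b"MZ-original-sgtray",
        "QuickTime/qttask.exe": b"MZ-replacement-B",
        "QuickTime/bak/qttask.exe": b"MZ-original-qttask",
        "Synaptics/SynTP/SynTPEnh.exe": b"MZ-same-bytes",
        "Synaptics/SynTP/bak/SynTPEnh.exe": b"MZ-same-bytes",
        "iTunes/bak/iTunesHelperAppLog.txt": b"log text only",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = find_bak_displacements(root)
        flagged = suspicious(findings)
        script = awf_script_lines(flagged)
    return {"findings": findings, "flagged": flagged, "script": script}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f)
    print("\n".join(result["script"]))
```

Run it against a real tree by calling `find_bak_displacements(Path(r"C:\Program Files"))`; on an infected machine the flagged pairs are the ones worth comparing by hash against a known-good copy of the vendor binary before deciding which side is the original.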

  • 2 weeks later...


Thank you for your time, Screen317. Unfortunately, my coworker wanted his computer back and did not want to take the time to finish cleaning it. I could not convince him otherwise. This thread is not active anymore. I will start a new thread for my home machine, to troubleshoot but also to learn how to move through this process faster, as I think my pace was not fast enough for my coworker.

Aaron


  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.