Malwarebytes blocking potentially malicious IP addresses


BJK

MB is continually identifying and blocking outgoing IP addresses listed as 'potentially malicious'. I have used the tools identified and am posting the logs as requested. Thank you for your time and help.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7719

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/14/2011 11:11:59 PM

mbam-log-2011-09-14 (23-11-59).txt

Scan type: Quick scan

Objects scanned: 225958

Time elapsed: 17 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*****************

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 16:08 on 15/09/2011 (David)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

***********************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by David at 16:14:35 on 2011-09-15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.554 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\CmWatch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

svchost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\imapi.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File

BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CmCardRun] c:\windows\system32\CmWatch.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281406498386

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281495492359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{35C8A351-8552-4549-9169-D55451528A47} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxsrvc.dll

Notify: TPSvc - TPSvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKslcf6998b0;MpKslcf6998b0;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24c9f138-5f65-40a6-bc08-687c40ec407f}\MpKslcf6998b0.sys [2011-9-15 28752]

R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2010-8-9 8440]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-26 366152]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-26 22216]

R3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [2004-7-13 48512]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S1 MpKsl8baa065b;MpKsl8baa065b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edf72fea-9935-41a3-a436-eeebad89b441}\mpksl8baa065b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edf72fea-9935-41a3-a436-eeebad89b441}\MpKsl8baa065b.sys [?]

S1 MpKslab31b5c9;MpKslab31b5c9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43822624-be9c-4666-93e1-c84c86a9658e}\mpkslab31b5c9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43822624-be9c-4666-93e1-c84c86a9658e}\MpKslab31b5c9.sys [?]

S1 MpKslb35c1f44;MpKslb35c1f44;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db0c7c3a-c850-4646-a21b-c96d1afc8871}\mpkslb35c1f44.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db0c7c3a-c850-4646-a21b-c96d1afc8871}\MpKslb35c1f44.sys [?]

S1 MpKsle2db9a47;MpKsle2db9a47;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{536b9ada-c4cb-4bb0-a3fe-4877d93a9f5e}\mpksle2db9a47.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{536b9ada-c4cb-4bb0-a3fe-4877d93a9f5e}\MpKsle2db9a47.sys [?]

S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

.

=============== Created Last 30 ================

.

2011-09-15 20:14:07 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24c9f138-5f65-40a6-bc08-687c40ec407f}\MpKslcf6998b0.sys

2011-09-14 01:35:03 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24c9f138-5f65-40a6-bc08-687c40ec407f}\mpengine.dll

2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-09-03 15:11:10 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-09-03 13:41:41 -------- d-----w- c:\documents and settings\david\local settings\application data\PackageAware

2011-09-03 13:26:04 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-23 23:55:46 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-23 23:54:42 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 23:51:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-26 19:45:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-26 19:45:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-12 13:12:00 5221608 ----a-w- c:\program files\microsoft sec.exe

.

============= FINISH: 16:22:44.06 ===============

ark.zip

attach.zip

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Thank you so much for your help.

Attached are the logs as you requested:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7733

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/17/2011 8:30:56 AM

mbam-log-2011-09-17 (08-30-56).txt

Scan type: Quick scan

Objects scanned: 228506

Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*************************************

ComboFix 11-09-16.01 - David 09/17/2011 9:13.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.502 [GMT -4:00]

Running from: c:\documents and settings\David\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\CouponAlert_2pEI

c:\program files\messenger\msmsgsin.exe

c:\program files\Microsoft Office\OFFICE11\OSA.exe

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\program files\SelectRebates

c:\program files\SelectRebates\FFToolbar\chrome.manifest

c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar

c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js

c:\program files\SelectRebates\FFToolbar\install.rdf

c:\program files\SelectRebates\SelectAlerts.dat

c:\program files\SelectRebates\SelectRebates.ini

c:\program files\SelectRebates\SelectRebatesA.dat

c:\program files\SelectRebates\SelectRebatesApi.exe

c:\program files\SelectRebates\SelectRebatesB.dat

c:\program files\SelectRebates\SelectRebatesBT.dat

c:\program files\SelectRebates\SelectRebatesDownload.exe

c:\program files\SelectRebates\SelectRebatesUninstall.exe

c:\program files\SelectRebates\SRebates.dll

c:\program files\SelectRebates\SRFF3.dll

c:\program files\SelectRebates\Toolbar\AddtoList.bmp

c:\program files\SelectRebates\Toolbar\basis.xml

c:\program files\SelectRebates\Toolbar\Basis.xml.dym

c:\program files\SelectRebates\Toolbar\Blank.bmp

c:\program files\SelectRebates\Toolbar\CashBack.bmp

c:\program files\SelectRebates\Toolbar\Coupons.bmp

c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp

c:\program files\SelectRebates\Toolbar\i_magnifying.bmp

c:\program files\SelectRebates\Toolbar\icons.bmp

c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp

c:\program files\SelectRebates\Toolbar\logo.bmp

c:\program files\SelectRebates\Toolbar\logo_24.bmp

c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp

c:\program files\SelectRebates\Toolbar\ReviewSite.bmp

c:\program files\SelectRebates\Toolbar\RightControls.dym

c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp

c:\program files\SelectRebates\Toolbar\sahtb-go.bmp

c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp

c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp

c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp

c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp

c:\program files\SelectRebates\Toolbar\Scissors.bmp

c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll

c:\windows\system32\d3d9caps.dat

Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\documents and settings\Administrator\NTUSER.DAT.LOG

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_COUPONALERT_2PSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))

.

.

2011-09-17 14:01 . 2011-09-17 14:01 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2011-09-17 14:01 . 2011-09-17 14:01 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2011-09-17 14:01 . 2011-09-17 14:01 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-09-17 14:01 . 2011-09-17 14:01 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2011-09-17 14:01 . 2011-09-17 14:01 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2011-09-17 14:01 . 2011-09-17 14:01 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2011-09-17 14:01 . 2011-09-17 14:01 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2011-09-17 14:01 . 2011-09-17 14:01 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2011-09-17 14:01 . 2011-09-17 14:01 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2011-09-17 14:01 . 2011-09-17 14:01 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2011-09-17 14:01 . 2011-09-17 14:01 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2011-09-17 14:01 . 2011-09-17 14:01 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2011-09-17 14:00 . 2011-09-17 14:00 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2011-09-17 14:00 . 2011-09-17 14:00 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2011-09-17 14:00 . 2011-09-17 14:00 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2011-09-17 14:00 . 2011-09-17 14:00 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2011-09-17 14:00 . 2011-09-17 14:00 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2011-09-17 12:05 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B583381-0168-42DC-92AF-D1B23C926C2F}\mpengine.dll

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

2011-09-03 15:11 . 2011-09-03 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-09-03 13:41 . 2011-09-03 13:41 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\PackageAware

2011-09-03 13:26 . 2011-09-03 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-23 23:55 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-23 23:55 . 2011-08-23 23:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-08-23 23:54 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 21:00 . 2011-07-26 17:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 23:51 . 2011-07-26 20:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-12 02:44 . 2011-04-12 15:22 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-07-26 19:45 . 2011-07-26 19:46 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-26 19:45 . 2010-10-05 23:57 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2010-08-09 13:19 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2010-08-10 02:01 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-12 13:12 . 2011-04-12 12:41 5221608 ----a-w- c:\program files\microsoft sec.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"CmCardRun"="c:\windows\system32\CmWatch.exe" [2003-09-16 229376]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

.

R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [8/9/2010 9:31 PM 8440]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/26/2011 1:34 PM 366152]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 2:44 AM 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/26/2011 1:34 PM 22216]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]

R3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [7/13/2004 12:40 PM 48512]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S1 MpKsl8baa065b;MpKsl8baa065b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDF72FEA-9935-41A3-A436-EEEBAD89B441}\MpKsl8baa065b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDF72FEA-9935-41A3-A436-EEEBAD89B441}\MpKsl8baa065b.sys [?]

S1 MpKslab31b5c9;MpKslab31b5c9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43822624-BE9C-4666-93E1-C84C86A9658E}\MpKslab31b5c9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43822624-BE9C-4666-93E1-C84C86A9658E}\MpKslab31b5c9.sys [?]

S1 MpKslb35c1f44;MpKslb35c1f44;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB0C7C3A-C850-4646-A21B-C96D1AFC8871}\MpKslb35c1f44.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB0C7C3A-C850-4646-A21B-C96D1AFC8871}\MpKslb35c1f44.sys [?]

S1 MpKsle2db9a47;MpKsle2db9a47;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536B9ADA-C4CB-4BB0-A3FE-4877D93A9F5E}\MpKsle2db9a47.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536B9ADA-C4CB-4BB0-A3FE-4877D93A9F5E}\MpKsle2db9a47.sys [?]

S1 MpKslf004dc8e;MpKslf004dc8e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B583381-0168-42DC-92AF-D1B23C926C2F}\MpKslf004dc8e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B583381-0168-42DC-92AF-D1B23C926C2F}\MpKslf004dc8e.sys [?]

S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-17 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-09-17 c:\windows\Tasks\User_Feed_Synchronization-{1F74A0FF-C5DC-4704-A2CC-B0023FFB09BE}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

2011-09-17 c:\windows\Tasks\User_Feed_Synchronization-{51F144FA-2754-415A-B407-D3BC405A5888}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Notify-TPSvc - TPSvc.dll

AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe

AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_C8CBFED7F00D3A8C.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-17 10:13

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(992)

c:\windows\system32\WININET.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-09-17 10:30:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-17 14:29

.

Pre-Run: 129,867,108,352 bytes free

Post-Run: 130,504,245,248 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - E4C2985D2D5B39A4DC8BA221E81209DB

**************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by David at 10:35:27 on 2011-09-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.490 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\CmWatch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft Security Client\msseces.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File

BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CmCardRun] c:\windows\system32\CmWatch.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281406498386

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281495492359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{35C8A351-8552-4549-9169-D55451528A47} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKsl5c3fef32;MpKsl5c3fef32;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a2885eb5-c76e-457c-945a-223e335687e8}\MpKsl5c3fef32.sys [2011-9-17 28752]

R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2010-8-9 8440]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-26 366152]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-26 22216]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

R3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [2004-7-13 48512]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S1 MpKsl8baa065b;MpKsl8baa065b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edf72fea-9935-41a3-a436-eeebad89b441}\mpksl8baa065b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{edf72fea-9935-41a3-a436-eeebad89b441}\MpKsl8baa065b.sys [?]

S1 MpKslab31b5c9;MpKslab31b5c9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43822624-be9c-4666-93e1-c84c86a9658e}\mpkslab31b5c9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43822624-be9c-4666-93e1-c84c86a9658e}\MpKslab31b5c9.sys [?]

S1 MpKslb35c1f44;MpKslb35c1f44;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db0c7c3a-c850-4646-a21b-c96d1afc8871}\mpkslb35c1f44.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db0c7c3a-c850-4646-a21b-c96d1afc8871}\MpKslb35c1f44.sys [?]

S1 MpKsle2db9a47;MpKsle2db9a47;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{536b9ada-c4cb-4bb0-a3fe-4877d93a9f5e}\mpksle2db9a47.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{536b9ada-c4cb-4bb0-a3fe-4877d93a9f5e}\MpKsle2db9a47.sys [?]

S1 MpKslf004dc8e;MpKslf004dc8e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8b583381-0168-42dc-92af-d1b23c926c2f}\mpkslf004dc8e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8b583381-0168-42dc-92af-d1b23c926c2f}\MpKslf004dc8e.sys [?]

S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

.

=============== Created Last 30 ================

.

2011-09-17 14:34:46 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a2885eb5-c76e-457c-945a-223e335687e8}\MpKsl5c3fef32.sys

2011-09-17 14:34:34 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a2885eb5-c76e-457c-945a-223e335687e8}\mpengine.dll

2011-09-17 13:08:24 -------- d-sha-r- C:\cmdcons

2011-09-17 13:02:01 98816 ----a-w- c:\windows\sed.exe

2011-09-17 13:02:01 518144 ----a-w- c:\windows\SWREG.exe

2011-09-17 13:02:01 256000 ----a-w- c:\windows\PEV.exe

2011-09-17 13:02:01 208896 ----a-w- c:\windows\MBR.exe

2011-09-17 13:00:42 -------- d-----w- C:\ComboFix

2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-09-03 15:11:10 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-09-03 13:41:41 -------- d-----w- c:\documents and settings\david\local settings\application data\PackageAware

2011-09-03 13:26:04 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-23 23:55:46 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-23 23:54:42 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 23:51:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-26 19:45:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-26 19:45:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-12 13:12:00 5221608 ----a-w- c:\program files\microsoft sec.exe

.

============= FINISH: 10:41:24.71 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats and the option Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Hi - Two questions:

1. Do I need to turn off Microsoft Security Essentials for this scan? (I did, but the scan didn't run, so I thought I would check).

2. The scan wouldn't run because the proxies were not configured. Can I just check the box indicating "use custom proxies" or do I need to admit to my husband that I need his help in filling in the information?

Thanks!


Hi again,

I ran ESET Online Scanner and it downloaded. At the time of initialization, the message "Unexpected error 2002" came up and the program stopped initializing. The only option it gave me was to go "back". I tried it two more times with the same result.

Thank you again for your help.


  • Staff

Try this scanner instead:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Here are the reports as requested:

Scanning Report

Saturday, September 24, 2011 19:31:46 - 20:33:30

Computer name: DAVID-KIM

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

21 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.WebTrendsLive (spyware)

System (Disinfected)

TrackingCookie.Clickbank (spyware)

System (Disinfected)

TrackingCookie.Fastclick (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Liveperson (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\DAVID\DESKTOP\MALWARE DOWNLOADS\GMER ROOTKIT SCANNER.EXE (Not cleaned)

Exploit:Java/CVE-2010-0840.B (virus)

C:\DOCUMENTS AND SETTINGS\DAVID\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\0\43296140-70EDDA67 (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 50189

System: 3096

Not scanned: 10

Actions:

Disinfected: 19

Renamed: 1

Deleted: 0

Not cleaned: 1

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMP\HSPERFDATA_DAVID\2516

C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMP\HSPERFDATA_DAVID\3892

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

FixCleaner

Java 6 Update 26

Adobe Flash Player

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

David LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe

David LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe

Microsoft Security Client Antimalware MsMpEng.exe

David LOCALS~1 Temp fsonlinescanner.exe

``````````End of Log````````````

********************************************

There still appears to be one website that is trying to access this computer. Here is the protection log from MB:

19:05:07 (null) MESSAGE Protection started successfully

19:05:38 David MESSAGE IP Protection started successfully

19:06:45 David MESSAGE IP Protection stopped

19:06:46 David MESSAGE Scheduled update executed successfully

19:06:52 David MESSAGE Database updated successfully

19:06:57 David MESSAGE IP Protection started successfully

19:17:10 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:17:13 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:17:19 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:19:00 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:19:03 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:19:09 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:21:01 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:21:04 David IP-BLOCK 64.120.141.163 (Type: outgoing)

19:21:10 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:00:02 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:00:05 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:00:11 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:01:57 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:02:00 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:02:06 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:03:54 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:03:57 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:04:03 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:44:43 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:44:46 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:44:52 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:46:43 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:46:46 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:46:52 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:48:43 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:48:46 David IP-BLOCK 64.120.141.163 (Type: outgoing)

20:48:52 David IP-BLOCK 64.120.141.163 (Type: outgoing)

I will continue to monitor this.

Thank you.


  • Staff

Hmmm.

Please delete your copy of ComboFix, grab a fresh copy, run it, and post its log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Hi again -

Here are the logs from the two scans:

ComboFix 11-09-28.01 - David 09/28/2011 9:40.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.553 [GMT -4:00]

Running from: c:\documents and settings\David\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))

.

.

2011-09-28 13:21 . 2011-09-28 13:21 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C249432-B73F-4509-A79E-948A5E385746}\MpKslbbbb48fb.sys

2011-09-28 13:21 . 2011-09-28 13:21 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C249432-B73F-4509-A79E-948A5E385746}\offreg.dll

2011-09-28 11:53 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C249432-B73F-4509-A79E-948A5E385746}\mpengine.dll

2011-09-24 23:31 . 2011-09-24 23:31 -------- d-----w- c:\documents and settings\David\Application Data\f-secure

2011-09-24 23:31 . 2011-09-24 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2011-09-18 13:39 . 2011-09-18 13:39 -------- d-----w- c:\program files\ESET

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

2011-09-03 15:11 . 2011-09-03 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-09-03 13:41 . 2011-09-03 13:41 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\PackageAware

2011-09-03 13:26 . 2011-09-03 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-24 23:46 . 2011-07-26 20:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-12 23:14 . 2011-04-12 15:22 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 21:00 . 2011-07-26 17:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-26 19:45 . 2011-07-26 19:46 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-26 19:45 . 2010-10-05 23:57 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-04-12 13:12 . 2011-04-12 12:41 5221608 ----a-w- c:\program files\microsoft sec.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-17_14.14.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-28 13:21 . 2011-09-28 13:21 16384 c:\windows\Temp\Perflib_Perfdata_39c.dat

+ 2011-09-24 23:45 . 2011-09-24 23:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe

+ 2011-09-24 23:46 . 2011-09-24 23:46 328864 c:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.dll

+ 2010-08-10 02:43 . 2011-09-28 13:05 47369160 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"CmCardRun"="c:\windows\system32\CmWatch.exe" [2003-09-16 229376]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

.

R1 MpKslbbbb48fb;MpKslbbbb48fb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C249432-B73F-4509-A79E-948A5E385746}\MpKslbbbb48fb.sys [9/28/2011 9:21 AM 28752]

R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [8/9/2010 9:31 PM 8440]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/26/2011 1:34 PM 366152]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 2:44 AM 399416]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/26/2011 1:34 PM 22216]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]

R3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\Umss.SYS [7/13/2004 12:40 PM 48512]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S1 MpKsl8baa065b;MpKsl8baa065b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDF72FEA-9935-41A3-A436-EEEBAD89B441}\MpKsl8baa065b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDF72FEA-9935-41A3-A436-EEEBAD89B441}\MpKsl8baa065b.sys [?]

S1 MpKslab31b5c9;MpKslab31b5c9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43822624-BE9C-4666-93E1-C84C86A9658E}\MpKslab31b5c9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43822624-BE9C-4666-93E1-C84C86A9658E}\MpKslab31b5c9.sys [?]

S1 MpKslb35c1f44;MpKslb35c1f44;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB0C7C3A-C850-4646-A21B-C96D1AFC8871}\MpKslb35c1f44.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB0C7C3A-C850-4646-A21B-C96D1AFC8871}\MpKslb35c1f44.sys [?]

S1 MpKsle2db9a47;MpKsle2db9a47;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536B9ADA-C4CB-4BB0-A3FE-4877D93A9F5E}\MpKsle2db9a47.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536B9ADA-C4CB-4BB0-A3FE-4877D93A9F5E}\MpKsle2db9a47.sys [?]

S1 MpKslf004dc8e;MpKslf004dc8e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B583381-0168-42DC-92AF-D1B23C926C2F}\MpKslf004dc8e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B583381-0168-42DC-92AF-D1B23C926C2F}\MpKslf004dc8e.sys [?]

S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSLBBBB48FB

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-09-28 c:\windows\Tasks\User_Feed_Synchronization-{1F74A0FF-C5DC-4704-A2CC-B0023FFB09BE}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

2011-09-28 c:\windows\Tasks\User_Feed_Synchronization-{51F144FA-2754-415A-B407-D3BC405A5888}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-28 10:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1928)

c:\windows\system32\WININET.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-09-28 10:25:54

ComboFix-quarantined-files.txt 2011-09-28 14:25

ComboFix2.txt 2011-09-17 14:30

.

Pre-Run: 130,331,869,184 bytes free

Post-Run: 130,658,455,552 bytes free

.

- - End Of File - - BB541B778F1FEE2102ED1941AB4A3DDD

***********************

10:40:40.0843 3016 TDSS rootkit removing tool 2.6.2.0 Sep 26 2011 18:56:43

10:40:42.0843 3016 ============================================================

10:40:42.0843 3016 Current date / time: 2011/09/28 10:40:42.0843

10:40:42.0843 3016 SystemInfo:

10:40:42.0843 3016

10:40:42.0843 3016 OS Version: 5.1.2600 ServicePack: 3.0

10:40:42.0843 3016 Product type: Workstation

10:40:42.0843 3016 ComputerName: DAVID-KIM

10:40:42.0843 3016 UserName: David

10:40:42.0843 3016 Windows directory: C:\WINDOWS

10:40:42.0843 3016 System windows directory: C:\WINDOWS

10:40:42.0843 3016 Processor architecture: Intel x86

10:40:42.0843 3016 Number of processors: 2

10:40:42.0843 3016 Page size: 0x1000

10:40:42.0843 3016 Boot type: Normal boot

10:40:42.0843 3016 ============================================================

10:40:44.0359 3016 Initialize success

10:41:01.0296 3472 ============================================================

10:41:01.0296 3472 Scan started

10:41:01.0296 3472 Mode: Manual;

10:41:01.0296 3472 ============================================================

10:41:01.0765 3472 Abiosdsk - ok

10:41:01.0781 3472 abp480n5 - ok

10:41:01.0828 3472 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

10:41:01.0828 3472 ACPI - ok

10:41:01.0875 3472 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

10:41:01.0875 3472 ACPIEC - ok

10:41:01.0875 3472 adpu160m - ok

10:41:01.0921 3472 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

10:41:01.0921 3472 aec - ok

10:41:01.0984 3472 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

10:41:01.0984 3472 AFD - ok

10:41:02.0000 3472 Aha154x - ok

10:41:02.0015 3472 aic78u2 - ok

10:41:02.0015 3472 aic78xx - ok

10:41:02.0171 3472 ALCXWDM (c881453898eec64027274ebb3c8cbc0f) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

10:41:02.0296 3472 ALCXWDM - ok

10:41:02.0312 3472 AliIde - ok

10:41:02.0328 3472 amsint - ok

10:41:02.0343 3472 asc - ok

10:41:02.0359 3472 asc3350p - ok

10:41:02.0375 3472 asc3550 - ok

10:41:02.0406 3472 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

10:41:02.0406 3472 AsyncMac - ok

10:41:02.0437 3472 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

10:41:02.0437 3472 atapi - ok

10:41:02.0453 3472 Atdisk - ok

10:41:02.0468 3472 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

10:41:02.0468 3472 Atmarpc - ok

10:41:02.0546 3472 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

10:41:02.0546 3472 audstub - ok

10:41:02.0625 3472 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

10:41:02.0625 3472 Beep - ok

10:41:02.0750 3472 catchme - ok

10:41:02.0781 3472 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

10:41:02.0781 3472 cbidf2k - ok

10:41:02.0828 3472 cd20xrnt - ok

10:41:02.0843 3472 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

10:41:02.0843 3472 Cdaudio - ok

10:41:02.0875 3472 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

10:41:02.0875 3472 Cdfs - ok

10:41:02.0906 3472 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

10:41:02.0906 3472 Cdrom - ok

10:41:02.0937 3472 Changer - ok

10:41:02.0953 3472 CmdIde - ok

10:41:02.0984 3472 Cpqarray - ok

10:41:03.0000 3472 dac2w2k - ok

10:41:03.0015 3472 dac960nt - ok

10:41:03.0031 3472 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

10:41:03.0031 3472 Disk - ok

10:41:03.0109 3472 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

10:41:03.0140 3472 dmboot - ok

10:41:03.0187 3472 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

10:41:03.0203 3472 dmio - ok

10:41:03.0203 3472 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

10:41:03.0218 3472 dmload - ok

10:41:03.0281 3472 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

10:41:03.0281 3472 DMusic - ok

10:41:03.0296 3472 dpti2o - ok

10:41:03.0312 3472 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

10:41:03.0312 3472 drmkaud - ok

10:41:03.0359 3472 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

10:41:03.0359 3472 Fastfat - ok

10:41:03.0390 3472 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

10:41:03.0406 3472 Fdc - ok

10:41:03.0437 3472 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

10:41:03.0437 3472 Fips - ok

10:41:03.0453 3472 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

10:41:03.0453 3472 Flpydisk - ok

10:41:03.0484 3472 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

10:41:03.0484 3472 FltMgr - ok

10:41:03.0500 3472 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

10:41:03.0500 3472 Fs_Rec - ok

10:41:03.0531 3472 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

10:41:03.0531 3472 Ftdisk - ok

10:41:03.0546 3472 GMSIPCI - ok

10:41:03.0593 3472 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

10:41:03.0593 3472 Gpc - ok

10:41:03.0640 3472 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

10:41:03.0656 3472 HidUsb - ok

10:41:03.0671 3472 hpn - ok

10:41:03.0703 3472 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

10:41:03.0718 3472 HTTP - ok

10:41:03.0734 3472 i2omgmt - ok

10:41:03.0750 3472 i2omp - ok

10:41:03.0781 3472 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

10:41:03.0781 3472 i8042prt - ok

10:41:03.0843 3472 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

10:41:03.0843 3472 ialm - ok

10:41:03.0859 3472 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

10:41:03.0859 3472 Imapi - ok

10:41:03.0890 3472 ini910u - ok

10:41:03.0906 3472 IntelIde - ok

10:41:03.0953 3472 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

10:41:03.0953 3472 intelppm - ok

10:41:04.0015 3472 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

10:41:04.0015 3472 ip6fw - ok

10:41:04.0031 3472 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

10:41:04.0046 3472 IpFilterDriver - ok

10:41:04.0078 3472 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

10:41:04.0078 3472 IpInIp - ok

10:41:04.0156 3472 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

10:41:04.0156 3472 IpNat - ok

10:41:04.0187 3472 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

10:41:04.0187 3472 IPSec - ok

10:41:04.0187 3472 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

10:41:04.0203 3472 IRENUM - ok

10:41:04.0218 3472 is3srv - ok

10:41:04.0281 3472 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

10:41:04.0281 3472 isapnp - ok

10:41:04.0312 3472 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

10:41:04.0312 3472 Kbdclass - ok

10:41:04.0359 3472 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

10:41:04.0359 3472 kbdhid - ok

10:41:04.0437 3472 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

10:41:04.0437 3472 kmixer - ok

10:41:04.0453 3472 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

10:41:04.0468 3472 KSecDD - ok

10:41:04.0515 3472 LANPkt (8bbfbf256493035ae6105b334fce99df) C:\WINDOWS\system32\DRIVERS\LANPkt.sys

10:41:04.0531 3472 LANPkt - ok

10:41:04.0546 3472 lbrtfdc - ok

10:41:04.0593 3472 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

10:41:04.0593 3472 MBAMProtector - ok

10:41:04.0671 3472 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

10:41:04.0671 3472 mnmdd - ok

10:41:04.0718 3472 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

10:41:04.0718 3472 Modem - ok

10:41:04.0765 3472 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

10:41:04.0765 3472 Mouclass - ok

10:41:04.0796 3472 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

10:41:04.0796 3472 mouhid - ok

10:41:04.0828 3472 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

10:41:04.0828 3472 MountMgr - ok

10:41:04.0875 3472 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

10:41:04.0875 3472 MpFilter - ok

10:41:05.0000 3472 MpKsl8baa065b - ok

10:41:05.0015 3472 MpKslab31b5c9 - ok

10:41:05.0015 3472 MpKslb35c1f44 - ok

10:41:05.0031 3472 MpKsle2db9a47 - ok

10:41:05.0062 3472 MpKsle5ff24c5 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ADFDA879-D22E-416B-827E-D76E372E16E0}\MpKsle5ff24c5.sys

10:41:05.0062 3472 MpKsle5ff24c5 - ok

10:41:05.0062 3472 MpKslf004dc8e - ok

10:41:05.0078 3472 mraid35x - ok

10:41:05.0109 3472 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

10:41:05.0109 3472 MRxDAV - ok

10:41:05.0187 3472 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

10:41:05.0218 3472 MRxSmb - ok

10:41:05.0234 3472 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

10:41:05.0234 3472 Msfs - ok

10:41:05.0281 3472 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

10:41:05.0281 3472 MSKSSRV - ok

10:41:05.0312 3472 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

10:41:05.0312 3472 MSPCLOCK - ok

10:41:05.0328 3472 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

10:41:05.0328 3472 MSPQM - ok

10:41:05.0359 3472 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

10:41:05.0359 3472 mssmbios - ok

10:41:05.0406 3472 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

10:41:05.0406 3472 Mup - ok

10:41:05.0421 3472 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

10:41:05.0421 3472 NDIS - ok

10:41:05.0468 3472 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

10:41:05.0484 3472 NdisTapi - ok

10:41:05.0500 3472 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

10:41:05.0500 3472 Ndisuio - ok

10:41:05.0515 3472 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

10:41:05.0515 3472 NdisWan - ok

10:41:05.0546 3472 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

10:41:05.0546 3472 NDProxy - ok

10:41:05.0562 3472 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

10:41:05.0562 3472 NetBIOS - ok

10:41:05.0593 3472 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

10:41:05.0609 3472 NetBT - ok

10:41:05.0640 3472 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

10:41:05.0640 3472 Npfs - ok

10:41:05.0671 3472 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

10:41:05.0671 3472 Ntfs - ok

10:41:05.0734 3472 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

10:41:05.0734 3472 Null - ok

10:41:05.0765 3472 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

10:41:05.0765 3472 NwlnkFlt - ok

10:41:05.0781 3472 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

10:41:05.0781 3472 NwlnkFwd - ok

10:41:05.0828 3472 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

10:41:05.0828 3472 Parport - ok

10:41:05.0843 3472 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

10:41:05.0843 3472 PartMgr - ok

10:41:05.0890 3472 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

10:41:05.0890 3472 ParVdm - ok

10:41:05.0921 3472 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

10:41:05.0921 3472 PCI - ok

10:41:05.0937 3472 PCIDump - ok

10:41:05.0953 3472 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

10:41:05.0953 3472 PCIIde - ok

10:41:05.0984 3472 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

10:41:05.0984 3472 Pcmcia - ok

10:41:06.0000 3472 PDCOMP - ok

10:41:06.0000 3472 PDFRAME - ok

10:41:06.0015 3472 PDRELI - ok

10:41:06.0031 3472 PDRFRAME - ok

10:41:06.0046 3472 perc2 - ok

10:41:06.0062 3472 perc2hib - ok

10:41:06.0156 3472 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

10:41:06.0156 3472 PptpMiniport - ok

10:41:06.0171 3472 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

10:41:06.0171 3472 Processor - ok

10:41:06.0187 3472 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

10:41:06.0187 3472 PSched - ok

10:41:06.0218 3472 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

10:41:06.0234 3472 PSI - ok

10:41:06.0265 3472 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

10:41:06.0265 3472 Ptilink - ok

10:41:06.0281 3472 ql1080 - ok

10:41:06.0296 3472 Ql10wnt - ok

10:41:06.0312 3472 ql12160 - ok

10:41:06.0328 3472 ql1240 - ok

10:41:06.0343 3472 ql1280 - ok

10:41:06.0359 3472 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

10:41:06.0359 3472 RasAcd - ok

10:41:06.0390 3472 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

10:41:06.0390 3472 Rasl2tp - ok

10:41:06.0406 3472 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

10:41:06.0406 3472 RasPppoe - ok

10:41:06.0421 3472 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

10:41:06.0421 3472 Raspti - ok

10:41:06.0453 3472 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

10:41:06.0453 3472 Rdbss - ok

10:41:06.0468 3472 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

10:41:06.0468 3472 RDPCDD - ok

10:41:06.0484 3472 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

10:41:06.0484 3472 rdpdr - ok

10:41:06.0531 3472 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

10:41:06.0531 3472 RDPWD - ok

10:41:06.0546 3472 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

10:41:06.0546 3472 redbook - ok

10:41:06.0625 3472 RTL8023xp (1a2a445e8968b2019e75e08f3a1344fc) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

10:41:06.0625 3472 RTL8023xp - ok

10:41:06.0671 3472 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

10:41:06.0671 3472 Secdrv - ok

10:41:06.0718 3472 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

10:41:06.0718 3472 serenum - ok

10:41:06.0734 3472 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

10:41:06.0734 3472 Serial - ok

10:41:06.0765 3472 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

10:41:06.0765 3472 Sfloppy - ok

10:41:06.0781 3472 Simbad - ok

10:41:06.0812 3472 Sparrow - ok

10:41:06.0859 3472 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

10:41:06.0859 3472 splitter - ok

10:41:06.0875 3472 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

10:41:06.0875 3472 sr - ok

10:41:06.0921 3472 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

10:41:06.0937 3472 Srv - ok

10:41:06.0968 3472 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

10:41:06.0968 3472 swenum - ok

10:41:06.0984 3472 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

10:41:06.0984 3472 swmidi - ok

10:41:07.0000 3472 symc810 - ok

10:41:07.0015 3472 symc8xx - ok

10:41:07.0031 3472 sym_hi - ok

10:41:07.0046 3472 sym_u3 - ok

10:41:07.0109 3472 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

10:41:07.0109 3472 sysaudio - ok

10:41:07.0125 3472 szkg5 - ok

10:41:07.0140 3472 szkgfs - ok

10:41:07.0203 3472 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

10:41:07.0203 3472 Tcpip - ok

10:41:07.0234 3472 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

10:41:07.0234 3472 TDPIPE - ok

10:41:07.0250 3472 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

10:41:07.0250 3472 TDTCP - ok

10:41:07.0281 3472 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

10:41:07.0281 3472 TermDD - ok

10:41:07.0312 3472 TosIde - ok

10:41:07.0359 3472 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

10:41:07.0359 3472 Udfs - ok

10:41:07.0375 3472 ultra - ok

10:41:07.0406 3472 UMSSSTOR (d3c985fa303bc571ce36fbd93b5355b5) C:\WINDOWS\system32\DRIVERS\UMSS.SYS

10:41:07.0406 3472 UMSSSTOR - ok

10:41:07.0453 3472 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

10:41:07.0453 3472 Update - ok

10:41:07.0515 3472 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

10:41:07.0515 3472 usbccgp - ok

10:41:07.0578 3472 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

10:41:07.0578 3472 usbehci - ok

10:41:07.0593 3472 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

10:41:07.0593 3472 usbhub - ok

10:41:07.0640 3472 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

10:41:07.0640 3472 usbprint - ok

10:41:07.0671 3472 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

10:41:07.0671 3472 usbscan - ok

10:41:07.0703 3472 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

10:41:07.0703 3472 USBSTOR - ok

10:41:07.0734 3472 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

10:41:07.0734 3472 usbuhci - ok

10:41:07.0781 3472 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

10:41:07.0781 3472 VgaSave - ok

10:41:07.0796 3472 ViaIde - ok

10:41:07.0843 3472 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

10:41:07.0843 3472 VolSnap - ok

10:41:07.0890 3472 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

10:41:07.0890 3472 Wanarp - ok

10:41:07.0906 3472 WDICA - ok

10:41:07.0953 3472 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

10:41:07.0953 3472 wdmaud - ok

10:41:08.0078 3472 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

10:41:08.0078 3472 WudfPf - ok

10:41:08.0093 3472 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

10:41:08.0093 3472 WudfRd - ok

10:41:08.0171 3472 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys

10:41:08.0187 3472 {6080A529-897E-4629-A488-ABA0C29B635E} - ok

10:41:08.0218 3472 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys

10:41:08.0218 3472 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok

10:41:08.0250 3472 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0

10:41:08.0250 3472 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected

10:41:08.0250 3472 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)

10:41:08.0250 3472 Boot (0x1200) (d418bd5a72b52a9f17372dacdbbb7513) \Device\Harddisk0\DR0\Partition0

10:41:08.0250 3472 \Device\Harddisk0\DR0\Partition0 - ok

10:41:08.0250 3472 ============================================================

10:41:08.0250 3472 Scan finished

10:41:08.0250 3472 ============================================================

10:41:08.0265 2584 Detected object count: 1

10:41:08.0265 2584 Actual detected object count: 1

10:42:55.0328 2584 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - will be cured on reboot

10:42:55.0328 2584 \Device\Harddisk0\DR0 - ok

10:42:55.0328 2584 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure

10:43:07.0609 3584 Deinitialize success

Please don't give up on me. I am having some minor surgery today and will be out of commission for a bit. As soon as I am able, I will check back in and see if the problem is continuing with this computer. It's been okay for the past five minutes since the two scans were completed (and that is an accomplishment). Thank you again - I will log back in as soon as I can. BJK

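The TDSSKiller log above ends with the scanner hashing the MBR of \Device\Harddisk0\DR0 and reporting it as Rootkit.Boot.SST.a, with the cure deferred to the next reboot. As an added example (not part of this thread and not code from TDSSKiller or Malwarebytes), the following Python script parses log lines in that shape and pulls out the hashed objects, the detections with their sequence of verdicts, and whether a cure is still pending a reboot, which is how a helper triaging many such logs would read them rather than scanning them by eye. The sample lines are constructed from the entries shown above and abbreviated; the regular expressions describe the format as it appears in this thread, and the names `ScanSummary`, `parse_tdsskiller`, `needs_reboot`, `entries_without_file` and `report` are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape TDSSKiller 2.6.x prints, abbreviated from the
# thread above. Every line is "HH:MM:SS.mmmm <thread-id> <message>".
SAMPLE_LOG = r"""
10:41:01.0296 3472 Scan started
10:41:01.0765 3472 Abiosdsk - ok
10:41:01.0828 3472 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:41:01.0828 3472 ACPI - ok
10:41:08.0250 3472 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
10:41:08.0250 3472 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected
10:41:08.0250 3472 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
10:41:08.0250 3472 Boot (0x1200) (d418bd5a72b52a9f17372dacdbbb7513) \Device\Harddisk0\DR0\Partition0
10:41:08.0250 3472 \Device\Harddisk0\DR0\Partition0 - ok
10:41:08.0250 3472 Scan finished
10:41:08.0265 2584 Detected object count: 1
10:42:55.0328 2584 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - will be cured on reboot
10:42:55.0328 2584 \Device\Harddisk0\DR0 - ok
10:42:55.0328 2584 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# "<object> (<md5>) <path>": a driver, the MBR or a boot sector together with its hash
HASH_RE = re.compile(r"^(?P<obj>\S+(?: \(0x[0-9A-Fa-f]+\))?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<object> ( <threat> ) - <verdict>": infected / will be cured on reboot / User select action
THREAT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<threat>\S+) \) - (?P<verdict>.+)$")
# "<object> - detected <threat> (<n>)"
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+)")
OK_RE = re.compile(r"^(?P<obj>.+?) - ok$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class ScanSummary:
    hashes: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # object -> (md5, path)
    ok: Set[str] = field(default_factory=set)
    detections: Dict[str, dict] = field(default_factory=dict)         # object -> {"threat", "verdicts"}
    detected_count: Optional[int] = None

    def note(self, obj: str, threat: str, verdict: str) -> None:
        d = self.detections.setdefault(obj, {"threat": threat, "verdicts": []})
        d["verdicts"].append(verdict)


def parse_tdsskiller(text: str) -> ScanSummary:
    """Parse TDSSKiller-style log text (assumed format, see SAMPLE_LOG) into a ScanSummary."""
    s = ScanSummary()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # banner, blank or "====" separator line
        msg = line.group("msg")
        m = HASH_RE.match(msg)
        if m:
            s.hashes[m["obj"]] = (m["md5"], m["path"])
            continue
        m = THREAT_RE.match(msg)
        if m:
            s.note(m["obj"], m["threat"], m["verdict"])
            continue
        m = DETECTED_RE.match(msg)
        if m:
            s.note(m["obj"], m["threat"], "detected")
            continue
        m = OK_RE.match(msg)
        if m:
            s.ok.add(m["obj"])
            continue
        m = COUNT_RE.match(msg)
        if m:
            s.detected_count = int(m["n"])
    return s


def needs_reboot(s: ScanSummary) -> bool:
    """True when a cure was deferred to the next boot, as with the MBR above."""
    return any("cured on reboot" in v for d in s.detections.values() for v in d["verdicts"])


def entries_without_file(s: ScanSummary) -> Set[str]:
    """Entries reported '- ok' without a preceding hash line, i.e. no driver file
    was examined for them; these deserve a second look in the registry services list."""
    hashed_paths = {path for _, path in s.hashes.values()}
    return {o for o in s.ok
            if o not in s.hashes and o not in hashed_paths and o not in s.detections}


def report(s: ScanSummary) -> List[str]:
    lines = [f"hashed objects: {len(s.hashes)}, ok: {len(s.ok)}, detected: {s.detected_count}"]
    for obj, d in s.detections.items():
        lines.append(f"{obj}: {d['threat']} -> {' / '.join(d['verdicts'])}")
    if needs_reboot(s):
        lines.append("cure deferred: reboot, then rescan and confirm the MBR hash has changed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_tdsskiller(SAMPLE_LOG))))
```

The verdict sequence the parser keeps for one object (infected, detected, will be cured on reboot, User select action: Cure) mirrors what the log above shows, and the reboot check is the part worth automating: a boot-sector cure that TDSSKiller defers is not done until the machine has restarted and a second scan shows a different MBR hash.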

  • Staff

Hi,

Hope your surgery went well.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hello again. Here are the logs:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=41217

esets_scanner_update returned -1 esets_gle=1

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=f1d348ec7339014288c87e28e1fd50b3

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-10-07 04:48:37

# local_time=2011-10-07 12:48:37 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5891 16776533 42 87 0 13934930 0 0

# compatibility_mode=8192 67108863 100 0 728894 728894 0 0

# scanned=68628

# found=9

# cleaned=9

# scan_time=2458

C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\6.0\0\43296140-70EDDA67.0 a variant of Java/TrojanDownloader.Agent.ME trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036206.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036207.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036208.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036209.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036210.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP265\A0036211.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C440701C-667C-4446-8927-3C6397F456E2}\RP273\A0036520.dll Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

*****************************

Results of screen317's Security Check version 0.99.21

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

FixCleaner

Java 6 Update 26

Out of date Java installed!

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````

The computer seems to be operating normally. There have not been any attempts from the various "potentially malicious" websites since I re-ran ComboFix and TDSSKiller (your instructions from two times ago). So I think that you have fixed it!

Do I need to uninstall and/or delete any of the programs that I have used?

I am very appreciative of all of your help. This computer belongs to my brother and he too is thrilled it is fixed. Thank you very much!


  • Staff

Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck, DDS, and all associated logs.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 26

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317


Hi -

Yes, I am still here. I can't access the computer until next week (I returned it to my brother and won't get to his house until then). I will do all of the things that you have indicated and then let you know how things are going. Thank you for your patience.

BJK


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.