I became infected with the System Security 2012 virus. I figured it was a virus so I did not click on the program. I was able to delete the executable file for it and then rebooted. I realized the virus was still there though, as my computer was not behaving properly. I went on-line and googled for info about removing the virus. A post (not from here) stated to download Spyware Doctor to remove it. To make a long story short, not only did it not get rid of it, but while running the scan (which took 6 hours) I left for an hour to get lunch and when I returned the anti-spyware program was no longer running and instead another spam anti-virus program had taken over (System Protection?? I think). I can no longer boot up except in safe mode. I went on-line on another computer and did more research, and it looks like your program offers a good chance of success. I bought Malwarebytes Pro and ran both scans. Still won't boot up in regular mode, so I ran a quick scan and then a complete scan (very fast I might add). I've copied the logs from those scans. Still won't boot up normally, so I ran DDS. I've copied the one log and attached the other. Thanks so much for any help you can give me.

Quick scan:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8166

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 6.0.2900.2180

11/15/2011 10:59:07 AM

mbam-log-2011-11-15 (10-59-06).txt

Scan type: Quick scan

Objects scanned: 200013

Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s3ppmGG5sQJdE8g (Malware.Packer) -> Value: s3ppmGG5sQJdE8g -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I0uuccS2i8234A (Trojan.FakeAlert.CLGen) -> Value: I0uuccS2i8234A -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Danny\application data\dwme.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\privacy.exe (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Danny\local settings\Temp\dwme.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\84D.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\852.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Danny\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.

Complete Scan:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8166

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 6.0.2900.2180

11/15/2011 12:05:48 PM

mbam-log-2011-11-15 (12-05-48).txt

Scan type: Full scan (C:\|)

Objects scanned: 303218

Time elapsed: 32 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Danny\application data\Sun\Java\deployment\cache\6.0\5\35223b45-68aa7332 (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1242\A0073725.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1245\A0083805.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1245\A0083806.exe (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24

Run by Danny at 13:55:14 on 2011-11-15

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3145 [GMT -6:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080315

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.dell.com

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [secureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [Net-It Launcher] c:\windows\system32\NILaunch.exe

mRun: [sSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot

mRun: [statusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto

mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe

mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks premier\norton cleanup\WCQuick.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

LSP: mswsock.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: Interfaces\{5E559A1B-79FC-43D2-BAFC-F66DD30E22F0} : DhcpNameServer = 192.168.1.1

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll

Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\danny\application data\mozilla\firefox\profiles\oplkkyif.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-11-8 218592]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-2-12 57440]

S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-11-8 112592]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]

S2 hpbecp00;hpbecp00;c:\windows\system32\drivers\HPBECP00.SYS [1997-11-17 28768]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-15 366152]

S2 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-6-27 3425632]

S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-11-8 366840]

S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-11-8 1142224]

S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-15 22216]

S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2011-2-21 704000]

S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2011-2-21 24192]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-7-6 437248]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-11-8 233136]

S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2011-11-8 63360]

.

=============== Created Last 30 ================

.

2011-11-15 19:26:11 6850 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-11-15 15:09:44 -------- d-----w- c:\documents and settings\danny\application data\Malwarebytes

2011-11-15 15:09:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-15 15:09:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-15 15:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-08 16:11:23 767952 ----a-w- c:\windows\BDTSupport.dll

2011-11-08 16:11:23 165840 ----a-w- c:\windows\PCTBDRes.dll

2011-11-08 16:11:23 1652688 ----a-w- c:\windows\PCTBDCore.dll

2011-11-08 16:11:23 149456 ----a-w- c:\windows\SGDetectionTool.dll

2011-11-08 16:04:03 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-11-08 16:03:59 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-11-08 16:03:59 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-11-08 16:03:56 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-11-08 16:03:50 -------- d-----w- c:\program files\Spyware Doctor

2011-11-08 16:03:50 -------- d-----w- c:\program files\common files\PC Tools

2011-11-08 16:03:50 -------- d-----w- c:\documents and settings\danny\application data\PC Tools

2011-11-08 16:03:50 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-11-08 13:27:51 -------- d-----w- c:\documents and settings\danny\application data\ymmGG5sQJ6dE8gZ

2011-11-07 22:19:14 -------- d-----w- c:\documents and settings\danny\application data\fxxPP0ucS2

2011-11-07 22:19:13 -------- d-----w- c:\documents and settings\danny\application data\i22oobF4pmH5QJd

2011-11-07 22:14:22 -------- d-----w- c:\documents and settings\danny\application data\YEKK88gRZq

2011-11-07 22:14:22 -------- d-----w- c:\documents and settings\danny\application data\DhhYXXwkUVrlBt

2011-11-07 22:14:17 -------- d-----w- c:\documents and settings\danny\application data\fgTTZZqjYCekrON

2011-11-07 22:14:15 -------- d-----w- c:\documents and settings\danny\application data\KFF4ppmH5sW7dL8

2011-10-31 18:15:41 -------- d-----w- c:\program files\common files\Hewlett-Packard

2011-10-31 18:14:05 273408 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp6de.DLL

2011-10-31 18:14:05 149504 ----a-w- c:\windows\system32\hpcpn6de.dll

.

==================== Find3M ====================

.

2011-08-22 10:39:52 52080 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll

2011-08-22 10:39:46 113008 ----a-w- c:\windows\system32\gotomon.dll

.

============= FINISH: 13:55:32.23 ===============

attach.txt
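As an added example (not code from the original post, nor from Malwarebytes), here is a small Python parser for the MBAM 1.x text-log format shown above: it cross-checks each declared "X Infected: N" count against the items actually listed, pulls out the Run-key persistence entries, and totals the detection names. The embedded sample is a constructed excerpt of the quick-scan log in this post.

```python
import re
from collections import Counter

# Constructed sample input: an excerpt of the quick-scan log quoted in this post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8166
Windows 5.1.2600 Service Pack 2 (Safe Mode)

Scan type: Quick scan
Objects scanned: 200013

Memory Processes Infected: 0
Registry Values Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s3ppmGG5sQJdE8g (Malware.Packer) -> Value: s3ppmGG5sQJdE8g -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I0uuccS2i8234A (Trojan.FakeAlert.CLGen) -> Value: I0uuccS2i8234A -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Danny\application data\dwme.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\privacy.exe (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Danny\local settings\Temp\dwme.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\84D.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\852.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Danny\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Split an MBAM 1.x text log into header metadata, declared counts and listed items."""
    meta, summary, items, section = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # "Files Infected: 6" (declared count)
            summary[m["category"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:                                   # "Files Infected:" opens a listing section
            section = m["category"]
            items.setdefault(section, [])
            continue
        m = ENTRY_RE.match(line) if section is not None else None
        if m:                                   # one detection line inside a section
            parts = [p.strip() for p in m["rest"].split("->")]
            value = next((p[len("Value: "):] for p in parts if p.startswith("Value: ")), None)
            items[section].append({"path": m["path"], "detection": m["detection"],
                                   "value": value, "action": parts[-1].rstrip(".")})
        elif ": " in line:                      # header metadata such as "Database version: 8166"
            key, _, val = line.partition(": ")  # "(No malicious items detected)" has no ": " and is skipped
            meta[key] = val
    return {"meta": meta, "summary": summary, "items": items}


def count_mismatches(parsed):
    """Categories whose declared count disagrees with what is listed: a truncated or edited log."""
    return [(cat, n, len(parsed["items"].get(cat, [])))
            for cat, n in parsed["summary"].items()
            if n != len(parsed["items"].get(cat, []))]


def autorun_entries(parsed):
    """Registry values under a Run/RunOnce key: how the fake AV restarted itself at each logon."""
    return [e for e in parsed["items"].get("Registry Values Infected", [])
            if RUN_KEY_RE.search(e["path"])]


def detection_counts(parsed):
    """Number of items per detection name across every section."""
    return Counter(e["detection"] for entries in parsed["items"].values() for e in entries)


def unresolved(parsed):
    """Items whose action is not a successful quarantine; these need manual follow-up."""
    return [e for entries in parsed["items"].values() for e in entries
            if not e["action"].startswith("Quarantined and deleted successfully")]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("database", parsed["meta"].get("Database version"), "-", parsed["meta"].get("Scan type"))
    for cat, declared, listed in count_mismatches(parsed):
        print(f"count mismatch in {cat}: declared {declared}, listed {listed}")
    for e in autorun_entries(parsed):
        print("persistence:", e["value"], e["detection"])
    for name, n in detection_counts(parsed).most_common():
        print(f"{n:2d}  {name}")
    print("unresolved:", len(unresolved(parsed)))
```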

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Thanks for the reply. Yes I would like to proceed with trying to clean the infection. As an update, after removing everything found by both an mbam quick scan and then a full scan (it found 2 more trojans on the full scan) and a few reboots, I am able to boot up in normal mode (XP svc pk 3). I get near constant notifications that Malwarebytes Pro has blocked an outgoing attempt to contact a malicious website. After some time Malwarebytes found another trojan and quarantined it. I have now disconnected the computer from the internet (I am on a different computer now).

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


Sorry I took so long. My infected computer was at another location. I now have them both here, so if you are still available I am here to follow any further instructions. Thanks so much for the help.

Ran the program. 1 threat was found and cured. A reboot was required. The contents of the log file are below. At the present time the computer is constantly trying to contact one of several malicious websites if connected to the internet, which it is not. Even without being connected to the Internet the computer shuts off on its own if left on without any activity for a length of time.

16:32:13.0265 1968 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50

16:32:13.0343 1968 ============================================================

16:32:13.0343 1968 Current date / time: 2011/11/19 16:32:13.0343

16:32:13.0343 1968 SystemInfo:

16:32:13.0343 1968

16:32:13.0343 1968 OS Version: 5.1.2600 ServicePack: 2.0

16:32:13.0343 1968 Product type: Workstation

16:32:13.0343 1968 ComputerName: SOAP-NOTES-2

16:32:13.0343 1968 UserName: Danny

16:32:13.0343 1968 Windows directory: C:\WINDOWS

16:32:13.0343 1968 System windows directory: C:\WINDOWS

16:32:13.0343 1968 Processor architecture: Intel x86

16:32:13.0343 1968 Number of processors: 2

16:32:13.0343 1968 Page size: 0x1000

16:32:13.0343 1968 Boot type: Normal boot

16:32:13.0343 1968 ============================================================

16:32:14.0906 1968 Initialize success

16:32:18.0015 6112 ============================================================

16:32:18.0015 6112 Scan started

16:32:18.0015 6112 Mode: Manual;

16:32:18.0015 6112 ============================================================


16:32:22.0546 6112 dpti2o - ok

16:32:22.0625 6112 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

16:32:22.0640 6112 drmkaud - ok

16:32:22.0718 6112 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

16:32:22.0718 6112 DRVMCDB - ok

16:32:22.0734 6112 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

16:32:22.0734 6112 DRVNDDM - ok

16:32:22.0812 6112 DXEC01 (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys

16:32:22.0828 6112 DXEC01 - ok

16:32:22.0859 6112 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

16:32:22.0875 6112 E100B - ok

16:32:22.0921 6112 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

16:32:22.0921 6112 Fastfat - ok

16:32:22.0953 6112 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

16:32:22.0953 6112 Fdc - ok

16:32:23.0031 6112 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

16:32:23.0031 6112 Fips - ok

16:32:23.0078 6112 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

16:32:23.0078 6112 Flpydisk - ok

16:32:23.0125 6112 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

16:32:23.0125 6112 FltMgr - ok

16:32:23.0156 6112 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

16:32:23.0156 6112 Fs_Rec - ok

16:32:23.0171 6112 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

16:32:23.0171 6112 Ftdisk - ok

16:32:23.0218 6112 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

16:32:23.0218 6112 GEARAspiWDM - ok

16:32:23.0250 6112 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

16:32:23.0250 6112 Gpc - ok

16:32:23.0281 6112 guardian2 (7031a936832967a93b0e5d5f1c76745a) C:\WINDOWS\system32\Drivers\oz776.sys

16:32:23.0281 6112 guardian2 - ok

16:32:23.0343 6112 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

16:32:23.0343 6112 HDAudBus - ok

16:32:23.0421 6112 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

16:32:23.0421 6112 HidUsb - ok

16:32:23.0453 6112 hpbecp00 (119b3762c5180ae42788bbddb693ee26) C:\WINDOWS\system32\drivers\hpbecp00.sys

16:32:23.0468 6112 hpbecp00 - ok

16:32:23.0531 6112 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

16:32:23.0531 6112 hpn - ok

16:32:23.0578 6112 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

16:32:23.0593 6112 HSFHWAZL - ok

16:32:23.0625 6112 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

16:32:23.0718 6112 HSF_DPV - ok

16:32:23.0750 6112 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys

16:32:23.0750 6112 HTTP - ok

16:32:23.0781 6112 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

16:32:23.0781 6112 i2omgmt - ok

16:32:23.0812 6112 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys

16:32:23.0812 6112 i2omp - ok

16:32:23.0859 6112 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

16:32:23.0859 6112 i8042prt - ok

16:32:23.0890 6112 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

16:32:23.0890 6112 Imapi - ok

16:32:23.0937 6112 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

16:32:23.0937 6112 ini910u - ok

16:32:23.0984 6112 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

16:32:23.0984 6112 IntelIde - ok

16:32:24.0046 6112 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

16:32:24.0046 6112 intelppm - ok

16:32:24.0078 6112 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

16:32:24.0078 6112 Ip6Fw - ok

16:32:24.0109 6112 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

16:32:24.0109 6112 IpFilterDriver - ok

16:32:24.0140 6112 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

16:32:24.0140 6112 IpInIp - ok

16:32:24.0187 6112 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

16:32:24.0187 6112 IpNat - ok

16:32:24.0250 6112 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

16:32:24.0250 6112 IPSec - ok

16:32:24.0281 6112 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

16:32:24.0281 6112 IRENUM - ok

16:32:24.0312 6112 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

16:32:24.0312 6112 isapnp - ok

16:32:24.0375 6112 JSWSCIMD (335a35f4c6c3eee724201eafcd6ffc46) C:\WINDOWS\system32\DRIVERS\jswscimd.sys

16:32:24.0390 6112 JSWSCIMD - ok

16:32:24.0406 6112 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

16:32:24.0406 6112 Kbdclass - ok

16:32:24.0468 6112 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

16:32:24.0468 6112 kbdhid - ok

16:32:24.0531 6112 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

16:32:24.0531 6112 kmixer - ok

16:32:24.0593 6112 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

16:32:24.0593 6112 KSecDD - ok

16:32:24.0609 6112 lbrtfdc - ok

16:32:24.0656 6112 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

16:32:24.0656 6112 MBAMProtector - ok

16:32:24.0703 6112 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

16:32:24.0703 6112 mdmxsdk - ok

16:32:24.0750 6112 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

16:32:24.0765 6112 mnmdd - ok

16:32:24.0781 6112 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

16:32:24.0781 6112 Modem - ok

16:32:24.0843 6112 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

16:32:24.0843 6112 Mouclass - ok

16:32:24.0890 6112 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

16:32:24.0890 6112 mouhid - ok

16:32:24.0921 6112 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

16:32:24.0921 6112 MountMgr - ok

16:32:24.0953 6112 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

16:32:24.0953 6112 mraid35x - ok

16:32:24.0968 6112 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

16:32:24.0968 6112 MRxDAV - ok

16:32:25.0078 6112 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

16:32:25.0078 6112 MRxSmb - ok

16:32:25.0093 6112 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

16:32:25.0109 6112 Msfs - ok

16:32:25.0156 6112 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

16:32:25.0156 6112 MSKSSRV - ok

16:32:25.0171 6112 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

16:32:25.0171 6112 MSPCLOCK - ok

16:32:25.0171 6112 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

16:32:25.0171 6112 MSPQM - ok

16:32:25.0234 6112 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

16:32:25.0234 6112 mssmbios - ok

16:32:25.0296 6112 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

16:32:25.0296 6112 Mup - ok

16:32:25.0390 6112 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

16:32:25.0390 6112 NDIS - ok

16:32:25.0406 6112 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

16:32:25.0406 6112 NdisTapi - ok

16:32:25.0421 6112 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

16:32:25.0421 6112 Ndisuio - ok

16:32:25.0453 6112 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

16:32:25.0453 6112 NdisWan - ok

16:32:25.0484 6112 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

16:32:25.0484 6112 NDProxy - ok

16:32:25.0500 6112 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

16:32:25.0500 6112 NetBIOS - ok

16:32:25.0515 6112 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

16:32:25.0515 6112 NetBT - ok

16:32:25.0671 6112 NETw4x32 (b5ab1108b377b5f3d37409fabda01453) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys

16:32:25.0796 6112 NETw4x32 - ok

16:32:25.0812 6112 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

16:32:25.0812 6112 NIC1394 - ok

16:32:25.0843 6112 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

16:32:25.0843 6112 Npfs - ok

16:32:25.0859 6112 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

16:32:25.0859 6112 Ntfs - ok

16:32:25.0906 6112 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

16:32:25.0906 6112 Null - ok

16:32:26.0265 6112 nv (8129d762cc3e3c5ab9cf2eabc377fb73) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

16:32:26.0562 6112 nv - ok

16:32:26.0609 6112 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

16:32:26.0609 6112 NwlnkFlt - ok

16:32:26.0640 6112 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

16:32:26.0640 6112 NwlnkFwd - ok

16:32:26.0734 6112 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

16:32:26.0734 6112 ohci1394 - ok

16:32:26.0828 6112 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

16:32:26.0843 6112 Parport - ok

16:32:26.0843 6112 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

16:32:26.0843 6112 PartMgr - ok

16:32:26.0890 6112 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

16:32:26.0890 6112 ParVdm - ok

16:32:26.0921 6112 PBADRV (9ec004140e1b675acdeb07f66ee797a4) C:\WINDOWS\system32\DRIVERS\PBADRV.sys

16:32:26.0921 6112 PBADRV - ok

16:32:27.0015 6112 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

16:32:27.0015 6112 PCI - ok

16:32:27.0078 6112 PCIDump - ok

16:32:27.0140 6112 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

16:32:27.0140 6112 PCIIde - ok

16:32:27.0156 6112 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

16:32:27.0156 6112 Pcmcia - ok

16:32:27.0265 6112 PDCOMP - ok

16:32:27.0265 6112 PDFRAME - ok

16:32:27.0281 6112 PDRELI - ok

16:32:27.0390 6112 PDRFRAME - ok

16:32:27.0453 6112 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

16:32:27.0453 6112 perc2 - ok

16:32:27.0500 6112 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

16:32:27.0500 6112 perc2hib - ok

16:32:27.0593 6112 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

16:32:27.0593 6112 PptpMiniport - ok

16:32:27.0609 6112 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

16:32:27.0609 6112 PSched - ok

16:32:27.0625 6112 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

16:32:27.0625 6112 Ptilink - ok

16:32:27.0671 6112 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys

16:32:27.0671 6112 PxHelp20 - ok

16:32:27.0750 6112 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

16:32:27.0750 6112 ql1080 - ok

16:32:27.0843 6112 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

16:32:27.0843 6112 Ql10wnt - ok

16:32:27.0937 6112 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

16:32:27.0937 6112 ql12160 - ok

16:32:28.0000 6112 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

16:32:28.0000 6112 ql1240 - ok

16:32:28.0093 6112 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

16:32:28.0093 6112 ql1280 - ok

16:32:28.0218 6112 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

16:32:28.0218 6112 RasAcd - ok

16:32:28.0328 6112 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

16:32:28.0328 6112 Rasl2tp - ok

16:32:28.0375 6112 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

16:32:28.0375 6112 RasPppoe - ok

16:32:28.0437 6112 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

16:32:28.0453 6112 Raspti - ok

16:32:28.0546 6112 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys

16:32:28.0546 6112 Rdbss - ok

16:32:28.0578 6112 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

16:32:28.0578 6112 RDPCDD - ok

16:32:28.0640 6112 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

16:32:28.0656 6112 rdpdr - ok

16:32:28.0718 6112 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

16:32:28.0734 6112 RDPWD - ok

16:32:28.0765 6112 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

16:32:28.0765 6112 redbook - ok

16:32:28.0812 6112 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

16:32:28.0828 6112 ROOTMODEM - ok

16:32:28.0875 6112 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys

16:32:28.0875 6112 s24trans - ok

16:32:28.0937 6112 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

16:32:28.0937 6112 Secdrv - ok

16:32:28.0984 6112 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

16:32:28.0984 6112 serenum - ok

16:32:29.0000 6112 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

16:32:29.0000 6112 Serial - ok

16:32:29.0046 6112 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

16:32:29.0046 6112 Sfloppy - ok

16:32:29.0062 6112 Simbad - ok

16:32:29.0109 6112 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

16:32:29.0109 6112 sisagp - ok

16:32:29.0171 6112 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

16:32:29.0171 6112 Sparrow - ok

16:32:29.0250 6112 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

16:32:29.0250 6112 splitter - ok

16:32:29.0328 6112 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

16:32:29.0328 6112 sr - ok

16:32:29.0375 6112 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys

16:32:29.0375 6112 Srv - ok

16:32:29.0546 6112 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys

16:32:29.0562 6112 STHDA - ok

16:32:29.0625 6112 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

16:32:29.0625 6112 swenum - ok

16:32:29.0734 6112 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

16:32:29.0734 6112 swmidi - ok

16:32:29.0781 6112 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

16:32:29.0796 6112 symc810 - ok

16:32:29.0843 6112 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

16:32:29.0843 6112 symc8xx - ok

16:32:29.0890 6112 SymIM - ok

16:32:29.0890 6112 SymIMMP - ok

16:32:29.0953 6112 symsnap (66918794b1701990be8510565fbd4bc4) C:\WINDOWS\system32\DRIVERS\symsnap.sys

16:32:29.0953 6112 symsnap - ok

16:32:29.0984 6112 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

16:32:29.0984 6112 sym_hi - ok

16:32:30.0000 6112 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

16:32:30.0015 6112 sym_u3 - ok

16:32:30.0078 6112 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

16:32:30.0078 6112 sysaudio - ok

16:32:30.0187 6112 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys

16:32:30.0187 6112 Tcpip - ok

16:32:30.0281 6112 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys

16:32:30.0281 6112 TcUsb - ok

16:32:30.0328 6112 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

16:32:30.0328 6112 TDPIPE - ok

16:32:30.0484 6112 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

16:32:30.0484 6112 TDTCP - ok

16:32:30.0562 6112 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

16:32:30.0562 6112 TermDD - ok

16:32:30.0609 6112 TfNetMon - ok

16:32:30.0656 6112 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

16:32:30.0656 6112 TosIde - ok

16:32:30.0765 6112 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys

16:32:30.0765 6112 tosporte - ok

16:32:30.0859 6112 tosrfbd (435ac6cc2abed508ac5a495658cbaf0f) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys

16:32:30.0859 6112 tosrfbd - ok

16:32:30.0890 6112 tosrfbnp (90c8525bc578aaffe87c2d0ed4379e9e) C:\WINDOWS\system32\Drivers\tosrfbnp.sys

16:32:30.0890 6112 tosrfbnp - ok

16:32:30.0906 6112 Tosrfcom (4c56f3afc7186335d366e10dd489e852) C:\WINDOWS\system32\Drivers\tosrfcom.sys

16:32:30.0906 6112 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\tosrfcom.sys. Real md5: 4c56f3afc7186335d366e10dd489e852, Fake md5: 5ba1ca3b3cddb1ddc67df473f05d1ec2

16:32:30.0906 6112 Tosrfcom ( Rootkit.Win32.ZAccess.k ) - infected

16:32:30.0906 6112 Tosrfcom - detected Rootkit.Win32.ZAccess.k (0)

16:32:33.0140 6112 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

16:32:33.0312 6112 \Device\Harddisk0\DR0 - ok

16:32:33.0312 6112 Boot (0x1200) (856ce1f650c9f84ef91cb6523cfa341d) \Device\Harddisk0\DR0\Partition0

16:32:33.0312 6112 \Device\Harddisk0\DR0\Partition0 - ok

16:32:33.0328 6112 ============================================================

16:32:33.0328 6112 Scan finished

16:32:33.0328 6112 ============================================================

16:32:33.0343 5492 Detected object count: 1

16:32:33.0343 5492 Actual detected object count: 1

16:33:00.0546 5492 Backup copy found, using it..

16:33:00.0546 5492 C:\WINDOWS\system32\Drivers\tosrfcom.sys - will be cured on reboot

16:33:03.0171 5492 Tosrfcom ( Rootkit.Win32.ZAccess.k ) - User select action: Cure

16:33:11.0937 4604 Deinitialize success


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Ran ComboFix. Said it found a Rootkit.ZeroAccess infection. Log is as follows:

ComboFix 11-11-19.04 - Danny 11/19/2011 22:34:45.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3116 [GMT -6:00]

Running from: c:\documents and settings\Danny\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Danny\g2mdlhlpx.exe

c:\documents and settings\Danny\WINDOWS

c:\windows\$NtUninstallKB18987$

c:\windows\$NtUninstallKB18987$\2659429918

c:\windows\$NtUninstallKB18987$\2752048675\@

c:\windows\$NtUninstallKB18987$\2752048675\bckfg.tmp

c:\windows\$NtUninstallKB18987$\2752048675\cfg.ini

c:\windows\$NtUninstallKB18987$\2752048675\Desktop.ini

c:\windows\$NtUninstallKB18987$\2752048675\keywords

c:\windows\$NtUninstallKB18987$\2752048675\kwrd.dll

c:\windows\$NtUninstallKB18987$\2752048675\L\iahonoel

c:\windows\$NtUninstallKB18987$\2752048675\lsflt7.ver

c:\windows\$NtUninstallKB18987$\2752048675\U\00000001.@

c:\windows\$NtUninstallKB18987$\2752048675\U\00000002.@

c:\windows\$NtUninstallKB18987$\2752048675\U\00000004.@

c:\windows\$NtUninstallKB18987$\2752048675\U\80000000.@

c:\windows\$NtUninstallKB18987$\2752048675\U\80000004.@

c:\windows\$NtUninstallKB18987$\2752048675\U\80000032.@

c:\windows\CSC\d6

c:\windows\dasetup.log

c:\windows\system32\AutoRun.inf

c:\windows\system32\gotomon.log

c:\windows\system32\waveGina.dll

c:\windows\winhelp.ini

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_COMSYSAPP

-------\Service_COMSysApp

.

.

((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))

.

.

2011-11-16 03:33 . 2011-11-16 04:15 6850 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-11-16 02:10 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-11-15 15:09 . 2011-11-15 15:09 -------- d-----w- c:\documents and settings\Danny\Application Data\Malwarebytes

2011-11-15 15:09 . 2011-11-15 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-15 15:09 . 2011-11-15 19:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-15 15:09 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-09 19:42 . 2011-11-09 19:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-11-09 18:55 . 2011-11-09 18:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird

2011-11-09 18:55 . 2011-11-09 18:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird

2011-11-08 16:03 . 2011-11-16 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-11-08 13:51 . 2011-11-08 13:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-08 13:27 . 2011-11-08 13:27 -------- d-----w- c:\documents and settings\Danny\Application Data\ymmGG5sQJ6dE8gZ

2011-11-07 22:19 . 2011-11-07 22:19 -------- d-----w- c:\documents and settings\Danny\Application Data\fxxPP0ucS2

2011-11-07 22:19 . 2011-11-07 22:19 -------- d-----w- c:\documents and settings\Danny\Application Data\i22oobF4pmH5QJd

2011-11-07 22:14 . 2011-11-07 22:14 -------- d-----w- c:\documents and settings\Danny\Application Data\YEKK88gRZq

2011-11-07 22:14 . 2011-11-07 22:14 -------- d-----w- c:\documents and settings\Danny\Application Data\DhhYXXwkUVrlBt

2011-11-07 22:14 . 2011-11-07 22:14 -------- d-----w- c:\documents and settings\Danny\Application Data\fgTTZZqjYCekrON

2011-11-07 22:14 . 2011-11-07 22:14 -------- d-----w- c:\documents and settings\Danny\Application Data\KFF4ppmH5sW7dL8

2011-10-31 18:15 . 2011-10-31 18:15 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2011-10-31 18:14 . 2008-10-23 17:51 273408 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp6de.DLL

2011-10-31 18:14 . 2008-10-23 17:50 149504 ----a-w- c:\windows\system32\hpcpn6de.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-20 04:47 . 2008-03-20 17:00 0 ----a-w- c:\documents and settings\Danny\Local Settings\Application Data\WavXMapDrive.bat

2011-11-19 22:34 . 2008-03-15 23:04 64896 ----a-w- c:\windows\system32\drivers\tosrfcom.sys

2011-08-22 10:39 . 2008-03-29 04:30 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll

2011-08-22 10:39 . 2008-03-29 04:30 113008 ----a-w- c:\windows\system32\gotomon.dll

2011-10-03 14:29 . 2011-05-13 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-15 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]

"nwiz"="nwiz.exe" [2007-05-31 1626112]

"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]

"NvMediaCenter"="NvMCTray.dll" [2007-05-31 81920]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]

"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2011-08-30 46520]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-15 1838592]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]

"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]

"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-10 188416]

"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2008-05-07 2037088]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]

"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2011-08-30 738776]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2009-9-23 1791320]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-15 50688]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]

2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2011-08-22 10:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

.

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 1:21 PM 79432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/15/2011 9:09 AM 366152]

R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [06/27/2007 5:45 PM 3425632]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/02/2006 11:32 AM 97536]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [02/12/2008 6:05 PM 57440]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/15/2011 9:09 AM 22216]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [03/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/16/2010 9:58 PM 135664]

S2 hpbecp00;hpbecp00;c:\windows\system32\drivers\HPBECP00.SYS [11/17/1997 6:11 AM 28768]

S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [08/11/2004 5:00 PM 5120]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [07/24/2003 12:10 PM 17149]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/16/2010 9:58 PM 135664]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WNDA3100\jswpsapi.exe [02/27/2008 11:54 AM 360547]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [02/21/2011 9:10 AM 704000]

S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [02/21/2011 9:10 AM 24192]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [07/06/2008 7:21 PM 437248]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [03/18/2010 12:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 03:58]

.

2011-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 03:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\oplkkyif.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-96238558.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-19 22:47

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1700)

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

.

- - - - - - - > 'lsass.exe'(1756)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(2304)

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\acs.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Citrix\GoToMyPC\g2svc.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\StacSV.exe

c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\RunDLL32.exe

c:\program files\Apoint\ApMsgFwd.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

.

**************************************************************************

.

Completion time: 2011-11-19 22:52:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-20 04:52

.

Pre-Run: 56,571,392,000 bytes free

Post-Run: 57,562,374,144 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - D32A58446FD3C3C038826E9624C1CB91

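The log above is the kind of thing a helper reads by eye: random-looking folder names created under Application Data in the days before the infection was noticed, Winlogon Notify DLLs and LSA authentication packages (persistence points that need checking, not automatically bad; here they belong to GoToMyPC and the Wave Systems software installed on this Dell), and registry values that switch off Security Center monitoring or the Windows Firewall. As an added example, not code from this thread or from Malwarebytes or ComboFix, the following Python script pulls those items out of a ComboFix-style log. The sample lines are a short excerpt copied from the log above; the name-scoring threshold and the assumption that a clean XP LSA lists only msv1_0 are mine, and every hit still needs a manual look.

```python
"""Triage helper for ComboFix-style logs (added example, not a Malwarebytes
or ComboFix tool). Reports random-looking folders created under Application
Data, Winlogon Notify DLLs and non-default LSA authentication packages (both
'verify', not 'malicious'), and registry values that disable Security Center
monitoring or the Windows Firewall. Heuristics only: confirm each hit by hand."""
import re

# Constructed excerpt of the ComboFix log posted above (backslashes doubled
# for the Python string); not the full log.
SAMPLE_LOG = """\
2011-11-15 15:09 . 2011-11-15 15:09 -------- d-----w- c:\\documents and settings\\Danny\\Application Data\\Malwarebytes
2011-11-09 18:55 . 2011-11-09 18:55 -------- d-----w- c:\\documents and settings\\NetworkService\\Application Data\\Thunderbird
2011-11-08 16:03 . 2011-11-16 04:19 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\PC Tools
2011-11-08 13:27 . 2011-11-08 13:27 -------- d-----w- c:\\documents and settings\\Danny\\Application Data\\ymmGG5sQJ6dE8gZ
2011-11-07 22:19 . 2011-11-07 22:19 -------- d-----w- c:\\documents and settings\\Danny\\Application Data\\fxxPP0ucS2
2011-11-07 22:14 . 2011-11-07 22:14 -------- d-----w- c:\\documents and settings\\Danny\\Application Data\\YEKK88gRZq
2011-10-31 18:14 . 2008-10-23 17:51 273408 ----a-w- c:\\windows\\system32\\Spool\\prtprocs\\w32x86\\hpcpp6de.DLL
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\GoToMyPC]
2011-08-22 10:39 15216 ----a-w- c:\\program files\\Citrix\\GoToMyPC\\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "Files Created" entries: created . modified size attrs path
CREATED_RE = re.compile(rf"^{STAMP} \. {STAMP} (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
# Single-stamp file lines listed under a registry key (e.g. Winlogon Notify DLLs)
KEYFILE_RE = re.compile(rf"^{STAMP} \S+ \S+ (?P<path>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\S+)')

SUSPICIOUS_SCORE = 2                 # threshold for name_score() (assumption)
DEFAULT_AUTH_PACKAGES = {"msv1_0"}   # what a clean XP LSA lists (assumption)


def name_score(name):
    """Count traits of machine-generated names: digit runs embedded between
    letters, and uppercase runs of 2+ letters directly after a lowercase letter.
    CamelCase product names score 0; ymmGG5sQJ6dE8gZ scores 5."""
    embedded_digits = len(re.findall(r"(?<=[A-Za-z])\d+(?=[A-Za-z])", name))
    inner_caps_runs = len(re.findall(r"(?<=[a-z])[A-Z]{2,}", name))
    return embedded_digits + inner_caps_runs


def triage(log_text):
    """Return a list of (category, detail) findings in log order."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = CREATED_RE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            folder = path.rsplit("\\", 1)[-1]
            # Only directories created under a profile's Application Data are scored.
            if attrs.startswith("d") and "\\application data\\" in path.lower():
                score = name_score(folder)
                if score >= SUSPICIOUS_SCORE:
                    findings.append(("random-looking AppData folder", f"{path} (score {score})"))
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if "\\winlogon\\notify\\" in key:
            m = KEYFILE_RE.match(line)
            if m:
                findings.append(("Winlogon Notify DLL (verify)", m.group("path")))
            continue
        if line.startswith("Authentication Packages"):
            for pkg in line.split("REG_MULTI_SZ", 1)[-1].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("non-default LSA authentication package (verify)", pkg))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.group("name").lower(), v.group("value").lower()
        # Only the top-level Monitoring key is reported: the per-product subkeys
        # (SymantecAntiVirus, ...) are normally written by the AV product itself.
        if key.endswith("security center\\monitoring") and name == "disablemonitoring" and value == "dword:00000001":
            findings.append(("Security Center monitoring disabled", key))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and value == "0":
            findings.append(("Windows Firewall off (standard profile)", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

Feed it the whole ComboFix.txt instead of SAMPLE_LOG and the three random-named folders, the two "verify" items and the two disabled defenses come out; Malwarebytes, Thunderbird and PC Tools score 0 and stay quiet. The scoring is deliberately crude (it keys on digits wedged between letters and capital runs after lowercase, the pattern of the folder names in this log) and is a starting point for a manual review, not a verdict.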

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START > Run
  • Now type ComboFix /Uninstall in the Run box and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START > Search
  • Now type ComboFix /Uninstall in the Search box and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Use a secure browsing plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • Java - Click this link and click on the Free Java Download.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

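The Internet Explorer steps in the reply above are GUI clicks, which is fine for one machine but hard to verify afterwards or repeat on several. The six settings live as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone; action 0 = Enable, 1 = Prompt, 3 = Disable), using the setting IDs Microsoft documents for the URL security zone registry entries. As an added example, not the helper's or Microsoft's code, the Python below audits an export of that key against the recommended actions and writes a .reg fragment for whatever is looser. It assumes you exported the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; the sample export embedded in the script is constructed for the example and is not this user's registry.

```python
"""Audit the IE Internet-zone settings named in the reply above (added example,
not the helper's or Microsoft's code). Parses a `reg export` of the Zones\\3 key,
lists settings looser than recommended, and builds a .reg fragment to fix them."""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3           # IE zone action values
ACTION = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# Setting IDs under Zones\3 and the actions the reply above asks for.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Constructed sample of `reg export` output for a loosely configured profile.
# The values are made up for this example, not taken from the thread.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"1800"=dword:00000000
"1804"=dword:00000001
"1607"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_zone_export(reg_text):
    """Return {value_name: int} for the DWORD values found under the Zones\\3 key."""
    values, in_zone3 = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone3 = line[1:-1].lower() == ZONE3_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone3 and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(reg_text):
    """List (id, label, current, wanted) for every setting looser than recommended.

    Disable (3) is stricter than Prompt (1), so an already-disabled setting is
    accepted where Prompt is asked for. A value missing from the export is
    reported with current=None, because the export then does not show what IE
    is applying and the setting should be set explicitly."""
    current = parse_zone_export(reg_text)
    return [(sid, label, current.get(sid), wanted)
            for sid, (label, wanted) in RECOMMENDED.items()
            if current.get(sid) is None or current[sid] < wanted]


def remediation_reg(findings):
    """Build a .reg fragment that sets each finding to its recommended action."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    lines += [f'"{sid}"=dword:{wanted:08x}' for sid, _label, _have, wanted in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = audit(SAMPLE_EXPORT)
    for sid, label, have, wanted in findings:
        print(f"{sid} {label}: {ACTION[have]} -> {ACTION[wanted]}")
    print(remediation_reg(findings))
```

To check a real export, replace SAMPLE_EXPORT with `open("zone3.reg", encoding="utf-16").read()` (reg export writes a Unicode file), review the printed differences, and only then import the generated fragment with regedit. Running audit() again on the export plus the fragment should return an empty list.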

Larry,

Thank you so much for your help! I have a few further questions for you. I already installed Malwarebytes Pro. My understanding is that this is to run in addition to an AV program. I'd love to know your suggestion(s) for a good AV program. Does Malwarebytes Pro also function as a firewall or do I also need an additional firewall program? I do not generally run Windows IE except in rare circumstances when it is the only browser that can do the particular task. I normally use Firefox. Are there settings in Firefox that I should adjust for more secure browsing?

A couple years ago this laptop that I have been using to communicate with you got infected with some sort of virus or malware (with AV software running) and within a few days died, unable to reboot. I was unable to reformat the hard drive, so I purchased a new hard drive and reinstalled the original OS (XP Pro) and software that came with the computer. It still has issues. I keep Windows explorer open at all times because my cursor will become inoperable (can move it but left and right mouse buttons will not do anything) but if I switch to Windows Explorer and move around in it with the arrow keys, I can alt-tab back to my previous window and the mouse buttons are active once again. I downloaded Malwarebytes onto this computer also, but it did not find anything on either a quick or full scan. Does this sound to you like I could still be infected somewhere other than the hard drive, or is this even possible?

Once again, thank you so much for your valuable help.

Danny


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.