RickWeaver, posted March 4, 2012 (ID:532508)

I have MB Pro and have scanned and cleaned but I still have re-directs and other warnings. I am getting a lot of outgoing malicious websites being blocked. Thanks for helping, here are the dds and attach logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 18:45:50 on 2012-03-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.480 [GMT -6:00]
.
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\TRENDnet\TEW-649UB\WlanCU.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dogpile.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111018140631.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-649ub\WlanCU.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237586612703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{281678F0-3FF4-427B-891A-6BFB7FD89A7D} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3482D92F-2B8A-4733-A203-0658E54E932A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D35D11C8-9B88-4D54-A627-5BD8E9C9A241} : DhcpNameServer = 192.168.0.8 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt.
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4zhz37dx.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-18 436728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-10-18 88544]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-14 652360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-10-18 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-5-19 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2012-3-3 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-14 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-18 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-18 58456]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [2012-3-3 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WLSVC;WLSVC;c:\program files\trendnet\tew-649ub\WLSVC.exe [2012-3-3 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-18 85152]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-20 50704]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-04 00:23:06  21361  ----a-w-  c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23:01  --------  d-----w-  c:\program files\TRENDnet
2012-03-03 20:57:16  376832  ----a-w-  c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57:07  20480  ----a-w-  c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57:05  588032  ----a-w-  c:\windows\system32\drivers\RTL8192su.sys
2012-02-09 13:43:40  --------  d-----w-  c:\windows\system32\wbem\repository\FS
2012-02-09 13:43:39  --------  d-----w-  c:\windows\system32\wbem\Repository
2012-02-08 14:29:40  --------  d-----w-  c:\documents and settings\administrator\local settings\application data\Identities
2012-02-08 14:29:27  --------  d-----w-  c:\documents and settings\administrator\application data\Omiv
2012-02-08 14:29:27  --------  d-----w-  c:\documents and settings\administrator\application data\Inegy
2012-02-05 14:23:00  0  --sha-w-  c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2011-12-20 14:40:23  50704  ----a-w-  c:\windows\system32\drivers\npf.sys
2011-12-20 14:40:23  281104  ----a-w-  c:\windows\system32\wpcap.dll
2011-12-20 14:40:23  100880  ----a-w-  c:\windows\system32\Packet.dll
2011-12-10 21:24:06  20464  ----a-w-  c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBA2ABFC0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C5AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DB6C78]
\Driver\00000796[0x89DB8880] -> IRP_MJ_CREATE -> 0xBA2ABFC0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D3A2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:48:16.48 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/20/2009 2:48:17 PM
System Uptime: 3/3/2012 6:16:06 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0HX555
Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | CPU | 2327/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 57.849 GiB free.
D: is CDROM (CDFS)
Z: is NetworkDisk (NTFS) - 931 GiB total, 508.82 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Intel® Active Management Technology - SOL
Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Manufacturer: Intel
Name: Intel® Active Management Technology - SOL (COM3)
PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Service: Serial
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial
.
==== System Restore Points ===================
.
RP77: 12/5/2011 8:06:38 AM - System Checkpoint
RP78: 12/6/2011 8:55:45 AM - System Checkpoint
RP79: 12/7/2011 9:34:23 AM - System Checkpoint
RP80: 12/8/2011 11:06:35 AM - System Checkpoint
RP81: 12/9/2011 11:16:49 AM - System Checkpoint
RP82: 12/12/2011 8:10:50 AM - System Checkpoint
RP83: 12/13/2011 8:52:52 AM - System Checkpoint
RP84: 12/14/2011 8:58:43 AM - System Checkpoint
RP85: 12/15/2011 9:42:36 AM - System Checkpoint
RP86: 12/15/2011 4:27:16 PM - Software Distribution Service 3.0
RP87: 12/16/2011 12:31:17 PM - Software Distribution Service 3.0
RP88: 12/16/2011 2:57:16 PM - Restore Operation
RP89: 12/16/2011 3:09:12 PM - Restore Operation
RP90: 12/17/2011 9:47:42 AM - Restore Operation
RP91: 12/17/2011 9:49:49 AM - Restore Operation
RP92: 12/17/2011 11:55:13 AM - Software Distribution Service 3.0
RP93: 12/19/2011 9:25:43 AM - System Checkpoint
RP94: 12/20/2011 11:27:56 AM - System Checkpoint
RP95: 12/21/2011 11:56:46 AM - System Checkpoint
RP96: 12/27/2011 11:23:08 AM - System Checkpoint
RP97: 12/28/2011 1:45:29 PM - System Checkpoint
RP98: 12/29/2011 2:45:12 PM - System Checkpoint
RP99: 1/3/2012 10:49:09 AM - System Checkpoint
RP100: 1/5/2012 9:33:21 AM - System Checkpoint
RP101: 1/6/2012 9:49:42 AM - System Checkpoint
RP102: 1/9/2012 8:35:48 AM - System Checkpoint
RP103: 1/10/2012 4:23:16 PM - Software Distribution Service 3.0
RP104: 1/11/2012 7:36:38 AM - Software Distribution Service 3.0
RP105: 1/11/2012 4:34:33 PM - Software Distribution Service 3.0
RP106: 1/13/2012 2:20:07 PM - System Checkpoint
RP107: 1/16/2012 9:01:17 AM - System Checkpoint
RP108: 1/17/2012 2:04:06 PM - System Checkpoint
RP109: 1/17/2012 4:24:59 PM - Software Distribution Service 3.0
RP110: 1/19/2012 9:12:36 AM - System Checkpoint
RP111: 1/23/2012 10:00:50 AM - System Checkpoint
RP112: 1/25/2012 11:10:59 AM - System Checkpoint
RP113: 1/26/2012 12:01:32 PM - System Checkpoint
RP114: 1/30/2012 7:33:50 AM - System Checkpoint
RP115: 1/31/2012 1:43:49 PM - System Checkpoint
RP116: 2/2/2012 7:35:27 AM - System Checkpoint
RP117: 2/4/2012 7:58:58 AM - System Checkpoint
RP118: 2/4/2012 8:06:23 AM - Restore Operation
RP119: 2/9/2012 7:41:07 AM - Restore Operation
RP120: 2/9/2012 7:42:35 AM - Restore Operation
RP121: 2/13/2012 8:04:28 AM - Restore Operation
RP122: 3/3/2012 2:35:46 PM - Restore Operation
RP123: 3/3/2012 2:46:10 PM - Restore Operation
RP124: 3/3/2012 2:57:05 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP125: 3/3/2012 2:59:18 PM - Unsigned driver install
RP126: 3/3/2012 6:22:22 PM - Removed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP127: 3/3/2012 6:23:00 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP128: 3/3/2012 6:24:19 PM - Unsigned driver install
.
==== Hosts File Hijack ======================
.
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.statcounter.com.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
AnalogX POW!
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom Gigabit Integrated Controller
CDBurnerXP
Cole2k Media - Codec Pack (Standard) 6.0.9
Critical Update for Windows Media Player 11 (KB959772)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® PRO Network Connections Drivers
Intel® Active Management Technology
Java 6 Update 24
K-Lite Codec Pack 7.1.0 (Full)
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0.1 (x86 en-US)
OpenOffice.org 3.3
Picasa 3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SoundMAX
TRENDnet TEW-649UB Wireless N speed USB Adapter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.9
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell 1.0 MUI pack
WinRAR 4.00 (32-bit)
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
3/3/2012 6:21:01 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
3/3/2012 6:21:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402
3/3/2012 6:16:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/3/2012 5:21:00 PM, error: Schedule [7901] - The At84.job command failed to start due to the following error: %%2147942402
3/3/2012 5:21:00 PM, error: Schedule [7901] - The At83.job command failed to start due to the following error: %%2147942402
3/3/2012 4:21:00 PM, error: Schedule [7901] - The At82.job command failed to start due to the following error: %%2147942402
3/3/2012 4:21:00 PM, error: Schedule [7901] - The At81.job command failed to start due to the following error: %%2147942402
3/3/2012 3:21:00 PM, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402
3/3/2012 3:21:00 PM, error: Schedule [7901] - The At79.job command failed to start due to the following error: %%2147942402
3/3/2012 2:52:46 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
3/3/2012 2:37:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2012 2:36:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
3/3/2012 2:36:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
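The DDS and Attach logs above both flag a hosts-file hijack: www.google-analytics.com, ad-emea.doubleclick.net and www.statcounter.com are mapped to 66.197.194.231 and 69.72.252.254, so any page that loads those scripts fetches them from whatever answers at those addresses instead of the real hosts, before DNS is ever consulted. The script below is an added example written for this thread (it is not DDS, RogueKiller or Malwarebytes code) that audits a hosts file the way a triage tool does: it parses every mapping, ignores the stock localhost lines and null-routed names, and groups the remaining redirects by destination address. The sample hosts file embedded in it is constructed from the entries the logs report; the rules for what counts as benign are this example's own choices.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterator

# Constructed sample hosts file: the two stock localhost lines plus the
# redirect entries DDS and RogueKiller reported in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
66.197.194.231 www.google-analytics.com.
66.197.194.231 ad-emea.doubleclick.net.
66.197.194.231 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.
"""


def parse_hosts(text: str) -> Iterator[tuple[int, ipaddress.IPv4Address | ipaddress.IPv6Address, str]]:
    """Yield (line_no, address, hostname) for every mapping in a hosts file.

    Comments (# ...) and blank lines are skipped; one line may map several
    names to an address, and a trailing dot (present in the entries above)
    is stripped so names compare equal to their canonical form.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        for name in fields[1:]:
            yield line_no, addr, name.rstrip(".").lower()


def find_hijacks(text: str) -> list[dict]:
    """Return every mapping that sends a name somewhere other than loopback.

    A name pointed at a routable address is resolved from this file before
    DNS is asked, so traffic for that name is delivered to the address
    silently. Loopback/unspecified targets (the stock localhost lines, or a
    name deliberately null-routed) are treated as benign here.
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append({"line": line_no, "address": str(addr), "host": name})
    return findings


def summarize(findings: list[dict]) -> dict[str, list[str]]:
    """Group redirected names by the address they are sent to."""
    by_addr: dict[str, list[str]] = {}
    for f in findings:
        by_addr.setdefault(f["address"], []).append(f["host"])
    return by_addr


if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_HOSTS)
    print(f"{len(hits)} redirected name(s)")
    for addr, names in summarize(hits).items():
        print(f"  {addr} <- {', '.join(names)}")
```

On a live XP box the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; read it with the tools running from Safe Mode, since, as the later posts show, the rootkit can block executables and interpose on reads while Windows is running normally.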
MrCharlie, posted March 6, 2012 (ID:533105)

Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options).
Post back the report.

MrC
RickWeaver, posted March 11, 2012 (ID:533939)

MrC,
I have tried to run RogueKiller but it keeps rebooting the computer when it says it is reading the MBR. What should I try next?
RickWeaver, posted March 11, 2012 (ID:533941)

OK, I ran RogueKiller in Safe Mode and it completed with the following report:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Administrator [Admin rights]
Mode: Scan -- Date: 03/10/2012 18:40:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] afd.sys : c:\windows\system32\drivers\afd.sys --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
66.197.194.231 www.google-analytics.com.
66.197.194.231 ad-emea.doubleclick.net.
66.197.194.231 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a456f312c0e435782971f94dba7cdfdf
[BSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c3cb072bf8e200fb802e1b0e690e1a00
[BSP] eee50617a5d37a043311c472ae6d4d37 : PiHar MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
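The MBR Check section of the RogueKiller report is the decisive finding in this thread: the sector returned to a user-mode read (hash a456f312...) is not the sector returned by RogueKiller's second low-level path (c3cb072b..., flagged as PiHar MBR code), while the partition table is identical in both. A filter in the disk stack (the GMER trace in the first post already showed an unknown module at 0xBA2ABFC0 and a hooked \Driver\atapi DriverStartIo) hands back a clean-looking sector to ordinary readers and keeps the real one hidden. The example below is added code written for this thread, not RogueKiller's own implementation, and it does not claim to reproduce RogueKiller's [MBR]/[BSP] hash values: it parses a 512-byte MBR, fingerprints it, and compares the same sector as seen through several labelled read paths, reporting which paths disagree and whether the partition table still matches. The fixtures are constructed: the "clean" boot code begins with the instructions GMER disassembled from this machine's kernel-read MBR (stock XP code), the "hidden" code is arbitrary filler standing in for a tampered loader (not real ZeroAccess/PiHar code), and the single partition entry uses the values the reports above show (active NTFS at sector 63, 0x950283F sectors from the TDSSKiller log, which works out to the 76293 MB RogueKiller prints).

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # code area before the 4-byte disk signature at 0x1B8
PART_TABLE_OFF = 446     # four 16-byte entries at 0x1BE..0x1FD
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"  # status, CHS start(3), type, CHS end(3), start LBA, sector count


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def size_mib(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def parse_partition_table(mbr: bytes) -> list[Partition]:
    """Decode the four primary entries; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid 512-byte MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def build_mbr(boot_code: bytes, parts: list[Partition]) -> bytes:
    """Assemble a 512-byte MBR fixture (test data builder, not real boot code)."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[: len(code)] = code
    for p in parts:
        off = PART_TABLE_OFF + p.index * PART_ENTRY_LEN
        struct.pack_into(ENTRY_FMT, sector, off, 0x80 if p.bootable else 0,
                         p.type_id, p.start_lba, p.sectors)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def mbr_fingerprint(mbr: bytes) -> dict[str, str]:
    """Hash the code area and the whole sector separately (this example's own scheme)."""
    return {
        "code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(mbr).hexdigest(),
    }


def compare_reads(reads: dict[str, bytes]) -> dict[str, object]:
    """Compare one sector as returned through several read paths.

    `reads` maps a path label (e.g. "user", "ll1", "ll2") to the bytes that
    path returned. The first label is the reference. A mismatch between
    paths is the signal: a rootkit in the disk stack can answer user-mode
    reads with a clean sector while the real on-disk sector differs, and it
    will usually keep the partition table intact so the system still boots.
    """
    labels = list(reads)
    reference = labels[0]
    tables = {k: parse_partition_table(v) for k, v in reads.items()}
    mismatched = [k for k in labels[1:] if reads[k] != reads[reference]]
    return {
        "reference": reference,
        "mismatched": mismatched,
        "consistent": not mismatched,
        "same_partition_table": all(tables[k] == tables[reference] for k in labels[1:]),
        "fingerprints": {k: mbr_fingerprint(v) for k, v in reads.items()},
    }


# Constructed fixtures (see lead-in): stock XP MBR prologue as GMER disassembled it,
# zero-padded; the hidden variant is arbitrary filler, not real malware code.
XP_MBR_PREFIX = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7cbf1b065057b9e501f3a4cb")
SYSTEM_PARTITION = Partition(0, True, 0x07, 63, 0x950283F)
CLEAN_MBR = build_mbr(XP_MBR_PREFIX.ljust(BOOT_CODE_LEN, b"\x00"), [SYSTEM_PARTITION])
HIDDEN_MBR = build_mbr(b"\xeb\x3c\x90" + bytes(range(256)) + bytes(181), [SYSTEM_PARTITION])


if __name__ == "__main__":
    result = compare_reads({"user": CLEAN_MBR, "ll1": CLEAN_MBR, "ll2": HIDDEN_MBR})
    for label, fp in result["fingerprints"].items():
        print(f"{label:>4}: code {fp['code_md5']}  sector {fp['sector_md5']}")
    print("mismatched paths:", result["mismatched"],
          "| partition table identical:", result["same_partition_table"])
    for p in parse_partition_table(CLEAN_MBR):
        print(f"partition {p.index}: type 0x{p.type_id:02x} start {p.start_lba} size {p.size_mib} MiB")
```

The check only works if at least one read path bypasses whatever the rootkit hooks, which is why RogueKiller reads the drive more than one way and why it rebooted when run normally on this machine but completed from Safe Mode.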
MrCharlie, posted March 11, 2012 (ID:534001)

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Read this warning and let me know what you would like to do.

Removing this infection can also disable the ability to connect to the internet which may result in a repair install.

-----------------------

If you wish to continue.............

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC
RickWeaver Posted March 11, 2012 Author ID:534011

Again I had to run in Safe Mode (the "Internet Security" fake alert keeps popping up and no executables will run). Here is the log report:

09:36:11.0578 1916 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
09:36:11.0625 1916 ============================================================
09:36:11.0625 1916 Current date / time: 2012/03/11 09:36:11.0625
09:36:11.0625 1916 SystemInfo:
09:36:11.0625 1916
09:36:11.0625 1916 OS Version: 5.1.2600 ServicePack: 3.0
09:36:11.0625 1916 Product type: Workstation
09:36:11.0625 1916 ComputerName: VALUED-CUSTOMER
09:36:11.0625 1916 UserName: Administrator
09:36:11.0625 1916 Windows directory: C:\WINDOWS
09:36:11.0625 1916 System windows directory: C:\WINDOWS
09:36:11.0625 1916 Processor architecture: Intel x86
09:36:11.0625 1916 Number of processors: 2
09:36:11.0625 1916 Page size: 0x1000
09:36:11.0625 1916 Boot type: Safe boot with network
09:36:11.0625 1916 ============================================================
09:36:13.0234 1916 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:36:13.0234 1916 Drive \Device\Harddisk1\DR2 - Size: 0xF4FD1C00 (3.83 Gb), SectorSize: 0x200, Cylinders: 0x1F3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
09:36:13.0234 1916 \Device\Harddisk0\DR0:
09:36:13.0234 1916 MBR used
09:36:13.0234 1916 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950283F
09:36:13.0234 1916 \Device\Harddisk1\DR2:
09:36:13.0234 1916 MBR used
09:36:13.0234 1916 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x7A7E4F
09:36:13.0281 1916 Initialize success
09:36:13.0281 1916 ============================================================
09:36:25.0234 1468 ============================================================
09:36:25.0234 1468 Scan started
09:36:25.0234 1468 Mode: Manual; SigCheck; TDLFS;
09:36:25.0234 1468 ============================================================
09:36:26.0312 1468 Abiosdsk - ok
09:36:26.0328 1468 abp480n5 - ok
09:36:26.0390 1468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\ACPI.sys
09:36:26.0625 1468 ACPI - ok
09:36:26.0687 1468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:36:26.0765 1468 ACPIEC - ok
09:36:26.0828 1468 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
09:36:26.0890 1468 ADIHdAudAddService - ok
09:36:26.0906 1468 adpu160m - ok
09:36:26.0968 1468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:36:27.0046 1468 aec - ok
09:36:27.0078 1468 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
09:36:27.0093 1468 AegisP ( UnsignedFile.Multi.Generic ) - warning
09:36:27.0093 1468 AegisP - detected UnsignedFile.Multi.Generic (1)
09:36:27.0140 1468 AFD (1d495ee1d3a836801d1fd816ff4a93f9) C:\WINDOWS\System32\drivers\afd.sys
09:36:27.0140 1468 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 1d495ee1d3a836801d1fd816ff4a93f9, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
09:36:27.0140 1468 AFD ( Virus.Win32.ZAccess.c ) - infected
09:36:27.0140 1468 AFD - detected Virus.Win32.ZAccess.c (0)
09:36:27.0156 1468 Aha154x - ok
09:36:27.0171 1468 aic78u2 - ok
09:36:27.0187 1468 aic78xx - ok
09:36:27.0203 1468 AliIde - ok
09:36:27.0218 1468 amsint - ok
09:36:27.0250 1468 asc - ok
09:36:27.0265 1468 asc3350p - ok
09:36:27.0265 1468 asc3550 - ok
09:36:27.0359 1468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:36:27.0437 1468 AsyncMac - ok
09:36:27.0515 1468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
09:36:27.0578 1468 atapi - ok
09:36:27.0593 1468 Atdisk - ok
09:36:27.0687 1468 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:36:27.0812 1468 ati2mtag - ok
09:36:27.0953 1468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:36:28.0031 1468 Atmarpc - ok
09:36:28.0093 1468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:36:28.0171 1468 audstub - ok
09:36:28.0218 1468 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
09:36:28.0265 1468 b57w2k - ok
09:36:28.0312 1468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:36:28.0375 1468 Beep - ok
09:36:28.0437 1468 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
09:36:28.0484 1468 BrScnUsb - ok
09:36:28.0500 1468 BrSerIf (1a5fc78e41840edf79d65ec16eff2787) C:\WINDOWS\system32\Drivers\BrSerIf.sys
09:36:28.0562 1468 BrSerIf - ok
09:36:28.0578 1468 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
09:36:28.0578 1468 BrUsbSer - ok
09:36:28.0609 1468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:36:28.0703 1468 cbidf2k - ok
09:36:28.0718 1468 cd20xrnt - ok
09:36:28.0765 1468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:36:28.0843 1468 Cdaudio - ok
09:36:28.0859 1468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:36:28.0953 1468 Cdfs - ok
09:36:29.0000 1468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:36:29.0078 1468 Cdrom - ok
09:36:29.0093 1468 Changer - ok
09:36:29.0125 1468 CmdIde - ok
09:36:29.0156 1468 Cpqarray - ok
09:36:29.0187 1468 dac2w2k - ok
09:36:29.0203 1468 dac960nt - ok
09:36:29.0250 1468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:36:29.0312 1468 Disk - ok
09:36:29.0359 1468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:36:29.0468 1468 dmboot - ok
09:36:29.0500 1468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:36:29.0578 1468 dmio - ok
09:36:29.0578 1468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:36:29.0656 1468 dmload - ok
09:36:29.0734 1468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:36:29.0812 1468 DMusic - ok
09:36:29.0828 1468 dpti2o - ok
09:36:29.0875 1468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:36:29.0937 1468 drmkaud - ok
09:36:29.0984 1468 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
09:36:30.0187 1468 e1express - ok
09:36:30.0328 1468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:36:30.0406 1468 Fastfat - ok
09:36:30.0453 1468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
09:36:30.0531 1468 Fdc - ok
09:36:30.0578 1468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:36:30.0656 1468 Fips - ok
09:36:30.0671 1468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:36:30.0750 1468 Flpydisk - ok
09:36:30.0796 1468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:36:30.0875 1468 FltMgr - ok
09:36:30.0906 1468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:36:31.0000 1468 Fs_Rec - ok
09:36:31.0046 1468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:36:31.0125 1468 Ftdisk - ok
09:36:31.0140 1468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:36:31.0203 1468 Gpc - ok
09:36:31.0265 1468 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:36:31.0328 1468 HDAudBus - ok
09:36:31.0375 1468 HECI (0bf1d760b05caaaf231123d53c4789e2) C:\WINDOWS\system32\DRIVERS\HECI.sys
09:36:31.0421 1468 HECI - ok
09:36:31.0468 1468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:36:31.0546 1468 hidusb - ok
09:36:31.0562 1468 hpn - ok
09:36:31.0625 1468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:36:31.0687 1468 HTTP - ok
09:36:31.0703 1468 i2omgmt - ok
09:36:31.0718 1468 i2omp - ok
09:36:31.0781 1468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
09:36:31.0859 1468 i8042prt - ok
09:36:32.0062 1468 ialm (bd9462e346229f37fd5b95fbcb6d3d34) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
09:36:32.0406 1468 ialm - ok
09:36:32.0546 1468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:36:32.0625 1468 Imapi - ok
09:36:32.0640 1468 ini910u - ok
09:36:32.0671 1468 IntelIde - ok
09:36:32.0718 1468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\drivers\intelppm.sys
09:36:32.0796 1468 intelppm - ok
09:36:32.0828 1468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:36:32.0890 1468 Ip6Fw - ok
09:36:32.0937 1468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:36:33.0015 1468 IpFilterDriver - ok
09:36:33.0015 1468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:36:33.0093 1468 IpInIp - ok
09:36:33.0109 1468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:36:33.0187 1468 IpNat - ok
09:36:33.0250 1468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:36:33.0312 1468 IPSec - ok
09:36:33.0359 1468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:36:33.0406 1468 IRENUM - ok
09:36:33.0437 1468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\drivers\isapnp.sys
09:36:33.0531 1468 isapnp - ok
09:36:33.0546 1468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:36:33.0625 1468 Kbdclass - ok
09:36:33.0640 1468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:36:33.0703 1468 kbdhid - ok
09:36:33.0765 1468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:36:33.0843 1468 kmixer - ok
09:36:33.0875 1468 KMWDFILTER (566c5fd480fdbce3ba5cf9fbcffaea9a) C:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys
09:36:33.0953 1468 KMWDFILTER - ok
09:36:33.0984 1468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:36:34.0062 1468 KSecDD - ok
09:36:34.0078 1468 lbrtfdc - ok
09:36:34.0140 1468 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
09:36:34.0156 1468 MBAMProtector - ok
09:36:34.0250 1468 mfeapfk (c0d975d64c1af8057f2d75b1297a6979) C:\WINDOWS\system32\drivers\mfeapfk.sys
09:36:34.0265 1468 mfeapfk - ok
09:36:34.0312 1468 mfeavfk (c169326049a8a03d5f905b34f5a65f8c) C:\WINDOWS\system32\drivers\mfeavfk.sys
09:36:34.0328 1468 mfeavfk - ok
09:36:34.0343 1468 mfebopk (50b0253b2484a306a20d8695c5ae5858) C:\WINDOWS\system32\drivers\mfebopk.sys
09:36:34.0359 1468 mfebopk - ok
09:36:34.0500 1468 mfehidk (188b40866db2ab8ef262febc65291687) C:\WINDOWS\system32\drivers\mfehidk.sys
09:36:34.0531 1468 mfehidk - ok
09:36:34.0562 1468 mferkdet (c1b30af2e18e69bf8ceb39b33f32d3c1) C:\WINDOWS\system32\drivers\mferkdet.sys
09:36:34.0578 1468 mferkdet - ok
09:36:34.0625 1468 mfetdi2k (97ef4ca122ddda4781ff557e65dfb262) C:\WINDOWS\system32\drivers\mfetdi2k.sys
09:36:34.0640 1468 mfetdi2k - ok
09:36:34.0703 1468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:36:34.0765 1468 mnmdd - ok
09:36:34.0812 1468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:36:34.0906 1468 Modem - ok
09:36:34.0921 1468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:36:35.0015 1468 Mouclass - ok
09:36:35.0062 1468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:36:35.0140 1468 mouhid - ok
09:36:35.0156 1468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:36:35.0218 1468 MountMgr - ok
09:36:35.0234 1468 mraid35x - ok
09:36:35.0265 1468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:36:35.0328 1468 MRxDAV - ok
09:36:35.0390 1468 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:36:35.0468 1468 MRxSmb - ok
09:36:35.0531 1468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:36:35.0593 1468 Msfs - ok
09:36:35.0625 1468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:36:35.0687 1468 MSKSSRV - ok
09:36:35.0703 1468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:36:35.0765 1468 MSPCLOCK - ok
09:36:35.0781 1468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:36:35.0875 1468 MSPQM - ok
09:36:35.0921 1468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:36:36.0000 1468 mssmbios - ok
09:36:36.0031 1468 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:36:36.0062 1468 Mup - ok
09:36:36.0078 1468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:36:36.0171 1468 NDIS - ok
09:36:36.0218 1468 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:36:36.0250 1468 NdisTapi - ok
09:36:36.0296 1468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:36:36.0390 1468 Ndisuio - ok
09:36:36.0390 1468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:36:36.0500 1468 NdisWan - ok
09:36:36.0609 1468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:36:36.0687 1468 NDProxy - ok
09:36:36.0734 1468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:36:36.0812 1468 NetBIOS - ok
09:36:36.0875 1468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:36:36.0953 1468 NetBT - ok
09:36:37.0062 1468 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
09:36:37.0078 1468 NPF - ok
09:36:37.0093 1468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:36:37.0156 1468 Npfs - ok
09:36:37.0203 1468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:36:37.0281 1468 Ntfs - ok
09:36:37.0343 1468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:36:37.0406 1468 Null - ok
09:36:37.0468 1468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:36:37.0546 1468 NwlnkFlt - ok
09:36:37.0562 1468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:36:37.0656 1468 NwlnkFwd - ok
09:36:37.0687 1468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:36:37.0765 1468 Parport - ok
09:36:37.0781 1468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:36:37.0843 1468 PartMgr - ok
09:36:37.0906 1468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:36:38.0000 1468 ParVdm - ok
09:36:38.0031 1468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\drivers\pci.sys
09:36:38.0093 1468 PCI - ok
09:36:38.0109 1468 PCIDump - ok
09:36:38.0125 1468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\pciide.sys
09:36:38.0187 1468 PCIIde - ok
09:36:38.0218 1468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:36:38.0296 1468 Pcmcia - ok
09:36:38.0312 1468 PDCOMP - ok
09:36:38.0328 1468 PDFRAME - ok
09:36:38.0343 1468 PDRELI - ok
09:36:38.0359 1468 PDRFRAME - ok
09:36:38.0359 1468 perc2 - ok
09:36:38.0375 1468 perc2hib - ok
09:36:38.0453 1468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:36:38.0531 1468 PptpMiniport - ok
09:36:38.0546 1468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:36:38.0625 1468 PSched - ok
09:36:38.0671 1468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:36:38.0750 1468 Ptilink - ok
09:36:38.0765 1468 ql1080 - ok
09:36:38.0781 1468 Ql10wnt - ok
09:36:38.0796 1468 ql12160 - ok
09:36:38.0796 1468 ql1240 - ok
09:36:38.0812 1468 ql1280 - ok
09:36:38.0828 1468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:36:38.0906 1468 RasAcd - ok
09:36:38.0921 1468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:36:39.0000 1468 Rasl2tp - ok
09:36:39.0015 1468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:36:39.0093 1468 RasPppoe - ok
09:36:39.0203 1468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:36:39.0265 1468 Raspti - ok
09:36:39.0296 1468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:36:39.0375 1468 Rdbss - ok
09:36:39.0390 1468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:36:39.0453 1468 RDPCDD - ok
09:36:39.0500 1468 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:36:39.0578 1468 rdpdr - ok
09:36:39.0625 1468 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:36:39.0703 1468 RDPWD - ok
09:36:39.0750 1468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:36:39.0812 1468 redbook - ok
09:36:39.0890 1468 RTL8192su (7bfdf13721f0366212ab8e94361a05bd) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
09:36:39.0921 1468 RTL8192su ( UnsignedFile.Multi.Generic ) - warning
09:36:39.0921 1468 RTL8192su - detected UnsignedFile.Multi.Generic (1)
09:36:39.0984 1468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:36:40.0015 1468 Secdrv - ok
09:36:40.0031 1468 senfilt - ok
09:36:40.0046 1468 SenFiltService - ok
09:36:40.0109 1468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:36:40.0187 1468 serenum - ok
09:36:40.0203 1468 Serial - ok
09:36:40.0265 1468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
09:36:40.0343 1468 Sfloppy - ok
09:36:40.0375 1468 Simbad - ok
09:36:40.0437 1468 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
09:36:40.0515 1468 smwdm - ok
09:36:40.0515 1468 Sparrow - ok
09:36:40.0562 1468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:36:40.0625 1468 splitter - ok
09:36:40.0687 1468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:36:40.0734 1468 sr - ok
09:36:40.0796 1468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:36:40.0875 1468 Srv - ok
09:36:41.0000 1468 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys
09:36:41.0000 1468 StarOpen ( UnsignedFile.Multi.Generic ) - warning
09:36:41.0000 1468 StarOpen - detected UnsignedFile.Multi.Generic (1)
09:36:41.0015 1468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:36:41.0125 1468 swenum - ok
09:36:41.0140 1468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:36:41.0218 1468 swmidi - ok
09:36:41.0234 1468 symc810 - ok
09:36:41.0250 1468 symc8xx - ok
09:36:41.0265 1468 sym_hi - ok
09:36:41.0281 1468 sym_u3 - ok
09:36:41.0296 1468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:36:41.0359 1468 sysaudio - ok
09:36:41.0437 1468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:36:41.0515 1468 Tcpip - ok
09:36:41.0562 1468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:36:41.0671 1468 TDPIPE - ok
09:36:41.0687 1468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:36:41.0765 1468 TDTCP - ok
09:36:41.0796 1468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:36:41.0859 1468 TermDD - ok
09:36:41.0890 1468 TosIde - ok
09:36:41.0953 1468 TrueSight (0455d57c7fdb1252784202f2f7deb1d5) c:\windows\system32\drivers\TrueSight.sys
09:36:41.0968 1468 TrueSight ( UnsignedFile.Multi.Generic ) - warning
09:36:41.0968 1468 TrueSight - detected UnsignedFile.Multi.Generic (1)
09:36:42.0015 1468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:36:42.0109 1468 Udfs - ok
09:36:42.0125 1468 ultra - ok
09:36:42.0187 1468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:36:42.0265 1468 Update - ok
09:36:42.0312 1468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:36:42.0390 1468 usbccgp - ok
09:36:42.0437 1468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:36:42.0500 1468 usbehci - ok
09:36:42.0515 1468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:36:42.0593 1468 usbhub - ok
09:36:42.0640 1468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:36:42.0718 1468 usbprint - ok
09:36:42.0781 1468 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:36:42.0843 1468 USBSTOR - ok
09:36:42.0890 1468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:36:42.0968 1468 usbuhci - ok
09:36:43.0015 1468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:36:43.0093 1468 VgaSave - ok
09:36:43.0187 1468 ViaIde - ok
09:36:43.0250 1468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:36:43.0328 1468 VolSnap - ok
09:36:43.0375 1468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:36:43.0437 1468 Wanarp - ok
09:36:43.0453 1468 WDICA - ok
09:36:43.0500 1468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:36:43.0578 1468 wdmaud - ok
09:36:43.0671 1468 WLNdis50 (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys
09:36:43.0671 1468 WLNdis50 ( UnsignedFile.Multi.Generic ) - warning
09:36:43.0671 1468 WLNdis50 - detected UnsignedFile.Multi.Generic (1)
09:36:43.0796 1468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:36:43.0890 1468 WudfPf - ok
09:36:43.0921 1468 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:36:43.0937 1468 WudfRd - ok
09:36:43.0984 1468 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
09:36:44.0015 1468 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
09:36:44.0015 1468 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
09:36:44.0031 1468 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:36:44.0031 1468 \Device\Harddisk0\DR0 - detected TDSS File System (1)
09:36:44.0062 1468 Boot (0x1200) (694888c52288f863f3f9db47415c92fa) \Device\Harddisk0\DR0\Partition0
09:36:44.0062 1468 \Device\Harddisk0\DR0\Partition0 - ok
09:36:44.0078 1468 ============================================================
09:36:44.0078 1468 Scan finished
09:36:44.0078 1468 ============================================================
09:36:44.0203 1344 Detected object count: 8
09:36:44.0203 1344 Actual detected object count: 8
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:36.0375 1344 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine
09:39:36.0500 1344 Backup copy found, using it..
09:39:36.0515 1344 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
09:39:38.0562 1344 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure
09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:39.0046 1344 \Device\Harddisk0\DR0\# - copied to quarantine
09:39:39.0046 1344 \Device\Harddisk0\DR0 - copied to quarantine
09:39:39.0062 1344 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
09:39:39.0234 1344 \Device\Harddisk0\DR0 - ok
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:39:47.0343 1848 Deinitialize success
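A small triage script for a TDSSKiller log like the one above, added here as an example; it is not part of the thread and not Kaspersky's code. It pulls the infected/warning verdicts, the action the operator chose for each, and the forged-hash line (two different MD5s reported for one driver file, which is the tell that something sits between the file and whoever reads it) out of the log text, then checks the choices against the instructions MrC gave: Cure for malicious objects, Skip for the UnsignedFile/LockedFile generics, never Delete. The line shapes come from the log posted above; SAMPLE_LOG is a constructed subset of that log, and the regex and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the entries from the log posted above, in the line shape
# TDSSKiller writes. Embedded so the script runs offline; feed parse_tdsskiller_log() the
# text of a real TDSSKiller.[Version]_[Date]_[Time]_log.txt for a full run.
SAMPLE_LOG = r"""
09:36:27.0093 1468 AegisP ( UnsignedFile.Multi.Generic ) - warning
09:36:27.0093 1468 AegisP - detected UnsignedFile.Multi.Generic (1)
09:36:27.0140 1468 AFD (1d495ee1d3a836801d1fd816ff4a93f9) C:\WINDOWS\System32\drivers\afd.sys
09:36:27.0140 1468 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 1d495ee1d3a836801d1fd816ff4a93f9, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
09:36:27.0140 1468 AFD ( Virus.Win32.ZAccess.c ) - infected
09:36:44.0015 1468 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
09:36:44.0031 1468 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:36:44.0078 1468 Scan finished
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:36.0515 1344 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
09:39:38.0562 1344 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# "<time> <pid> <object> ( <signature> ) - <verdict or action>"
VERDICT_RE = re.compile(r"^\S+ \d+ (?P<obj>.+?) \( (?P<sig>.+?) \) - (?P<rest>.+)$")
# "<time> <pid> <service> (<md5>) <path>" ties a service name to the file it loads
SERVICE_RE = re.compile(r"^\S+ \d+ (?P<svc>\S+) \([0-9a-f]{32}\) (?P<path>.+)$")
# The line TDSSKiller writes when two reads of one file disagree on its hash
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)

# Per the instructions in the thread: these generic warnings are skipped, not cured or deleted.
SKIP_ONLY = {"UnsignedFile.Multi.Generic", "LockedFile.Multi.Generic"}


@dataclass
class Detection:
    obj: str                                      # service name or device path
    signature: str
    verdict: str                                  # "infected" or "warning"
    action: Optional[str] = None                  # operator's choice, if the log got that far
    forged_md5: Optional[Tuple[str, str]] = None  # (real, fake) when two hashes were reported


def parse_tdsskiller_log(text: str) -> Dict[Tuple[str, str], Detection]:
    """Collect every infected/warning verdict, the action taken on it, and forged-hash evidence."""
    detections: Dict[Tuple[str, str], Detection] = {}
    service_paths: Dict[str, str] = {}
    forged: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FORGED_RE.search(line)
        if m:
            forged[m["path"].lower()] = (m["real"], m["fake"])
            continue
        m = SERVICE_RE.match(line)
        if m:
            service_paths[m["svc"]] = m["path"]
            continue
        m = VERDICT_RE.match(line)
        if not m:
            continue
        key = (m["obj"], m["sig"])
        rest = m["rest"]
        if rest in ("infected", "warning"):
            detections[key] = Detection(m["obj"], m["sig"], rest)
        elif rest.startswith("User select action:") and key in detections:
            detections[key].action = rest.split(":", 1)[1].strip()
    # Attach the hash mismatch to the detection for the service that loads that file.
    for det in detections.values():
        path = service_paths.get(det.obj, "").lower()
        if path in forged:
            det.forged_md5 = forged[path]
    return detections


def policy_violations(detections: Dict[Tuple[str, str], Detection]) -> List[str]:
    """Compare the operator's choices with the instructions given in the thread."""
    problems = []
    for det in detections.values():
        label = f"{det.obj} ({det.signature})"
        if det.action == "Delete":
            problems.append(f"{label}: Delete chosen; instructions were Cure or Skip only")
        elif det.signature in SKIP_ONLY and det.action not in (None, "Skip"):
            problems.append(f"{label}: generic unsigned/locked-file warning should be skipped")
        elif det.verdict == "infected" and det.action not in (None, "Cure"):
            problems.append(f"{label}: infected object was not cured (action {det.action})")
    return problems


def summarize(text: str) -> dict:
    dets = parse_tdsskiller_log(text)
    return {
        "infected": sorted(f"{d.obj} {d.signature}" for d in dets.values() if d.verdict == "infected"),
        "warnings": sorted(f"{d.obj} {d.signature}" for d in dets.values() if d.verdict == "warning"),
        "forged": {d.obj: d.forged_md5 for d in dets.values() if d.forged_md5},
        "violations": policy_violations(dets),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports two infected objects (the afd.sys driver and the disk's MBR), two skipped warnings, the afd.sys hash pair, and no policy violations; the "detected ... (n)" and "skipped by user" lines are deliberately ignored because the "User select action" line carries the same information in one place.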
MrCharlie Posted March 11, 2012 ID:534014

Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.
Please visit this webpage for download links and instructions for running ComboFix:
http://www.bleepingc...to-use-combofix
Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.
Make sure you run ComboFix from your desktop. Please include the C:\ComboFix.txt in your next reply for further review.
MrC
RickWeaver Posted March 11, 2012 Author ID:534021

Is it OK to run ComboFix in Safe Mode? I can't get anything to run in Windows Full Mode.

MrCharlie Posted March 11, 2012 ID:534025

Yes it is, MrC

RickWeaver Posted March 11, 2012 Author ID:534030

ComboFix detected the rootkit and warned that it was going to reboot the computer, and now I've had the black Safe Mode screen with no taskbar or icons for almost 20 minutes. Is this normal?

MrCharlie Posted March 11, 2012 ID:534031

Give it 15 more minutes, then reboot the computer and run ComboFix again.
I warned you about this infection up front......it's nasty!!
MrC
RickWeaver Posted March 11, 2012 Author ID:534044

When I powered off and rebooted, ComboFix continued, and I will paste the results below. I got numerous errors about can't find 'NIRKMD', but it continued when I closed the alert. I could not disable McAfee in Safe Mode and had no internet access in Safe Mode.
Thanks MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 11:39:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1515 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 * Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\mapbin.exe
c:\documents and settings\All Users\Application Data\isecurity.exe
c:\documents and settings\All Users\imigdevice.exe
c:\windows\$NtUninstallKB21571$\1802059562\@
c:\windows\$NtUninstallKB21571$\1802059562\cfg.ini
c:\windows\$NtUninstallKB21571$\1802059562\Desktop.ini
c:\windows\$NtUninstallKB21571$\1802059562\L\nqegsstu
c:\windows\$NtUninstallKB21571$\3947074288
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\system volume information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP91\A0012325.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe
HKCU-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKCU-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKLM-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
HKU-Default-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKU-Default-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
SafeBoot-86601328.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB21571$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common 
Framework\McAfeeWin32GUISupportDLL.dllc:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Intel\AMT\atchksrv.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Intel\AMT\LMS.exec:\program files\McAfee\Common Framework\FrameworkService.exec:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exec:\program files\McAfee\VirusScan Enterprise\mfeann.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\McAfee\Common Framework\naPrdMgr.exec:\program files\CDBurnerXP\NMSAccessU.exec:\program files\Common Files\McAfee\SystemCore\mcshield.exec:\windows\system32\igfxsrvc.exec:\program files\McAfee\Common Framework\McTray.exec:\windows\system32\wscntfy.exec:\windows\system32\msiexec.exec:\windows\system32\taskmgr.exe.**************************************************************************.Completion time: 2012-03-11 12:19:54 - machine was rebootedComboFix-quarantined-files.txt 2012-03-11 17:19.Pre-Run: 60,895,137,792 bytes freePost-Run: 62,333,325,312 bytes free.- - End Of File - - 96C79734B862A48748B31C6DAB906FAF Link to post Share on other sites More sharing options...
MrCharlie Posted March 11, 2012 ID:534049
See if you can run ComboFix again, MrC
RickWeaver Posted March 11, 2012 Author ID:534062
ComboFix ran successfully and rebooted. I still have no Internet access, so the Windows Recovery Console could not be loaded. Here is the log. Thanks again:

ComboFix 12-03-10.02 - Administrator 03/11/2012 13:01:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1441 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21571$\2983939250
c:\windows\$NtUninstallKB21571$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 18:10 . 2012-03-11 18:10 16384 c:\windows\Temp\Perflib_Perfdata_760.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 13:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2012-03-11 13:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 18:15
ComboFix2.txt 2012-03-11 17:19
.
Pre-Run: 62,330,703,872 bytes free
Post-Run: 62,323,326,976 bytes free
.
- - End Of File - - 94B90A52137D4E8E13E79D261E6B2F07
MrCharlie Posted March 11, 2012 ID:534104
Please delete your copy of ComboFix and download and run a fresh one.
MrC
RickWeaver Posted March 11, 2012 Author ID:534116
I installed the Windows Recovery Console from my XP Pro CD, deleted ComboFix.exe and replaced it with a fresh copy. ComboFix again detected the rootkit and restarted, then completed with no further alerts or errors. Here is the log:
RickWeaver Posted March 11, 2012 Author ID:534117
Disregard the previous post; that was the wrong file (the 2nd one run today). I am reposting the correct, most recent log file. Sorry, MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 17:41:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1461 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 22:40 . 2012-03-11 22:40 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 17:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.scan completed successfullyhidden files: 0.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]@Denied: (2) (LocalSystem)"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\.[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]@Denied: (2) (Administrator)"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\.Completion time: 2012-03-11 17:50:27ComboFix-quarantined-files.txt 2012-03-11 22:50ComboFix2.txt 2012-03-11 18:15ComboFix3.txt 2012-03-11 17:19.Pre-Run: 62,297,968,640 bytes freePost-Run: 62,295,277,568 bytes free.- - End Of File - - 934F747B7AFD96936BF73BBE49EF0EAE Link to post Share on other sites More sharing options...
MrCharlie Posted March 12, 2012
Update and run a quick scan with MB.
Let me know how it is, MrC
RickWeaver (Author) Posted March 12, 2012
I still don't have internet connectivity but my Malwarebytes was last updated 3/10/12 so I ran a full scan, removed all malware and rebooted. Here is the log:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.10.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: VALUED-CUSTOMER [administrator]

Protection: Disabled

3/11/2012 8:09:01 PM
mbam-log-2012-03-11 (20-09-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217953
Time elapsed: 24 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\mapbin.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\imigdevice.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP117\A0029789.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0031866.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0032890.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041067.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041068.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041069.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054186.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054182.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054187.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054188.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054189.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054191.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.

(end)
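When triaging a Malwarebytes list like the one above, the first thing to check is where each detected file was sitting: all fourteen paths are under C:\Qoobox\Quarantine (ComboFix's quarantine, which appends .vir to each file) or under System Volume Information\_restore (System Restore snapshots), so none of them was a live, loadable component at scan time. The Python below, added here and not part of the thread or of Malwarebytes' tooling, parses MBAM "Files Detected" lines into that location split and recovers the original path of quarantined files; the log excerpt is constructed from three lines of the posted log plus one hypothetical live-path line.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: three of the fourteen "Files Detected" lines from the
# Malwarebytes log above, the header/footer lines the parser must skip, and one
# HYPOTHETICAL live-path detection (not in the posted log) to exercise "live".
SAMPLE_LOG = r"""
Files Detected: 14
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\imigdevice.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054182.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041068.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\hypothetical.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
(end)
"""

# One MBAM file-detection line: <path> (<threat name>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

QOOBOX_PREFIX = "C:\\Qoobox\\Quarantine\\"


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str
    location: str  # "quarantine", "restore_point" or "live"


def classify_location(path):
    # Quarantine copies and System Restore snapshots are inert files; only a
    # path outside both could have been an executing component.
    p = path.lower()
    if p.startswith(QOOBOX_PREFIX.lower()):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def original_path(quarantine_path):
    # ComboFix mirrors the original tree under C:\Qoobox\Quarantine\<drive>\...
    # and appends ".vir" to the file name; undo both to get the original path.
    rest = quarantine_path[len(QOOBOX_PREFIX):]
    drive, _, tail = rest.partition("\\")
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return f"{drive}:\\{tail}"


def parse_detections(log_text):
    # Lines that are not detections (headers, "(No malicious items detected)",
    # "(end)") simply fail to match and are skipped.
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        found.append(Detection(m["path"], m["threat"], m["action"],
                               classify_location(m["path"])))
    return found


def triage(detections):
    # Summarise what the list says about the running system, not just the count.
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "by_threat": dict(Counter(d.threat for d in detections)),
        "live_paths": [d.path for d in detections if d.location == "live"],
        "already_quarantined": [original_path(d.path) for d in detections
                                if d.location == "quarantine"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_detections(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full posted log, "live_paths" comes back empty, which is the detail that separates leftover copies from an infection that is still running.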
RickWeaver (Author) Posted March 12, 2012
MrC - Thanks for all of your help today. I'm gonna call it a day. I have to get up at 4:30AM Central and won't be back at the infected computer until I get home from work tomorrow afternoon. I just didn't want you waiting for a response.
Thanks,
Rick
MrCharlie Posted March 12, 2012
OK, RogueKiller again and post the log. (don't run any other options....just scan)
Let me know what problems remain, MrC
RickWeaver (Author) Posted March 12, 2012
I ran RogueKiller and here is the report and a screen shot of what it found. I still have no Internet Connectivity...

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Remove -- Date: 03/12/2012 17:13:18

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++
--- User ---
[MBR] a456f312c0e435782971f94dba7cdfdf
[BSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[7].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt
MrCharlie Posted March 12, 2012
The RogueKiller log looks OK

mfehidk.sys
This driver belongs to McAfee

Make sure this file is present:
c:\windows\system32\drivers\afd.sys
--------------------------------
See if you can repair the connection:
http://www.bleepingc...ombofix#restore
-----------------------------------
Last.......
Download and run a fresh copy of ComboFix and run it.
Let me know, MrC
RickWeaver (Author) Posted March 12, 2012
MrC,
c:\windows\system32\drivers\afd.sys is present.
I still can't repair my wireless connection. It always says it cannot renew the IP address. After running ComboFix.exe (Fresh File) I tried again to repair and got the same message. I tried to use ipconfig to renew and this is what I get (My Wireless Connection is Wireless Network Connection 2)
I am pasting the ComboFix log below the IPConfig text:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : valued-customer
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel® 82566DM-2 Gigabit Network Connection
        Physical Address. . . . . . . . . : 00-1E-4F-48-E8-83

Ethernet adapter Wireless Network Connection 2:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TRENDnet Wireless N speed USB Adapter
        Physical Address. . . . . . . . . : 00-14-D1-6F-84-7B
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.131.235
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

C:\Documents and Settings\Administrator>ipconfig /renew

Windows IP Configuration

No operation can be performed on Local Area Connection 3 while it has its media disconnected.
An error occurred while renewing interface Wireless Network Connection 2 : An operation was attempted on something that is not a socket.

C:\Documents and Settings\Administrator>
- - - - - - - - - - - - End Of IPConfig - - - - - - - - - - - -
MrCharlie Posted March 13, 2012
Can you connect the computer directly to the internet to test the connection? (bypass the wireless connection)
---------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
afd.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------
Last.......
Please remove any usb or external drives from the computer before you run these scans!
Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
MrC