Jump to content

Help Please


Recommended Posts

I have MB Pro and have scanned and cleaned but I still have re-directs and other warnings. I am getting a lot of outgoing malicious websites being blocked.

Thanks for helping, here are the dds and attach logs:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 18:45:50 on 2012-03-03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.480 [GMT -6:00]

.

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\TRENDnet\TEW-649UB\WlanCU.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.dogpile.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111018140631.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-649ub\WlanCU.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237586612703

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{281678F0-3FF4-427B-891A-6BFB7FD89A7D} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{3482D92F-2B8A-4733-A203-0658E54E932A} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{D35D11C8-9B88-4D54-A627-5BD8E9C9A241} : DhcpNameServer = 192.168.0.8 192.168.0.1

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 66.197.194.231 www.google-analytics.com.

Hosts: 66.197.194.231 ad-emea.doubleclick.net.

Hosts: 66.197.194.231 www.statcounter.com.

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4zhz37dx.default\

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-18 436728]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-10-18 88544]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-14 652360]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-10-18 159320]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-5-19 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2012-3-3 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-14 20464]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-18 171296]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-18 58456]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [2012-3-3 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 WLSVC;WLSVC;c:\program files\trendnet\tew-649ub\WLSVC.exe [2012-3-3 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-18 85152]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-20 50704]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-03-04 00:23:06 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23:01 -------- d-----w- c:\program files\TRENDnet

2012-03-03 20:57:16 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57:07 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57:05 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

2012-02-09 13:43:40 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-02-09 13:43:39 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-08 14:29:40 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities

2012-02-08 14:29:27 -------- d-----w- c:\documents and settings\administrator\application data\Omiv

2012-02-08 14:29:27 -------- d-----w- c:\documents and settings\administrator\application data\Inegy

2012-02-05 14:23:00 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

.

==================== Find3M ====================

.

2011-12-20 14:40:23 50704 ----a-w- c:\windows\system32\drivers\npf.sys

2011-12-20 14:40:23 281104 ----a-w- c:\windows\system32\wpcap.dll

2011-12-20 14:40:23 100880 ----a-w- c:\windows\system32\Packet.dll

2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBA2ABFC0]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C5AB8]

3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DB6C78]

\Driver\00000796[0x89DB8880] -> IRP_MJ_CREATE -> 0xBA2ABFC0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89D3A2C6

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 18:48:16.48 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/20/2009 2:48:17 PM

System Uptime: 3/3/2012 6:16:06 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0HX555

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | CPU | 2327/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 57.849 GiB free.

D: is CDROM (CDFS)

Z: is NetworkDisk (NTFS) - 931 GiB total, 508.82 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}

Description: Intel® Active Management Technology - SOL

Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B

Manufacturer: Intel

Name: Intel® Active Management Technology - SOL (COM3)

PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B

Service: Serial

.

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}

Description: Communications Port

Device ID: ACPI\PNP0501\1

Manufacturer: (Standard port types)

Name: Communications Port (COM1)

PNP Device ID: ACPI\PNP0501\1

Service: Serial

.

==== System Restore Points ===================

.

RP77: 12/5/2011 8:06:38 AM - System Checkpoint

RP78: 12/6/2011 8:55:45 AM - System Checkpoint

RP79: 12/7/2011 9:34:23 AM - System Checkpoint

RP80: 12/8/2011 11:06:35 AM - System Checkpoint

RP81: 12/9/2011 11:16:49 AM - System Checkpoint

RP82: 12/12/2011 8:10:50 AM - System Checkpoint

RP83: 12/13/2011 8:52:52 AM - System Checkpoint

RP84: 12/14/2011 8:58:43 AM - System Checkpoint

RP85: 12/15/2011 9:42:36 AM - System Checkpoint

RP86: 12/15/2011 4:27:16 PM - Software Distribution Service 3.0

RP87: 12/16/2011 12:31:17 PM - Software Distribution Service 3.0

RP88: 12/16/2011 2:57:16 PM - Restore Operation

RP89: 12/16/2011 3:09:12 PM - Restore Operation

RP90: 12/17/2011 9:47:42 AM - Restore Operation

RP91: 12/17/2011 9:49:49 AM - Restore Operation

RP92: 12/17/2011 11:55:13 AM - Software Distribution Service 3.0

RP93: 12/19/2011 9:25:43 AM - System Checkpoint

RP94: 12/20/2011 11:27:56 AM - System Checkpoint

RP95: 12/21/2011 11:56:46 AM - System Checkpoint

RP96: 12/27/2011 11:23:08 AM - System Checkpoint

RP97: 12/28/2011 1:45:29 PM - System Checkpoint

RP98: 12/29/2011 2:45:12 PM - System Checkpoint

RP99: 1/3/2012 10:49:09 AM - System Checkpoint

RP100: 1/5/2012 9:33:21 AM - System Checkpoint

RP101: 1/6/2012 9:49:42 AM - System Checkpoint

RP102: 1/9/2012 8:35:48 AM - System Checkpoint

RP103: 1/10/2012 4:23:16 PM - Software Distribution Service 3.0

RP104: 1/11/2012 7:36:38 AM - Software Distribution Service 3.0

RP105: 1/11/2012 4:34:33 PM - Software Distribution Service 3.0

RP106: 1/13/2012 2:20:07 PM - System Checkpoint

RP107: 1/16/2012 9:01:17 AM - System Checkpoint

RP108: 1/17/2012 2:04:06 PM - System Checkpoint

RP109: 1/17/2012 4:24:59 PM - Software Distribution Service 3.0

RP110: 1/19/2012 9:12:36 AM - System Checkpoint

RP111: 1/23/2012 10:00:50 AM - System Checkpoint

RP112: 1/25/2012 11:10:59 AM - System Checkpoint

RP113: 1/26/2012 12:01:32 PM - System Checkpoint

RP114: 1/30/2012 7:33:50 AM - System Checkpoint

RP115: 1/31/2012 1:43:49 PM - System Checkpoint

RP116: 2/2/2012 7:35:27 AM - System Checkpoint

RP117: 2/4/2012 7:58:58 AM - System Checkpoint

RP118: 2/4/2012 8:06:23 AM - Restore Operation

RP119: 2/9/2012 7:41:07 AM - Restore Operation

RP120: 2/9/2012 7:42:35 AM - Restore Operation

RP121: 2/13/2012 8:04:28 AM - Restore Operation

RP122: 3/3/2012 2:35:46 PM - Restore Operation

RP123: 3/3/2012 2:46:10 PM - Restore Operation

RP124: 3/3/2012 2:57:05 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter

RP125: 3/3/2012 2:59:18 PM - Unsigned driver install

RP126: 3/3/2012 6:22:22 PM - Removed TRENDnet TEW-649UB Wireless N speed USB Adapter

RP127: 3/3/2012 6:23:00 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter

RP128: 3/3/2012 6:24:19 PM - Unsigned driver install

.

==== Hosts File Hijack ======================

.

Hosts: 66.197.194.231 www.google-analytics.com.

Hosts: 66.197.194.231 ad-emea.doubleclick.net.

Hosts: 66.197.194.231 www.statcounter.com.

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

Hosts: 69.72.252.254 www.statcounter.com.

.

==== Installed Programs ======================

.

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader X (10.1.1)

Adobe Shockwave Player 11.5

AnalogX POW!

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

Broadcom Gigabit Integrated Controller

CDBurnerXP

Cole2k Media - Codec Pack (Standard) 6.0.9

Critical Update for Windows Media Player 11 (KB959772)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Interface

Intel® PRO Network Connections Drivers

Intel® Active Management Technology

Java 6 Update 24

K-Lite Codec Pack 7.1.0 (Full)

Malwarebytes Anti-Malware version 1.60.1.1000

McAfee Agent

McAfee VirusScan Enterprise

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Basic Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox 4.0.1 (x86 en-US)

OpenOffice.org 3.3

Picasa 3

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

SoundMAX

TRENDnet TEW-649UB Wireless N speed USB Adapter

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB971180)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

Update for Windows XP (KB898461)

Update for Windows XP (KB943729)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VLC media player 1.1.9

WebFldrs XP

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell 1.0 MUI pack

WinRAR 4.00 (32-bit)

Yahoo! Detect

.

==== Event Viewer Messages From Past Week ========

.

3/3/2012 6:21:01 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402

3/3/2012 6:21:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402

3/3/2012 6:16:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

3/3/2012 5:21:00 PM, error: Schedule [7901] - The At84.job command failed to start due to the following error: %%2147942402

3/3/2012 5:21:00 PM, error: Schedule [7901] - The At83.job command failed to start due to the following error: %%2147942402

3/3/2012 4:21:00 PM, error: Schedule [7901] - The At82.job command failed to start due to the following error: %%2147942402

3/3/2012 4:21:00 PM, error: Schedule [7901] - The At81.job command failed to start due to the following error: %%2147942402

3/3/2012 3:21:00 PM, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402

3/3/2012 3:21:00 PM, error: Schedule [7901] - The At79.job command failed to start due to the following error: %%2147942402

3/3/2012 2:52:46 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

3/3/2012 2:37:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/3/2012 2:36:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

3/3/2012 2:36:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

.

==== End Of File ===========================

Link to post
Share on other sites

OK, I ran RogueKiller in Safe Mode and it completed with the following report:

RogueKiller V7.3.1 [03/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User: Administrator [Admin rights]

Mode: Scan -- Date: 03/10/2012 18:40:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[FAKED] afd.sys : c:\windows\system32\drivers\afd.sys --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR|ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

66.197.194.231 www.google-analytics.com.

66.197.194.231 ad-emea.doubleclick.net.

66.197.194.231 www.statcounter.com.

69.72.252.254 www.google-analytics.com.

69.72.252.254 ad-emea.doubleclick.net.

69.72.252.254 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] a456f312c0e435782971f94dba7cdfdf

[bSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] c3cb072bf8e200fb802e1b0e690e1a00

[bSP] eee50617a5d37a043311c472ae6d4d37 : PiHar MBR Code!

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Read this warning and let me know what you would like to do.

Removing this infection can also disable the ability to connect to the internet which may result in a repair install.

-----------------------

If you wish to continue.............

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC

Link to post
Share on other sites

Again I had to run in Safe Mode (The "Internet Security" Fake Alert keeps popping up and no executables will run)

Here is the log report:

09:36:11.0578 1916 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43

09:36:11.0625 1916 ============================================================

09:36:11.0625 1916 Current date / time: 2012/03/11 09:36:11.0625

09:36:11.0625 1916 SystemInfo:

09:36:11.0625 1916

09:36:11.0625 1916 OS Version: 5.1.2600 ServicePack: 3.0

09:36:11.0625 1916 Product type: Workstation

09:36:11.0625 1916 ComputerName: VALUED-CUSTOMER

09:36:11.0625 1916 UserName: Administrator

09:36:11.0625 1916 Windows directory: C:\WINDOWS

09:36:11.0625 1916 System windows directory: C:\WINDOWS

09:36:11.0625 1916 Processor architecture: Intel x86

09:36:11.0625 1916 Number of processors: 2

09:36:11.0625 1916 Page size: 0x1000

09:36:11.0625 1916 Boot type: Safe boot with network

09:36:11.0625 1916 ============================================================

09:36:13.0234 1916 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

09:36:13.0234 1916 Drive \Device\Harddisk1\DR2 - Size: 0xF4FD1C00 (3.83 Gb), SectorSize: 0x200, Cylinders: 0x1F3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'

09:36:13.0234 1916 \Device\Harddisk0\DR0:

09:36:13.0234 1916 MBR used

09:36:13.0234 1916 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950283F

09:36:13.0234 1916 \Device\Harddisk1\DR2:

09:36:13.0234 1916 MBR used

09:36:13.0234 1916 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x7A7E4F

09:36:13.0281 1916 Initialize success

09:36:13.0281 1916 ============================================================

09:36:25.0234 1468 ============================================================

09:36:25.0234 1468 Scan started

09:36:25.0234 1468 Mode: Manual; SigCheck; TDLFS;

09:36:25.0234 1468 ============================================================

09:36:26.0312 1468 Abiosdsk - ok

09:36:26.0328 1468 abp480n5 - ok

09:36:26.0390 1468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\ACPI.sys

09:36:26.0625 1468 ACPI - ok

09:36:26.0687 1468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

09:36:26.0765 1468 ACPIEC - ok

09:36:26.0828 1468 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys

09:36:26.0890 1468 ADIHdAudAddService - ok

09:36:26.0906 1468 adpu160m - ok

09:36:26.0968 1468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

09:36:27.0046 1468 aec - ok

09:36:27.0078 1468 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys

09:36:27.0093 1468 AegisP ( UnsignedFile.Multi.Generic ) - warning

09:36:27.0093 1468 AegisP - detected UnsignedFile.Multi.Generic (1)

09:36:27.0140 1468 AFD (1d495ee1d3a836801d1fd816ff4a93f9) C:\WINDOWS\System32\drivers\afd.sys

09:36:27.0140 1468 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 1d495ee1d3a836801d1fd816ff4a93f9, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9

09:36:27.0140 1468 AFD ( Virus.Win32.ZAccess.c ) - infected

09:36:27.0140 1468 AFD - detected Virus.Win32.ZAccess.c (0)

09:36:27.0156 1468 Aha154x - ok

09:36:27.0171 1468 aic78u2 - ok

09:36:27.0187 1468 aic78xx - ok

09:36:27.0203 1468 AliIde - ok

09:36:27.0218 1468 amsint - ok

09:36:27.0250 1468 asc - ok

09:36:27.0265 1468 asc3350p - ok

09:36:27.0265 1468 asc3550 - ok

09:36:27.0359 1468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

09:36:27.0437 1468 AsyncMac - ok

09:36:27.0515 1468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys

09:36:27.0578 1468 atapi - ok

09:36:27.0593 1468 Atdisk - ok

09:36:27.0687 1468 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

09:36:27.0812 1468 ati2mtag - ok

09:36:27.0953 1468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

09:36:28.0031 1468 Atmarpc - ok

09:36:28.0093 1468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

09:36:28.0171 1468 audstub - ok

09:36:28.0218 1468 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

09:36:28.0265 1468 b57w2k - ok

09:36:28.0312 1468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

09:36:28.0375 1468 Beep - ok

09:36:28.0437 1468 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys

09:36:28.0484 1468 BrScnUsb - ok

09:36:28.0500 1468 BrSerIf (1a5fc78e41840edf79d65ec16eff2787) C:\WINDOWS\system32\Drivers\BrSerIf.sys

09:36:28.0562 1468 BrSerIf - ok

09:36:28.0578 1468 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\WINDOWS\system32\Drivers\BrUsbSer.sys

09:36:28.0578 1468 BrUsbSer - ok

09:36:28.0609 1468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

09:36:28.0703 1468 cbidf2k - ok

09:36:28.0718 1468 cd20xrnt - ok

09:36:28.0765 1468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

09:36:28.0843 1468 Cdaudio - ok

09:36:28.0859 1468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

09:36:28.0953 1468 Cdfs - ok

09:36:29.0000 1468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

09:36:29.0078 1468 Cdrom - ok

09:36:29.0093 1468 Changer - ok

09:36:29.0125 1468 CmdIde - ok

09:36:29.0156 1468 Cpqarray - ok

09:36:29.0187 1468 dac2w2k - ok

09:36:29.0203 1468 dac960nt - ok

09:36:29.0250 1468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

09:36:29.0312 1468 Disk - ok

09:36:29.0359 1468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

09:36:29.0468 1468 dmboot - ok

09:36:29.0500 1468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

09:36:29.0578 1468 dmio - ok

09:36:29.0578 1468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

09:36:29.0656 1468 dmload - ok

09:36:29.0734 1468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

09:36:29.0812 1468 DMusic - ok

09:36:29.0828 1468 dpti2o - ok

09:36:29.0875 1468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

09:36:29.0937 1468 drmkaud - ok

09:36:29.0984 1468 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

09:36:30.0187 1468 e1express - ok

09:36:30.0328 1468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

09:36:30.0406 1468 Fastfat - ok

09:36:30.0453 1468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

09:36:30.0531 1468 Fdc - ok

09:36:30.0578 1468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

09:36:30.0656 1468 Fips - ok

09:36:30.0671 1468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

09:36:30.0750 1468 Flpydisk - ok

09:36:30.0796 1468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

09:36:30.0875 1468 FltMgr - ok

09:36:30.0906 1468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

09:36:31.0000 1468 Fs_Rec - ok

09:36:31.0046 1468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

09:36:31.0125 1468 Ftdisk - ok

09:36:31.0140 1468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

09:36:31.0203 1468 Gpc - ok

09:36:31.0265 1468 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

09:36:31.0328 1468 HDAudBus - ok

09:36:31.0375 1468 HECI (0bf1d760b05caaaf231123d53c4789e2) C:\WINDOWS\system32\DRIVERS\HECI.sys

09:36:31.0421 1468 HECI - ok

09:36:31.0468 1468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

09:36:31.0546 1468 hidusb - ok

09:36:31.0562 1468 hpn - ok

09:36:31.0625 1468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

09:36:31.0687 1468 HTTP - ok

09:36:31.0703 1468 i2omgmt - ok

09:36:31.0718 1468 i2omp - ok

09:36:31.0781 1468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

09:36:31.0859 1468 i8042prt - ok

09:36:32.0062 1468 ialm (bd9462e346229f37fd5b95fbcb6d3d34) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

09:36:32.0406 1468 ialm - ok

09:36:32.0546 1468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

09:36:32.0625 1468 Imapi - ok

09:36:32.0640 1468 ini910u - ok

09:36:32.0671 1468 IntelIde - ok

09:36:32.0718 1468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\drivers\intelppm.sys

09:36:32.0796 1468 intelppm - ok

09:36:32.0828 1468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

09:36:32.0890 1468 Ip6Fw - ok

09:36:32.0937 1468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

09:36:33.0015 1468 IpFilterDriver - ok

09:36:33.0015 1468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

09:36:33.0093 1468 IpInIp - ok

09:36:33.0109 1468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

09:36:33.0187 1468 IpNat - ok

09:36:33.0250 1468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

09:36:33.0312 1468 IPSec - ok

09:36:33.0359 1468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

09:36:33.0406 1468 IRENUM - ok

09:36:33.0437 1468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\drivers\isapnp.sys

09:36:33.0531 1468 isapnp - ok

09:36:33.0546 1468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

09:36:33.0625 1468 Kbdclass - ok

09:36:33.0640 1468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

09:36:33.0703 1468 kbdhid - ok

09:36:33.0765 1468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

09:36:33.0843 1468 kmixer - ok

09:36:33.0875 1468 KMWDFILTER (566c5fd480fdbce3ba5cf9fbcffaea9a) C:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys

09:36:33.0953 1468 KMWDFILTER - ok

09:36:33.0984 1468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

09:36:34.0062 1468 KSecDD - ok

09:36:34.0078 1468 lbrtfdc - ok

09:36:34.0140 1468 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys

09:36:34.0156 1468 MBAMProtector - ok

09:36:34.0250 1468 mfeapfk (c0d975d64c1af8057f2d75b1297a6979) C:\WINDOWS\system32\drivers\mfeapfk.sys

09:36:34.0265 1468 mfeapfk - ok

09:36:34.0312 1468 mfeavfk (c169326049a8a03d5f905b34f5a65f8c) C:\WINDOWS\system32\drivers\mfeavfk.sys

09:36:34.0328 1468 mfeavfk - ok

09:36:34.0343 1468 mfebopk (50b0253b2484a306a20d8695c5ae5858) C:\WINDOWS\system32\drivers\mfebopk.sys

09:36:34.0359 1468 mfebopk - ok

09:36:34.0500 1468 mfehidk (188b40866db2ab8ef262febc65291687) C:\WINDOWS\system32\drivers\mfehidk.sys

09:36:34.0531 1468 mfehidk - ok

09:36:34.0562 1468 mferkdet (c1b30af2e18e69bf8ceb39b33f32d3c1) C:\WINDOWS\system32\drivers\mferkdet.sys

09:36:34.0578 1468 mferkdet - ok

09:36:34.0625 1468 mfetdi2k (97ef4ca122ddda4781ff557e65dfb262) C:\WINDOWS\system32\drivers\mfetdi2k.sys

09:36:34.0640 1468 mfetdi2k - ok

09:36:34.0703 1468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

09:36:34.0765 1468 mnmdd - ok

09:36:34.0812 1468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

09:36:34.0906 1468 Modem - ok

09:36:34.0921 1468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

09:36:35.0015 1468 Mouclass - ok

09:36:35.0062 1468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

09:36:35.0140 1468 mouhid - ok

09:36:35.0156 1468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

09:36:35.0218 1468 MountMgr - ok

09:36:35.0234 1468 mraid35x - ok

09:36:35.0265 1468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

09:36:35.0328 1468 MRxDAV - ok

09:36:35.0390 1468 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

09:36:35.0468 1468 MRxSmb - ok

09:36:35.0531 1468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

09:36:35.0593 1468 Msfs - ok

09:36:35.0625 1468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

09:36:35.0687 1468 MSKSSRV - ok

09:36:35.0703 1468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

09:36:35.0765 1468 MSPCLOCK - ok

09:36:35.0781 1468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

09:36:35.0875 1468 MSPQM - ok

09:36:35.0921 1468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

09:36:36.0000 1468 mssmbios - ok

09:36:36.0031 1468 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

09:36:36.0062 1468 Mup - ok

09:36:36.0078 1468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

09:36:36.0171 1468 NDIS - ok

09:36:36.0218 1468 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

09:36:36.0250 1468 NdisTapi - ok

09:36:36.0296 1468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

09:36:36.0390 1468 Ndisuio - ok

09:36:36.0390 1468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

09:36:36.0500 1468 NdisWan - ok

09:36:36.0609 1468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

09:36:36.0687 1468 NDProxy - ok

09:36:36.0734 1468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

09:36:36.0812 1468 NetBIOS - ok

09:36:36.0875 1468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

09:36:36.0953 1468 NetBT - ok

09:36:37.0062 1468 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys

09:36:37.0078 1468 NPF - ok

09:36:37.0093 1468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

09:36:37.0156 1468 Npfs - ok

09:36:37.0203 1468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

09:36:37.0281 1468 Ntfs - ok

09:36:37.0343 1468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

09:36:37.0406 1468 Null - ok

09:36:37.0468 1468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

09:36:37.0546 1468 NwlnkFlt - ok

09:36:37.0562 1468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

09:36:37.0656 1468 NwlnkFwd - ok

09:36:37.0687 1468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

09:36:37.0765 1468 Parport - ok

09:36:37.0781 1468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

09:36:37.0843 1468 PartMgr - ok

09:36:37.0906 1468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

09:36:38.0000 1468 ParVdm - ok

09:36:38.0031 1468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\drivers\pci.sys

09:36:38.0093 1468 PCI - ok

09:36:38.0109 1468 PCIDump - ok

09:36:38.0125 1468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\pciide.sys

09:36:38.0187 1468 PCIIde - ok

09:36:38.0218 1468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

09:36:38.0296 1468 Pcmcia - ok

09:36:38.0312 1468 PDCOMP - ok

09:36:38.0328 1468 PDFRAME - ok

09:36:38.0343 1468 PDRELI - ok

09:36:38.0359 1468 PDRFRAME - ok

09:36:38.0359 1468 perc2 - ok

09:36:38.0375 1468 perc2hib - ok

09:36:38.0453 1468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

09:36:38.0531 1468 PptpMiniport - ok

09:36:38.0546 1468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

09:36:38.0625 1468 PSched - ok

09:36:38.0671 1468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

09:36:38.0750 1468 Ptilink - ok

09:36:38.0765 1468 ql1080 - ok

09:36:38.0781 1468 Ql10wnt - ok

09:36:38.0796 1468 ql12160 - ok

09:36:38.0796 1468 ql1240 - ok

09:36:38.0812 1468 ql1280 - ok

09:36:38.0828 1468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

09:36:38.0906 1468 RasAcd - ok

09:36:38.0921 1468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

09:36:39.0000 1468 Rasl2tp - ok

09:36:39.0015 1468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

09:36:39.0093 1468 RasPppoe - ok

09:36:39.0203 1468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

09:36:39.0265 1468 Raspti - ok

09:36:39.0296 1468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

09:36:39.0375 1468 Rdbss - ok

09:36:39.0390 1468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

09:36:39.0453 1468 RDPCDD - ok

09:36:39.0500 1468 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

09:36:39.0578 1468 rdpdr - ok

09:36:39.0625 1468 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

09:36:39.0703 1468 RDPWD - ok

09:36:39.0750 1468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

09:36:39.0812 1468 redbook - ok

09:36:39.0890 1468 RTL8192su (7bfdf13721f0366212ab8e94361a05bd) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys

09:36:39.0921 1468 RTL8192su ( UnsignedFile.Multi.Generic ) - warning

09:36:39.0921 1468 RTL8192su - detected UnsignedFile.Multi.Generic (1)

09:36:39.0984 1468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

09:36:40.0015 1468 Secdrv - ok

09:36:40.0031 1468 senfilt - ok

09:36:40.0046 1468 SenFiltService - ok

09:36:40.0109 1468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

09:36:40.0187 1468 serenum - ok

09:36:40.0203 1468 Serial - ok

09:36:40.0265 1468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

09:36:40.0343 1468 Sfloppy - ok

09:36:40.0375 1468 Simbad - ok

09:36:40.0437 1468 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys

09:36:40.0515 1468 smwdm - ok

09:36:40.0515 1468 Sparrow - ok

09:36:40.0562 1468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

09:36:40.0625 1468 splitter - ok

09:36:40.0687 1468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

09:36:40.0734 1468 sr - ok

09:36:40.0796 1468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

09:36:40.0875 1468 Srv - ok

09:36:41.0000 1468 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys

09:36:41.0000 1468 StarOpen ( UnsignedFile.Multi.Generic ) - warning

09:36:41.0000 1468 StarOpen - detected UnsignedFile.Multi.Generic (1)

09:36:41.0015 1468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

09:36:41.0125 1468 swenum - ok

09:36:41.0140 1468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

09:36:41.0218 1468 swmidi - ok

09:36:41.0234 1468 symc810 - ok

09:36:41.0250 1468 symc8xx - ok

09:36:41.0265 1468 sym_hi - ok

09:36:41.0281 1468 sym_u3 - ok

09:36:41.0296 1468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

09:36:41.0359 1468 sysaudio - ok

09:36:41.0437 1468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

09:36:41.0515 1468 Tcpip - ok

09:36:41.0562 1468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

09:36:41.0671 1468 TDPIPE - ok

09:36:41.0687 1468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

09:36:41.0765 1468 TDTCP - ok

09:36:41.0796 1468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

09:36:41.0859 1468 TermDD - ok

09:36:41.0890 1468 TosIde - ok

09:36:41.0953 1468 TrueSight (0455d57c7fdb1252784202f2f7deb1d5) c:\windows\system32\drivers\TrueSight.sys

09:36:41.0968 1468 TrueSight ( UnsignedFile.Multi.Generic ) - warning

09:36:41.0968 1468 TrueSight - detected UnsignedFile.Multi.Generic (1)

09:36:42.0015 1468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

09:36:42.0109 1468 Udfs - ok

09:36:42.0125 1468 ultra - ok

09:36:42.0187 1468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

09:36:42.0265 1468 Update - ok

09:36:42.0312 1468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

09:36:42.0390 1468 usbccgp - ok

09:36:42.0437 1468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

09:36:42.0500 1468 usbehci - ok

09:36:42.0515 1468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

09:36:42.0593 1468 usbhub - ok

09:36:42.0640 1468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

09:36:42.0718 1468 usbprint - ok

09:36:42.0781 1468 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

09:36:42.0843 1468 USBSTOR - ok

09:36:42.0890 1468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

09:36:42.0968 1468 usbuhci - ok

09:36:43.0015 1468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

09:36:43.0093 1468 VgaSave - ok

09:36:43.0187 1468 ViaIde - ok

09:36:43.0250 1468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

09:36:43.0328 1468 VolSnap - ok

09:36:43.0375 1468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

09:36:43.0437 1468 Wanarp - ok

09:36:43.0453 1468 WDICA - ok

09:36:43.0500 1468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

09:36:43.0578 1468 wdmaud - ok

09:36:43.0671 1468 WLNdis50 (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys

09:36:43.0671 1468 WLNdis50 ( UnsignedFile.Multi.Generic ) - warning

09:36:43.0671 1468 WLNdis50 - detected UnsignedFile.Multi.Generic (1)

09:36:43.0796 1468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

09:36:43.0890 1468 WudfPf - ok

09:36:43.0921 1468 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

09:36:43.0937 1468 WudfRd - ok

09:36:43.0984 1468 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0

09:36:44.0015 1468 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected

09:36:44.0015 1468 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)

09:36:44.0031 1468 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

09:36:44.0031 1468 \Device\Harddisk0\DR0 - detected TDSS File System (1)

09:36:44.0062 1468 Boot (0x1200) (694888c52288f863f3f9db47415c92fa) \Device\Harddisk0\DR0\Partition0

09:36:44.0062 1468 \Device\Harddisk0\DR0\Partition0 - ok

09:36:44.0078 1468 ============================================================

09:36:44.0078 1468 Scan finished

09:36:44.0078 1468 ============================================================

09:36:44.0203 1344 Detected object count: 8

09:36:44.0203 1344 Actual detected object count: 8

09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user

09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip

09:39:36.0375 1344 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine

09:39:36.0500 1344 Backup copy found, using it..

09:39:36.0515 1344 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot

09:39:38.0562 1344 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure

09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - skipped by user

09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - User select action: Skip

09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user

09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip

09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user

09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip

09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - skipped by user

09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - User select action: Skip

09:39:39.0046 1344 \Device\Harddisk0\DR0\# - copied to quarantine

09:39:39.0046 1344 \Device\Harddisk0\DR0 - copied to quarantine

09:39:39.0062 1344 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine

09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine

09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine

09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine

09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine

09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine

09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine

09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine

09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine

09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine

09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine

09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot

09:39:39.0234 1344 \Device\Harddisk0\DR0 - ok

09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure

09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

09:39:47.0343 1848 Deinitialize success

Link to post
Share on other sites

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

Link to post
Share on other sites

When I powered off and rebooted, ComboFix continued and I will paste the results below. I got numerous errors about can't find 'NIRKMD' but it continued when I closed the alert. I could not disable McAfee in Safe Mode and had no internet access in Safe Mode.

Thanks MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 11:39:13.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1515 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\mapbin.exe

c:\documents and settings\All Users\Application Data\isecurity.exe

c:\documents and settings\All Users\imigdevice.exe

c:\windows\$NtUninstallKB21571$\1802059562\@

c:\windows\$NtUninstallKB21571$\1802059562\cfg.ini

c:\windows\$NtUninstallKB21571$\1802059562\Desktop.ini

c:\windows\$NtUninstallKB21571$\1802059562\L\nqegsstu

c:\windows\$NtUninstallKB21571$\3947074288

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\wpcap.dll

.

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected

Restored copy from - The cat found it :)

c:\windows\system32\drivers\Serial.sys was missing

Restored copy from - c:\system volume information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP91\A0012325.sys

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe

HKCU-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe

HKCU-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe

HKLM-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe

HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe

HKU-Default-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe

HKU-Default-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe

HKU-Default-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe

SafeBoot-86601328.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-11 12:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\$NtUninstallKB21571$:SummaryInformation 0 bytes hidden from API

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2824)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\AMT\atchksrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2012-03-11 12:19:54 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-11 17:19

.

Pre-Run: 60,895,137,792 bytes free

Post-Run: 62,333,325,312 bytes free

.

- - End Of File - - 96C79734B862A48748B31C6DAB906FAF

Link to post
Share on other sites

ComboFix ran successfully and rebooted. I still have no Internect Access so the Windows Recovery Console could not be loaded. Here is the Log. Thanks again:

ComboFix 12-03-10.02 - Administrator 03/11/2012 13:01:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1441 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB21571$\2983939250

c:\windows\$NtUninstallKB21571$ . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-03-11 18:10 . 2012-03-11 18:10 16384 c:\windows\Temp\Perflib_Perfdata_760.dat

- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-11 13:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3568)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\AMT\atchksrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2012-03-11 13:15:49 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-11 18:15

ComboFix2.txt 2012-03-11 17:19

.

Pre-Run: 62,330,703,872 bytes free

Post-Run: 62,323,326,976 bytes free

.

- - End Of File - - 94B90A52137D4E8E13E79D261E6B2F07

Link to post
Share on other sites

I installed the Windows Recovery Console from my XP Pro CD, Dleted ComboFix.exe and replaced it with a fresh copy. ComboFix again detected the RootKit and restarted then completed with no further alerts or errors. Here is the log:

ComboFix 12-03-10.02 - Administrator 03/11/2012 13:01:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1441 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB21571$\2983939250

c:\windows\$NtUninstallKB21571$ . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-03-11 18:10 . 2012-03-11 18:10 16384 c:\windows\Temp\Perflib_Perfdata_760.dat

- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-11 13:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3568)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\AMT\atchksrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2012-03-11 13:15:49 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-11 18:15

ComboFix2.txt 2012-03-11 17:19

.

Pre-Run: 62,330,703,872 bytes free

Post-Run: 62,323,326,976 bytes free

.

- - End Of File - - 94B90A52137D4E8E13E79D261E6B2F07

Link to post
Share on other sites

Disregard previous post that was the wrong file (2nd one run today. I am reposting the correct most recent log file. Sorry, MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 17:41:07.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1461 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-03-11 22:40 . 2012-03-11 22:40 16384 c:\windows\Temp\Perflib_Perfdata_758.dat

- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-11 17:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

Completion time: 2012-03-11 17:50:27

ComboFix-quarantined-files.txt 2012-03-11 22:50

ComboFix2.txt 2012-03-11 18:15

ComboFix3.txt 2012-03-11 17:19

.

Pre-Run: 62,297,968,640 bytes free

Post-Run: 62,295,277,568 bytes free

.

- - End Of File - - 934F747B7AFD96936BF73BBE49EF0EAE

Link to post
Share on other sites

I still don't have internet connectivity but my Malware Bytes was last updated 3/10/12 so I ran a full scan, removed all malware and rebooted. Here is the log:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.10.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Administrator :: VALUED-CUSTOMER [administrator]

Protection: Disabled

3/11/2012 8:09:01 PM

mbam-log-2012-03-11 (20-09-01).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 217953

Time elapsed: 24 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 14

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\mapbin.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\imigdevice.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP117\A0029789.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0031866.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0032890.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041067.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041068.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041069.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054186.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054182.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054187.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054188.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054189.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054191.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.

(end)

Link to post
Share on other sites

I ran Rogue Killer and here is the report and a sreen shot of what it found. I still have no Internet Connectivity...

RogueKiller_ScreenCap.jpg

RogueKiller V7.3.1 [03/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Administrator [Admin rights]

Mode: Remove -- Date: 03/12/2012 17:13:18

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++

--- User ---

[MBR] a456f312c0e435782971f94dba7cdfdf

[bSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[7].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;

RKreport[6].txt ; RKreport[7].txt

Link to post
Share on other sites

The RogueKiller log looks OK

mfehidk.sys

This driver belongs to McAfee

Make sure this file is present:

c:\windows\system32\drivers\afd.sys

--------------------------------

See if you can repair the connection:

http://www.bleepingc...ombofix#restore

-----------------------------------

Last.......

Download and run a fresh copy of ComboFix and run it.

Let me know, MrC

Link to post
Share on other sites

MrC,

c:\windows\system32\drivers\afd.sys is present.

I still can't repair my wireless connection. It always says it can not renew the IP address. After running ComboFix.exe (Fresh File) I tried again to repair and got the same message. I tried to use ipconfig to renew and this is what I get (My Wireless Connection is Wireless Network Connection 2)

I am pasting the ComboFix log below the IPConfig text:

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : valued-customer

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® 82566DM-2 Gigabit Network C

onnection

Physical Address. . . . . . . . . : 00-1E-4F-48-E8-83

Ethernet adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : TRENDnet Wireless N speed USB Adapte

r

Physical Address. . . . . . . . . : 00-14-D1-6F-84-7B

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Autoconfiguration IP Address. . . : 169.254.131.235

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . :

C:\Documents and Settings\Administrator>ipconfig /renew

Windows IP Configuration

No operation can be performed on Local Area Connection 3 while it has its media

disconnected.

An error occurred while renewing interface Wireless Network Connection 2 : An op

eration was attempted on something that is not a socket.

C:\Documents and Settings\Administrator>

- - - - - - - - - - - - - - - - - - - - - - - - End Of IPConfig - - - - - - - - - - - - - - - - - - - - - - - -

ComboFix 12-03-10.02 - Administrator 03/12/2012 18:31:37.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1459 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((( Files Created from 2012-02-12 to 2012-03-12 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-03-12 23:30 . 2012-03-12 23:30 16384 c:\windows\Temp\Perflib_Perfdata_764.dat

- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-12 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-12 18:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

Completion time: 2012-03-12 18:40:45

ComboFix-quarantined-files.txt 2012-03-12 23:40

ComboFix2.txt 2012-03-11 22:50

ComboFix3.txt 2012-03-11 18:15

ComboFix4.txt 2012-03-11 17:19

.

Pre-Run: 62,289,039,360 bytes free

Post-Run: 62,288,338,944 bytes free

.

- - End Of File - - 94AE6A45684D4385B44CDE78CE5232BC

Link to post
Share on other sites

Can you connect the computer directly to the internet to test the connection? (by pass the wireless connection)

---------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

-----------------------------

Last.......

Please remove any usb or external drives from the computer before you run these scan!

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

    [*]Press "Scan".

    [*]It will create a log (FSS.txt) in the same directory the tool is run.

    [*]Please copy and paste the log to your reply.

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.