Rootkit.0Access


  • This topic is locked
13 replies to this topic

#1 klouf

klouf

    New Member

  • Members
  • 15 posts

Posted 29 February 2012 - 10:16 AM

We have a computer infected with Rootkit.0Access (as well as Rootkit.ZeroAccess, not sure if that is the same) and Backdoor.Agent.Gen. Some quick reading and it seems that is a pretty nasty item. Would it just be easier to wipe the machine and start fresh or try to clean it up?


DDS.txt:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by jdoyle at 10:13:10 on 2012-02-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.1846 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Citrix\GoToMeeting\723\g2mstart.exe
C:\Program Files\Citrix\GoToMeeting\723\g2mcomm.exe
C:\Program Files\Fonality\HUD3.0\HUD3.exe
C:\Program Files\Citrix\GoToMeeting\723\g2mlauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\zshp2600.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:jdoe@maidpro.com
uWinlogon: Shell=c:\documents and settings\jdoyle\local settings\application data\c2f7014d\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\723\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hud30~1.lnk - c:\program files\fonality\hud3.0\HUD3.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1316728581546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.25.15 192.168.25.10
TCP: Interfaces\{86B9AF4C-D92B-4707-AF62-D900EEA0BC78} : DhcpNameServer = 192.168.25.15 192.168.25.10
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jdoyle\application data\mozilla\firefox\profiles\dgz3tfui.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-21 242240]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-2-17 132768]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-21 652360]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-9-23 2523136]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-21 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-29 40776]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]
S2 mbr;Omci;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ndasbus;Wanminiportservice;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 TeamViewer;Safety Settings Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-29 15:06:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-29 15:00:35 299008 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp101.dll
2012-02-29 15:00:35 176128 ----a-w- c:\windows\system32\hpcpn101.dll
2012-02-29 15:00:35 167480 ----a-w- c:\windows\system32\hppccompio.dll
2012-02-29 14:59:54 755256 ----a-w- c:\windows\system32\hpxp1530.dll
2012-02-29 14:59:54 751160 ----a-w- c:\windows\system32\hpptsp06.dll
2012-02-29 14:59:54 187960 ----a-w- c:\windows\system32\hppscancoins32.dll
2012-02-29 14:59:52 238080 ----a-w- c:\windows\system32\hpbcoins32.dll
2012-02-29 14:59:46 -------- d-----w- c:\program files\HP
2012-02-29 14:59:22 -------- d-----w- C:\M1530_MFP_Series_Basic_Solution
2012-02-23 01:19:43 -------- d-----w- c:\documents and settings\jdoyle\application data\com.adobe.DC3Module.AdobeADC
2012-02-22 20:44:01 -------- d-----w- c:\program files\Adobe InDesign CS5.5
2012-02-22 20:42:24 -------- d-----w- c:\documents and settings\jdoyle\application data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-02-22 20:42:23 -------- d-----w- c:\program files\Adobe Download Assistant
2012-02-21 20:37:23 -------- d-----w- c:\documents and settings\all users\application data\ALM
2012-02-21 20:14:28 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-21 20:14:20 -------- d-----w- c:\program files\DAEMON Tools Lite
2012-02-21 20:13:56 -------- d-----w- c:\documents and settings\jdoyle\application data\DAEMON Tools Lite
2012-02-21 20:13:52 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2012-02-21 14:40:37 -------- d-----w- c:\documents and settings\jdoyle\application data\Malwarebytes
2012-02-21 14:40:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-21 14:40:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-21 14:40:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-17 16:52:54 132768 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2012-02-17 16:52:23 28272 ----a-w- c:\windows\system32\NicCo2.dll
2012-02-15 01:26:44 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 01:26:44 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-02-28 14:13:23 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-17 18:59:16 72080 ----a-w- c:\documents and settings\jdoyle\g2mdlhlpx.exe
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 10:13:29.40 ===============



Attach.txt:



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/22/2011 5:47:16 PM
System Uptime: 2/28/2012 9:13:01 AM (25 hours ago)
.
Motherboard: Dell Inc. | | 0DR845
Processor: Intel Pentium III Xeon processor | CPU | 2992/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 127.244 GiB free.
D: is CDROM ()
E: is CDROM ()
P: is NetworkDisk (NTFS) - 2048 GiB total, 1733.656 GiB free.
Z: is NetworkDisk (NTFS) - 2048 GiB total, 1733.656 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP82: 12/1/2011 11:05:17 PM - System Checkpoint
RP83: 12/3/2011 12:05:18 AM - System Checkpoint
RP84: 12/4/2011 1:05:18 AM - System Checkpoint
RP85: 12/5/2011 2:05:18 AM - System Checkpoint
RP86: 12/6/2011 3:05:19 AM - System Checkpoint
RP87: 12/7/2011 4:05:20 AM - System Checkpoint
RP88: 12/8/2011 5:05:21 AM - System Checkpoint
RP89: 12/9/2011 6:19:52 AM - System Checkpoint
RP90: 12/10/2011 7:05:21 AM - System Checkpoint
RP91: 12/11/2011 8:05:21 AM - System Checkpoint
RP92: 12/12/2011 8:38:49 AM - System Checkpoint
RP93: 12/13/2011 9:06:27 AM - System Checkpoint
RP94: 12/14/2011 11:22:58 AM - System Checkpoint
RP95: 12/15/2011 12:38:47 PM - System Checkpoint
RP96: 12/16/2011 1:05:27 PM - System Checkpoint
RP97: 12/17/2011 2:05:27 PM - System Checkpoint
RP98: 12/18/2011 3:06:32 PM - System Checkpoint
RP99: 12/19/2011 10:17:02 AM - Software Distribution Service 3.0
RP100: 12/20/2011 10:33:21 AM - System Checkpoint
RP101: 12/21/2011 10:52:25 AM - System Checkpoint
RP102: 12/22/2011 11:02:42 AM - System Checkpoint
RP103: 12/23/2011 11:29:55 AM - System Checkpoint
RP104: 1/3/2012 12:16:37 PM - System Checkpoint
RP105: 1/4/2012 12:33:52 PM - System Checkpoint
RP106: 1/5/2012 1:26:30 PM - System Checkpoint
RP107: 1/6/2012 4:44:23 PM - System Checkpoint
RP108: 1/7/2012 5:26:32 PM - System Checkpoint
RP109: 1/8/2012 6:26:31 PM - System Checkpoint
RP110: 1/9/2012 7:26:32 PM - System Checkpoint
RP111: 1/10/2012 7:26:34 PM - System Checkpoint
RP112: 1/11/2012 1:00:12 PM - Software Distribution Service 3.0
RP113: 1/12/2012 1:37:28 PM - System Checkpoint
RP114: 1/13/2012 1:40:48 PM - System Checkpoint
RP115: 1/17/2012 9:44:42 AM - System Checkpoint
RP116: 1/18/2012 10:15:59 AM - System Checkpoint
RP117: 1/19/2012 11:47:03 AM - System Checkpoint
RP118: 1/20/2012 12:26:06 PM - System Checkpoint
RP119: 1/21/2012 12:26:08 PM - System Checkpoint
RP120: 1/22/2012 1:30:43 PM - System Checkpoint
RP121: 1/23/2012 1:46:35 PM - System Checkpoint
RP122: 1/24/2012 3:15:06 PM - System Checkpoint
RP123: 1/25/2012 3:32:31 PM - System Checkpoint
RP124: 1/26/2012 3:50:09 PM - System Checkpoint
RP125: 1/27/2012 4:26:10 PM - System Checkpoint
RP126: 1/28/2012 4:35:16 PM - System Checkpoint
RP127: 1/29/2012 5:26:10 PM - System Checkpoint
RP128: 1/30/2012 9:03:25 AM - Software Distribution Service 3.0
RP129: 1/31/2012 12:43:07 PM - System Checkpoint
RP130: 2/1/2012 12:46:49 PM - System Checkpoint
RP131: 2/2/2012 3:34:19 PM - System Checkpoint
RP132: 2/3/2012 3:46:17 PM - System Checkpoint
RP133: 2/4/2012 4:45:14 PM - System Checkpoint
RP134: 2/5/2012 5:45:13 PM - System Checkpoint
RP135: 2/6/2012 5:51:45 PM - System Checkpoint
RP136: 2/7/2012 6:45:14 PM - System Checkpoint
RP137: 2/8/2012 7:45:15 PM - System Checkpoint
RP138: 2/9/2012 7:50:59 PM - System Checkpoint
RP139: 2/10/2012 8:45:17 PM - System Checkpoint
RP140: 2/11/2012 9:46:22 PM - System Checkpoint
RP141: 2/12/2012 10:46:44 PM - System Checkpoint
RP142: 2/13/2012 11:45:18 PM - System Checkpoint
RP143: 2/15/2012 12:45:19 AM - System Checkpoint
RP144: 2/15/2012 1:00:12 PM - Software Distribution Service 3.0
RP145: 2/16/2012 1:27:16 PM - System Checkpoint
RP146: 2/17/2012 11:52:50 AM - Installed Intel® Network Connections.
RP147: 2/21/2012 10:19:31 AM - System Checkpoint
RP148: 2/22/2012 10:24:25 AM - System Checkpoint
RP149: 2/28/2012 9:32:22 AM - System Checkpoint
RP150: 2/29/2012 10:00:37 AM - Printer Driver HP LaserJet M1530 MFP Series PCL 6 Installed
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Acrobat X Standard - English, Français, Deutsch
Adobe AIR
Adobe Community Help
Adobe Content Viewer
Adobe Creative Suite 5.5 Master Collection
Adobe Download Assistant
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe InDesign CS5.5
Adobe Reader X (10.1.2)
Apple Application Support
Apple Software Update
DAEMON Tools Lite
Fonality HUD 3.0
GIMP 2.6.11
Google Chrome
Google Update Helper
Google Updater
GoToMeeting 5.1.0.873
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP LaserJet Professional M1530 MFP Series
HP LJ M1530 MFP Series HP Scan
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® Network Connections 16.8.46.0
Intel® Active Management Technology
Java Auto Updater
Java™ 6 Update 27
Jing
M.A.C.S.
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft SQL Server Management Objects Collection
Microsoft SQL Server Native Client
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 10.0 (x86 en-US)
PDF Settings CS5
PrimoPDF -- brought to you by Nitro PDF Software
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
ServiceCEO API Web Service
ServiceCEO Client
SoundMAX
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebM Media Foundation Components
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.11 (32-bit)
Wunderlist
.
==== Event Viewer Messages From Past Week ========
.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Sympxsvc service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Symantecantibotdriver service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The SMCB000 service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Safety Settings Service service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Nmea service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Avcgbfl service terminated with the following error: The specified module could not be found.
2/28/2012 9:13:33 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================


Thanks in advance for any/all help!
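As an added example (this script is not part of the thread and is not one of the tools the helper asks for), the following Python triage pulls the indicators that make this log read as ZeroAccess: the per-user Winlogon Shell pointing into `c2f7014d\X` instead of explorer.exe, three `svchost.exe -k netsvcs` services (`mbr`, `ndasbus`, `TeamViewer`) whose short names have nothing to do with their display names, the SCM 7023 "module could not be found" event for one of them, and the `$NtUninstallKB<digits>$\<digits>\U\@xxxxxxxx` directory layout that the later ComboFix output deletes. The sample log lines are excerpted verbatim from the DDS.txt and Attach.txt above; the two benign look-alike paths and all function and regex names are my own.

```python
"""Triage a DDS / ComboFix style log for ZeroAccess-family artifacts.

Added example, not a tool from the thread. Heuristics are written from the
indicators visible in the posted logs. Treat the output as leads to verify
against the registry (Winlogon\\Shell, each service's ServiceDll value), not
as a verdict.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Sample input: lines excerpted verbatim from the DDS.txt / Attach.txt above.
SAMPLE_LOG = r"""
uWinlogon: Shell=c:\documents and settings\jdoyle\local settings\application data\c2f7014d\X
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-21 652360]
S2 mbr;Omci;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ndasbus;Wanminiportservice;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 TeamViewer;Safety Settings Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Safety Settings Service service terminated with the following error: The specified module could not be found.
2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
"""

# Sample paths: the first two are from the ComboFix output later in the
# thread; the last two are constructed benign look-alikes (a genuine hotfix
# uninstall folder and a driver file) to show the matcher does not overfire.
SAMPLE_PATHS = [
    r"c:\windows\$NtUninstallKB15429$\3270967629\U\@80000000",
    r"c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@",
    r"c:\windows\$NtUninstallKB2633952$\spuninst\spuninst.exe",
    r"c:\windows\system32\drivers\mbam.sys",
]

_SHELL_RE = re.compile(r"^[umd]Winlogon:\s*Shell=(.+)$", re.I | re.M)
_SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]+);(.+?)\s+\[", re.M)
_EVT_RE = re.compile(
    r"\[7023\] - The (.+?) service terminated with the following error: "
    r"The specified module could not be found\.")
# $NtUninstallKB<digits>$\<long random number>\ is not how real hotfix
# uninstall folders are laid out (those contain spuninst\).
_ZA_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\\d{6,}\\", re.I)
# U\ or L\ subfolder holding files named @xxxxxxxx or xxxxxxxx.@ (hex).
_ZA_FILE_RE = re.compile(r"\\[UL]\\(?:@[0-9a-f]{8}|[0-9a-f]{8}\.@)$", re.I)


def _words(s):
    """Lower-case alphanumeric tokens of a name, for overlap tests."""
    return {w for w in re.split(r"[^a-z0-9]+", s.lower()) if w}


def check_winlogon_shell(text):
    """Flag a Winlogon Shell value that is anything but explorer.exe."""
    out = []
    for m in _SHELL_RE.finditer(text):
        shell = m.group(1).strip().strip('"')
        if shell.lower() != "explorer.exe":
            out.append(Finding("winlogon_shell_hijack", shell))
    return out


def check_netsvcs_services(text):
    """Flag netsvcs-hosted services whose short and display names share no token.

    In the posted log the hijacked entries (mbr/Omci, ndasbus/Wanminiportservice,
    TeamViewer/Safety Settings Service) all show this mismatch and all point at
    svchost.exe -k netsvcs, so the real payload is the ServiceDll, not the image.
    """
    out = []
    for name, display, image in _SVC_RE.findall(text):
        if "svchost.exe -k netsvcs" not in image.lower():
            continue
        if not (_words(name) & _words(display)):
            out.append(Finding("netsvcs_name_mismatch", f"{name};{display}"))
    return out


def check_missing_module_events(text):
    """Collect services the SCM could not start because their DLL is gone."""
    return [Finding("service_module_missing", m.group(1))
            for m in _EVT_RE.finditer(text)]


def check_paths(paths):
    """Flag paths laid out like the ZeroAccess dropper directories."""
    return [Finding("zeroaccess_path", p) for p in paths
            if _ZA_DIR_RE.search(p) or _ZA_FILE_RE.search(p)]


def corroborated_services(text):
    """Display names flagged by the service check AND by a 7023 event."""
    mismatched = {f.detail.split(";", 1)[1] for f in check_netsvcs_services(text)}
    missing = {f.detail for f in check_missing_module_events(text)}
    return sorted(mismatched & missing)


def triage(text, paths=()):
    """Run every check and group findings by kind."""
    report = {}
    for f in (check_winlogon_shell(text) + check_netsvcs_services(text)
              + check_missing_module_events(text) + check_paths(paths)):
        report.setdefault(f.kind, []).append(f.detail)
    report["corroborated"] = corroborated_services(text)
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG, SAMPLE_PATHS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The name-mismatch check is deliberately loose: legitimate netsvcs members can have short and display names that share no token, so each hit should be confirmed by reading the service's `Parameters\ServiceDll` value, which is what the 7023 "module could not be found" event is already telling you for the `Safety Settings Service` entry.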

#2 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 01 March 2012 - 03:02 AM

Hello and welcome

Unfortunately you have a nasty rootkit on your computer. Before starting the cleaning process, please read the following information.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#3 klouf

klouf

    New Member

  • Members
  • 15 posts

Posted 02 March 2012 - 08:09 PM

ComboFix 12-03-02.01 - Administrator 03/02/2012 20:00:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2946 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\My Documents\Downloads\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jdoyle\g2mdlhlpx.exe
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000c0.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cb.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cf.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\80000000.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000c0.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cb.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cf.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\X
c:\windows\$NtUninstallKB15429$
c:\windows\$NtUninstallKB15429$\1111118913
c:\windows\$NtUninstallKB15429$\3270967629\@
c:\windows\$NtUninstallKB15429$\3270967629\L\vewmtziv
c:\windows\$NtUninstallKB15429$\3270967629\loader.tlb
c:\windows\$NtUninstallKB15429$\3270967629\U\@00000001
c:\windows\$NtUninstallKB15429$\3270967629\U\@000000c0
c:\windows\$NtUninstallKB15429$\3270967629\U\@000000cb
c:\windows\$NtUninstallKB15429$\3270967629\U\@000000cf
c:\windows\$NtUninstallKB15429$\3270967629\U\@80000000
c:\windows\$NtUninstallKB15429$\3270967629\U\@800000c0
c:\windows\$NtUninstallKB15429$\3270967629\U\@800000cb
c:\windows\$NtUninstallKB15429$\3270967629\U\@800000cf
c:\windows\system32\
c:\windows\system32\AdobeActiveFileMonitor6.0.dll
c:\windows\system32\Afc.dll
c:\windows\system32\AFGSp50.dll
c:\windows\system32\aic78xx.dll
c:\windows\system32\antivirscheduler.dll
c:\windows\system32\aolavupd.dll
c:\windows\system32\appmgmt.dll
c:\windows\system32\as32svc.dll
c:\windows\system32\asuskeyboardservice.dll
c:\windows\system32\aswtdi.dll
c:\windows\system32\avg7core.dll
c:\windows\system32\avg7rsw.dll
c:\windows\system32\awhost32.dll
c:\windows\system32\basic2.dll
c:\windows\system32\bb-run.dll
c:\windows\system32\bits.dll
c:\windows\system32\BRGSp50.dll
c:\windows\system32\c_16631.nls
c:\windows\system32\Cache
c:\windows\system32\cd20xrnt.dll
c:\windows\system32\cpqfws2e.dll
c:\windows\system32\CTMSHD.dll
c:\windows\system32\cvintdrv.dll
c:\windows\system32\DCFS2K.dll
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\Dell1100_FUService.dll
c:\windows\system32\dlaopiom.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dot4usb.dll
c:\windows\system32\drvmcdb.dll
c:\windows\system32\epgspooler.dll
c:\windows\system32\epoxusdm.dll
c:\windows\system32\EPSON_EB_RPCV4_01.dll
c:\windows\system32\EU3_USB.dll
c:\windows\system32\evteng.dll
c:\windows\system32\Exportit.dll
c:\windows\system32\firelm01.dll
c:\windows\system32\gemserv.dll
c:\windows\system32\hidusb.dll
c:\windows\system32\hsf_msft.dll
c:\windows\system32\iaimfp4.dll
c:\windows\system32\iaimtv2.dll
c:\windows\system32\icm10blk.dll
c:\windows\system32\idrivert.dll
c:\windows\system32\imagesrv.dll
c:\windows\system32\inorpc.dll
c:\windows\system32\ipahelper.exe.dll
c:\windows\system32\ipsraidn.dll
c:\windows\system32\itchfltr.dll
c:\windows\system32\ivscheduler.dll
c:\windows\system32\jaguar.dll
c:\windows\system32\JGOGO.dll
c:\windows\system32\jobserver_report.dll
c:\windows\system32\kbfiltr.dll
c:\windows\system32\KMW_USB.dll
c:\windows\system32\lemsgt.dll
c:\windows\system32\LVPrcMon.dll
c:\windows\system32\lxby_device.dll
c:\windows\system32\lxcf_device.dll
c:\windows\system32\magictuneengine.dll
c:\windows\system32\mcods.dll
c:\windows\system32\mcshield.dll
c:\windows\system32\mozyFilter.dll
c:\windows\system32\mqdmbus.dll
c:\windows\system32\mqdmmdfl.dll
c:\windows\system32\MRESP50.dll
c:\windows\system32\MS1000.dll
c:\windows\system32\MSSQL$AUTODESKVAULT.dll
c:\windows\system32\mvdcodec.dll
c:\windows\system32\MxlW2k.dll
c:\windows\system32\mysql.dll
c:\windows\system32\Ndismeetro.dll
c:\windows\system32\neokdss.dll
c:\windows\system32\nhcDriverDevice.dll
c:\windows\system32\NVNET.dll
c:\windows\system32\omnidrv.dll
c:\windows\system32\omniusbl.dll
c:\windows\system32\oobe\msoobe.exe
c:\windows\system32\oobe\oobebaln.exe
c:\windows\system32\ooclevercacheagent.dll
c:\windows\system32\opcenum.dll
c:\windows\system32\openvpnservice.dll
c:\windows\system32\oraclewebassistant.dll
c:\windows\system32\passthru.dll
c:\windows\system32\pavdrv.dll
c:\windows\system32\pdscheduler.dll
c:\windows\system32\pelusblf.dll
c:\windows\system32\PNRPSvc.dll
c:\windows\system32\PSSdk23.dll
c:\windows\system32\ptserial.dll
c:\windows\system32\rpcapd.dll
c:\windows\system32\rt2500usb.dll
c:\windows\system32\RTSTOR.dll
c:\windows\system32\s217mdfl.dll
c:\windows\system32\s3ssavage.dll
c:\windows\system32\s716mdm.dll
c:\windows\system32\sandradatasrv.dll
c:\windows\system32\se45mdm.dll
c:\windows\system32\se59obex.dll
c:\windows\system32\sffdisk.dll
c:\windows\system32\sfusvc.dll
c:\windows\system32\shuttleengine.dll
c:\windows\system32\SiS300i.dll
c:\windows\system32\SMCB000.dll
c:\windows\system32\snoopfree.dll
c:\windows\system32\snoopfreesvc.dll
c:\windows\system32\snpstd.dll
c:\windows\system32\snpstd2.dll
c:\windows\system32\sp_clamsrv.dll
c:\windows\system32\sparrow.dll
c:\windows\system32\SPLITCAM.dll
c:\windows\system32\SQLAgent$LG_LP2.dll
c:\windows\system32\srescan.dll
c:\windows\system32\sscdmdfl.dll
c:\windows\system32\ssrtln.dll
c:\windows\system32\STEC3.dll
c:\windows\system32\StillCam.dll
c:\windows\system32\SWUMX51.dll
c:\windows\system32\symantecantibotshim.dll
c:\windows\system32\symappcore.dll
c:\windows\system32\sysmgmthp.dll
c:\windows\system32\Tb2RCAssist.dll
c:\windows\system32\tfsndrct.dll
c:\windows\system32\tnidriver.dll
c:\windows\system32\tosrfcom.dll
c:\windows\system32\tosrfhid.dll
c:\windows\system32\tpkd.dll
c:\windows\system32\TPM.dll
c:\windows\system32\transbaseservice.dll
c:\windows\system32\truecrypt.dll
c:\windows\system32\U2SP.dll
c:\windows\system32\UsbDiag.dll
c:\windows\system32\UVCFTR.dll
c:\windows\system32\VCIDRV.dll
c:\windows\system32\vet-filt.dll
c:\windows\system32\vetmonnt.dll
c:\windows\system32\w300mdfl.dll
c:\windows\system32\w810mgmt.dll
c:\windows\system32\wacomkey.dll
c:\windows\system32\wandrv.dll
c:\windows\system32\WinFl32.dll
c:\windows\system32\wlmel51b.dll
c:\windows\system32\z525obex.dll
c:\windows\system32\ZY202_XP.dll
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it :)
c:\program files\Intel\AMT\atchksrv.exe . . . is infected!!
c:\program files\Intel\AMT\atchksrv.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP130\A0016442.exe
.
Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP88\A0010865.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP148\A0021591.exe
.
Infected copy of c:\program files\Intel\AMT\LMS.exe was found and disinfected
Restored copy from - c:\program files\Intel\AMT\
.
Infected copy of c:\program files\Intel\AMT\UNS.exe was found and disinfected
Restored copy from - c:\program files\Intel\AMT\
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_aiclient
-------\Legacy_allegro
-------\Legacy_ALYac_PZSrv
-------\Legacy_ASMMAP
-------\Legacy_astcc
-------\Legacy_aswlsvc
-------\Legacy_AVerBDA
-------\Legacy_bc_prt_f
-------\Legacy_bglivesvc
-------\Legacy_bgs_sdservice
-------\Legacy_bgsvcgen
-------\Legacy_bhmonitorservice
-------\Legacy_BrPar
-------\Legacy_btnhnd
-------\Legacy_c34nb4c5
-------\Legacy_Cam5607
-------\Legacy_cicssfs.scmmc223
-------\Legacy_CTEDSPIO.DLL
-------\Legacy_ctxcpuusync
-------\Legacy_cwafadminmonitor
-------\Legacy_digisptiservice
-------\Legacy_djsnetcn
-------\Legacy_DLARTL_M
-------\Legacy_dlcg_device
-------\Legacy_dpc_srv_webcast
-------\Legacy_dsbrokerservice
-------\Legacy_fsdfwd
-------\Legacy_FTDIBUS
-------\Legacy_GMSIPCI
-------\Legacy_hpdj
-------\Legacy_hsfhwazl
-------\Legacy_hSONYPVh
-------\Legacy_hwdatacard
-------\Legacy_icollectservice
-------\Legacy_ifxtcs
-------\Legacy_ireike
-------\Legacy_lanusb
-------\Legacy_lvupdtio
-------\Legacy_ma_cmidi_installerservice
-------\Legacy_magictuneengine
-------\Legacy_MailService
-------\Legacy_MKEMUSB
-------\Legacy_mqdmbus
-------\Legacy_MREMP50
-------\Legacy_mscsptisrv
-------\Legacy_msmpsvc
-------\Legacy_mssql$sony_mediamgr
-------\Legacy_ndasbus
-------\Legacy_Ndisipo
-------\Legacy_nsctop
-------\Legacy_nvedavt
-------\Legacy_nvsmu
-------\Legacy_NWSIPX32
-------\Legacy_omniusbl
-------\Legacy_oraclesnmppeerencapsulator
-------\Legacy_papycpu2
-------\Legacy_passthru
-------\Legacy_pdlnatcm
-------\Legacy_pdlndint
-------\Legacy_pdlnslea
-------\Legacy_pdlnsx25
-------\Legacy_pmj151la
-------\Legacy_PPPoEWin
-------\Legacy_prohlp02
-------\Legacy_RIOUNIV
-------\Legacy_rnadiagnosticsservice
-------\Legacy_rsvchost
-------\Legacy_s716unic
-------\Legacy_SaiNtSub
-------\Legacy_SbcpHid
-------\Legacy_schscnt
-------\Legacy_SE2Dmdfl
-------\Legacy_SE2Dmdm
-------\Legacy_se44mgmt
-------\Legacy_SenFiltService
-------\Legacy_sfhlp01
-------\Legacy_sigfilt
-------\Legacy_Sk9920nt
-------\Legacy_Slntamr
-------\Legacy_SlWdmSup
-------\Legacy_smartwiservice
-------\Legacy_SMNDIS5
-------\Legacy_smrt
-------\Legacy_SndTDriverV32
-------\Legacy_SPLITCAM
-------\Legacy_sprtsvc_smartagent
-------\Legacy_ssm_mdm
-------\Legacy_ssscsisv
-------\Legacy_sthda
-------\Legacy_sweepsrv.sys
-------\Legacy_sympxsvc
-------\Legacy_tangoservice
-------\Legacy_tfsnpool
-------\Legacy_TMKEmu
-------\Legacy_toscosrv
-------\Legacy_trayman
-------\Legacy_tsircsrv
-------\Legacy_TuneUp.Defrag
-------\Legacy_unrealircd
-------\Legacy_upperdev
-------\Legacy_upsmonservice
-------\Legacy_USBCCID
-------\Legacy_usbsermpt
-------\Legacy_USR1806V
-------\Legacy_vcsw
-------\Legacy_w200bus
-------\Legacy_w200mdfl
-------\Legacy_w550bus
-------\Legacy_w550mgmt
-------\Legacy_W8335XP
-------\Legacy_wampapache
-------\Legacy_wlancfg
-------\Legacy_WmaCVideo32
-------\Legacy_wusb54gv2svc
-------\Legacy_XDva004
-------\Legacy_z800obex
-------\Service_aiclient
-------\Service_allegro
-------\Service_ALYac_PZSrv
-------\Service_ASMMAP
-------\Service_astcc
-------\Service_aswlsvc
-------\Service_AVerBDA
-------\Service_bc_prt_f
-------\Service_bglivesvc
-------\Service_bgs_sdservice
-------\Service_bgsvcgen
-------\Service_bhmonitorservice
-------\Service_BrPar
-------\Service_btnhnd
-------\Service_c34nb4c5
-------\Service_Cam5607
-------\Service_cicssfs.scmmc223
-------\Service_CTEDSPIO.DLL
-------\Service_ctxcpuusync
-------\Service_cwafadminmonitor
-------\Service_digisptiservice
-------\Service_djsnetcn
-------\Service_DLARTL_M
-------\Service_dlcg_device
-------\Service_dpc_srv_webcast
-------\Service_dsbrokerservice
-------\Service_fsdfwd
-------\Service_FTDIBUS
-------\Service_GMSIPCI
-------\Service_hpdj
-------\Service_hsfhwazl
-------\Service_hSONYPVh
-------\Service_hwdatacard
-------\Service_icollectservice
-------\Service_ifxtcs
-------\Service_ireike
-------\Service_lanusb
-------\Service_lvupdtio
-------\Service_ma_cmidi_installerservice
-------\Service_magictuneengine
-------\Service_MailService
-------\Service_MKEMUSB
-------\Service_mqdmbus
-------\Service_MREMP50
-------\Service_mscsptisrv
-------\Service_msmpsvc
-------\Service_mssql$sony_mediamgr
-------\Service_ndasbus
-------\Service_Ndisipo
-------\Service_nsctop
-------\Service_nvedavt
-------\Service_nvsmu
-------\Service_NWSIPX32
-------\Service_omniusbl
-------\Service_oraclesnmppeerencapsulator
-------\Service_papycpu2
-------\Service_passthru
-------\Service_pdlnatcm
-------\Service_pdlndint
-------\Service_pdlnslea
-------\Service_pdlnsx25
-------\Service_pmj151la
-------\Service_PPPoEWin
-------\Service_prohlp02
-------\Service_RIOUNIV
-------\Service_rnadiagnosticsservice
-------\Service_rsvchost
-------\Service_s716unic
-------\Service_SaiNtSub
-------\Service_SbcpHid
-------\Service_schscnt
-------\Service_SE2Dmdfl
-------\Service_SE2Dmdm
-------\Service_se44mgmt
-------\Service_SenFiltService
-------\Service_sfhlp01
-------\Service_sigfilt
-------\Service_Sk9920nt
-------\Service_Slntamr
-------\Service_SlWdmSup
-------\Service_smartwiservice
-------\Service_SMNDIS5
-------\Service_smrt
-------\Service_SndTDriverV32
-------\Service_SPLITCAM
-------\Service_sprtsvc_smartagent
-------\Service_ssm_mdm
-------\Service_ssscsisv
-------\Service_sthda
-------\Service_sweepsrv.sys
-------\Service_sympxsvc
-------\Service_tangoservice
-------\Service_tfsnpool
-------\Service_TMKEmu
-------\Service_toscosrv
-------\Service_trayman
-------\Service_tsircsrv
-------\Service_TuneUp.Defrag
-------\Service_unrealircd
-------\Service_upperdev
-------\Service_upsmonservice
-------\Service_USBCCID
-------\Service_usbsermpt
-------\Service_USR1806V
-------\Service_vcsw
-------\Service_w200bus
-------\Service_w200mdfl
-------\Service_w550bus
-------\Service_w550mgmt
-------\Service_W8335XP
-------\Service_wampapache
-------\Service_wlancfg
-------\Service_WmaCVideo32
-------\Service_wusb54gv2svc
-------\Service_XDva004
-------\Service_z800obex
.
.
((((((((((((((((((((((((( Files Created from 2012-02-03 to 2012-03-03 )))))))))))))))))))))))))))))))
.
.
2012-03-03 00:25 . 2008-04-14 04:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-29 15:01 . 2012-02-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2012-02-29 15:00 . 2012-02-29 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2012-02-29 15:00 . 2012-02-29 15:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xerox
2012-02-29 15:00 . 2010-09-23 19:05 299008 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp101.dll
2012-02-29 15:00 . 2010-09-23 19:05 176128 ----a-w- c:\windows\system32\hpcpn101.dll
2012-02-29 15:00 . 2010-09-19 20:51 167480 ----a-w- c:\windows\system32\hppccompio.dll
2012-02-29 14:59 . 2010-12-14 20:07 187960 ----a-w- c:\windows\system32\hppscancoins32.dll
2012-02-29 14:59 . 2010-12-14 20:07 751160 ----a-w- c:\windows\system32\hpptsp06.dll
2012-02-29 14:59 . 2010-12-14 20:06 755256 ----a-w- c:\windows\system32\hpxp1530.dll
2012-02-29 14:59 . 2010-12-14 20:07 238080 ----a-w- c:\windows\system32\hpbcoins32.dll
2012-02-29 14:59 . 2012-02-29 15:01 -------- d-----w- c:\program files\HP
2012-02-29 14:59 . 2012-02-29 14:59 -------- d-----w- C:\M1530_MFP_Series_Basic_Solution
2012-02-23 01:19 . 2012-02-23 01:19 -------- d-----w- c:\documents and settings\jdoyle\Application Data\com.adobe.DC3Module.AdobeADC
2012-02-22 20:44 . 2012-02-22 21:06 -------- d-----w- c:\program files\Adobe InDesign CS5.5
2012-02-22 20:42 . 2012-02-22 20:42 -------- d-----w- c:\documents and settings\jdoyle\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-02-22 20:42 . 2012-02-22 20:42 -------- d-----w- c:\program files\Adobe Download Assistant
2012-02-21 20:37 . 2012-02-21 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2012-02-21 20:35 . 2012-02-21 20:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-02-21 20:14 . 2012-02-21 20:14 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-21 20:14 . 2012-02-21 20:14 -------- d-----w- c:\program files\DAEMON Tools Lite
2012-02-21 20:13 . 2012-02-21 20:15 -------- d-----w- c:\documents and settings\jdoyle\Application Data\DAEMON Tools Lite
2012-02-21 20:13 . 2012-02-21 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2012-02-21 14:48 . 2012-02-21 14:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\documents and settings\jdoyle\Application Data\Malwarebytes
2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-21 14:40 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 16:52 . 2011-11-09 22:38 132768 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2012-02-17 16:52 . 2007-08-07 05:28 28272 ----a-w- c:\windows\system32\NicCo2.dll
2012-02-16 14:43 . 2012-02-16 14:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-15 01:26 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 01:26 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2006-03-03 22:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 05:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:00 385024 ------w- c:\windows\system32\html.iec
2012-02-16 14:28 . 2011-09-23 13:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-01-03 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HUD 3.0.lnk - c:\program files\Fonality\HUD3.0\HUD3.exe [2009-10-29 551424]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TechSmith\\Jing\\Jing.exe"=
"c:\\Program Files\\Fonality\\HUD3.0\\HUD3.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Adobe\\Acrobat 10.0\\Acrobat\\Acrobat.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\x2jobtGS.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 10.0\\Acrobat\\AcroRd32.exe"=
"c:\\Documents and Settings\\jdoyle\\Application Data\\Sun\\Java\\JRERunOnce.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Insight Direct\\ServiceCEO\\ServiceCEO.exe"=
"c:\\Documents and Settings\\jdoyle\\My Documents\\Downloads\\DTLite4453-0297.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\DTLite.exe"=
"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\core\\PDapp.exe"=
"c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"=
"c:\\Program Files\\Common Files\\Adobe AIR\\Versions\\1.0\\Resources\\Adobe AIR Updater.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS5.5\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\AAM Updates Notifier.exe"=
"c:\\Program Files\\Citrix\\GoToMeeting\\723\\g2mcomm.exe"=
"c:\\M1530_MFP_Series_Basic_Solution\\Installer\\hpbcsiServiceMarshaller.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/21/2012 3:14 PM 242240]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2/17/2012 11:52 AM 132768]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2012 9:40 AM 652360]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [9/23/2011 10:00 AM 2519040]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2012 9:40 AM 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);"c:\program files\Google\Update\GoogleUpdate.exe" /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
TeamViewer
svcwrsssdk
L8042Kbd
SPLITCAM
l8042pr2
giveio
sfhlp01
dsbrokerservice
pdlndint
aiclient
hwdatacard
w200bus
alcxwdm
ASMMAP
w200mdfl
TuneUp.Defrag
mscsptisrv
bgs_sdservice
wampapache
ALYac_PZSrv
vcomm
nvedavt
Ndisipo
hSONYPVh
CTEDSPIO.DLL
SlWdmSup
w550bus
SMNDIS5
SaiNtSub
mssql$sony_mediamgr
wusb54gv2svc
RIOUNIV
rsvchost
alim1541
wps
passthru
vcsw
MKEMUSB
MailService
oraclesnmppeerencapsulator
usbsermpt
vxd
ma_cmidi_installerservice
tmcomm
BrPar
sigfilt
NWSIPX32
smartwiservice
pdlnatcm
PPPoEWin
c34nb4c5
sympxsvc
lvupdtio
symlcbrd
procexp90
upsmonservice
allegro
cicssfs.scmmc223
ssscsisv
DLARTL_M
unrealircd
bc_prt_f
cwafadminmonitor
wlancfg
mcmispupdmgr
ssm_mdm
omniusbl
magictuneengine
bgsvcgen
dlcg_device
s716unic
ndasbus
nwlnknb
pdlnslea
aswtdi
SbcpHid
toscosrv
ireike
SenFiltService
GMSIPCI
mbr
sprtsvc_smartagent
tangoservice
vcommmgr
schscnt
hsfhwazl
nvsmu
adobeversioncue
W8335XP
aspi32
fsdfwd
Cam5607
XDva004
papycpu2
lanusb
sthda
ctxcpuusync
nsctop
upperdev
SE2Dmdm
pmj151la
sweepsrv.sys
msmpsvc
bthidenum
smrt
prohlp02
dpc_srv_webcast
FTDIBUS
USBCCID
tsircsrv
djsnetcn
hpdj
icollectservice
astcc
USR1806V
Sk9920nt
TMKEmu
se44mgmt
rnadiagnosticsservice
tfsnpool
ifxtcs
btnhnd
MREMP50
SndTDriverV32
Slntamr
bhmonitorservice
z800obex
pdlnsx25
compbatt
AVerBDA
mqdmbus
pcnet
trayman
adpu320
bglivesvc
CdaD10BA
SE2Dmdfl
digisptiservice
w550mgmt
aswlsvc
WmaCVideo32
smapint
FreeTdi
oraclewebassistant
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\AdobeAAMUpdater-1.0-MAIDPRO-jdoyle.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-02-22 13:46]
.
2012-03-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-22 00:21]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.25.15 192.168.25.10
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yha6yzvi.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-02 20:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1894398563-4205631423-612160202-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a7,96,4f,09,4f,9d,41,92,4d,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a7,96,4f,09,4f,9d,41,92,4d,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-03-02 20:08:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-03 01:08
.
Pre-Run: 136,180,600,832 bytes free
Post-Run: 136,869,265,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D416CBDF114987D2A0F86A907288412F

#4 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 03 March 2012 - 03:24 AM

That took out quite some bad stuff, how are things running now?

It looks like there is a problem with the NetSvcs value. Can you tell me approximately how long ago XP was installed on this computer?
regards, Elise

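Added example, not code from this thread, from ComboFix or from Malwarebytes: a small Python script that does two of the checks a responder would want after reading the log in post #3 and Elise's remark about the NetSvcs value in post #4. It walks a directory tree for the store layout ComboFix deleted (the 8-hex-digit folder under Local Settings\Application Data, the fake $NtUninstallKB...$ folder, the U\ directory of '@'-named slot files, the bare '@' marker and the L\ directory) and it diffs a netsvcs list against a baseline. The directory and filename patterns are generalized from the paths in the log; the XP SP3 netsvcs baseline is an assumption written from memory and must be checked against a known-clean install before it is trusted. The sample tree and the sample netsvcs list are constructed for the demo from paths and names that appear in the log.

```python
"""Flag ZeroAccess-style on-disk stores and foreign svchost netsvcs entries.

Added example; not code from the forum thread, ComboFix or Malwarebytes.
Path patterns are generalized from the ComboFix log in the thread. The XP SP3
netsvcs baseline below is an assumption and must be verified on a clean box.
"""
import os
import re
import tempfile
from pathlib import Path

HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)                      # e.g. c2f7014d
FAKE_KB = re.compile(r"^\$NtUninstallKB\d+\$$", re.I)          # e.g. $NtUninstallKB15429$
SLOT = re.compile(r"^(?:@[0-9a-f]{8}|[0-9a-f]{8}\.@)$", re.I)  # 00000001.@ or @00000001


def slot_files(store: Path):
    """Names of '@'-slot payload files inside store/U, or [] if there is no U directory."""
    u = store / "U"
    if not u.is_dir():
        return []
    return sorted(p.name for p in u.iterdir() if p.is_file() and SLOT.match(p.name))


def find_zeroaccess_artifacts(root):
    """Walk root; return (relative_path, [reasons]) for each directory that looks like a store."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        slots = slot_files(d)
        marker = "@" in filenames
        if not (slots or marker):
            continue  # a genuine hotfix backup folder trips neither check
        reasons = []
        if slots:
            reasons.append("U/ holds %d slot files" % len(slots))
        if marker:
            reasons.append("bare '@' marker file")
        if (d / "L").is_dir():
            reasons.append("L/ directory")
        if HEX8.match(d.name):
            reasons.append("8-hex-digit directory name")
        if FAKE_KB.match(d.name) or FAKE_KB.match(d.parent.name):
            reasons.append("lives in a fake $NtUninstallKB...$ folder")
        hits.append((d.relative_to(root).as_posix(), reasons))
    return hits


# Assumed default members of the XP SP3 'netsvcs' svchost group (verify on a clean install).
XP_SP3_NETSVCS = frozenset("""
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation
Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess
Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi
WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc
""".split())


def netsvcs_extras(entries, baseline=XP_SP3_NETSVCS):
    """Entries of the netsvcs REG_MULTI_SZ that are not in the baseline (case-insensitive)."""
    known = {b.lower() for b in baseline}
    return [e for e in entries if e.lower() not in known]


def build_sample_tree():
    """Constructed sample: recreates paths ComboFix deleted, plus one legitimate KB folder."""
    root = Path(tempfile.mkdtemp(prefix="za_demo_"))
    user_store = root / "Documents and Settings/jdoyle/Local Settings/Application Data/c2f7014d"
    sys_store = root / "WINDOWS/$NtUninstallKB15429$/3270967629"
    legit_kb = root / "WINDOWS/$NtUninstallKB951376$"
    (user_store / "U").mkdir(parents=True)
    for name in ("00000001.@", "000000c0.@", "800000c0.@"):
        (user_store / "U" / name).write_bytes(b"\x00")
    (user_store / "X").write_bytes(b"")
    (sys_store / "L").mkdir(parents=True)
    (sys_store / "L/vewmtziv").write_bytes(b"\x00")
    (sys_store / "U").mkdir()
    for name in ("@00000001", "@800000c0"):
        (sys_store / "U" / name).write_bytes(b"\x00")
    (sys_store / "@").write_bytes(b"")
    (sys_store / "loader.tlb").write_bytes(b"\x00")
    (legit_kb / "spuninst").mkdir(parents=True)  # what a real hotfix backup folder holds
    (legit_kb / "spuninst/spuninst.exe").write_bytes(b"MZ")
    (legit_kb / "mshtml.dll").write_bytes(b"MZ")
    return root


# A few entries from the 'NETSVCS REQUIRES REPAIRS' list in the log, constructed for the demo.
SAMPLE_NETSVCS = ["6to4", "AppMgmt", "Rasauto", "TeamViewer", "svcwrsssdk",
                  "unrealircd", "Rasman", "hkmsvc"]

if __name__ == "__main__":
    for path, why in find_zeroaccess_artifacts(build_sample_tree()):
        print(path, "->", "; ".join(why))
    print("foreign netsvcs entries:", netsvcs_extras(SAMPLE_NETSVCS))
```

To use it on a real machine, point find_zeroaccess_artifacts at the mounted system drive, preferably from a boot disc rather than the running system, since a live rootkit can hide exactly these paths, and read the netsvcs value out of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (reg query or the Recovery Console) before handing it to netsvcs_extras. The baseline diff tells you which entries are foreign; it does not tell you whether the matching service keys are still present, so check those separately.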


#5 klouf

klouf

    New Member

  • Members
  • 15 posts

Posted 03 March 2012 - 12:05 PM

Well, it seems that there are no more malicious outgoing web requests. A quick scan with MWB came up with nothing, but a full scan came up with 200+ infected items (see below). XP has been on this computer for 3-4 years, and I believe I actually reinstalled it within the past year.



Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.02.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: MP-MARKETING01 [administrator]

Protection: Enabled

3/3/2012 11:13:33 AM
mbam-log-2012-03-03 (11-13-33).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282200
Time elapsed: 28 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 292
C:\Documents and Settings\jdoyle\Application Data\Sun\Java\Deployment\cache\6.0\44\62d4346c-37229a0b (Trojan.Agent.PE3) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cb.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cf.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000c0.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\AdobeActiveFileMonitor6.0.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Afc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\AFGSp50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\aic78xx.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\antivirscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\aolavupd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\appmgmt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\as32svc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\asuskeyboardservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\aswtdi.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\avg7core.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\avg7rsw.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\awhost32.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\basic2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bb-run.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bits.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\BRGSp50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cd20xrnt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cpqfws2e.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\CTMSHD.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cvintdrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\DCFS2K.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Dell1100_FUService.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dlaopiom.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dot4usb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drvmcdb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\epoxusdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\EPSON_EB_RPCV4_01.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\EU3_USB.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\evteng.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Exportit.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\firelm01.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gemserv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hidusb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iaimfp4.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iaimtv2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\icm10blk.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\idrivert.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\imagesrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\inorpc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipahelper.exe.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipsraidn.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jaguar.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\JGOGO.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jobserver_report.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbfiltr.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\KMW_USB.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lemsgt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\LVPrcMon.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\epgspooler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hsf_msft.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\itchfltr.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxby_device.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\MS1000.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\omnidrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pelusblf.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\s716mdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\snoopfree.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sscdmdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tfsndrct.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UsbDiag.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxcf_device.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\magictuneengine.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mcods.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mcshield.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mozyFilter.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mqdmbus.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mqdmmdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\MRESP50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSSQL$AUTODESKVAULT.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mvdcodec.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\MxlW2k.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mysql.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ndismeetro.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\neokdss.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nhcDriverDevice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\NVNET.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\omniusbl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ooclevercacheagent.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opcenum.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\openvpnservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\oraclewebassistant.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\passthru.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pavdrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pdscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\PNRPSvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\PSSdk23.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ptserial.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcapd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rt2500usb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\RTSTOR.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\s217mdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\s3ssavage.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sandradatasrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\se45mdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\se59obex.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sffdisk.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sfusvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\shuttleengine.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SiS300i.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SMCB000.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\snoopfreesvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\snpstd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\snpstd2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sparrow.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SPLITCAM.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sp_clamsrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SQLAgent$LG_LP2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\srescan.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssrtln.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\STEC3.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\StillCam.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SWUMX51.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\symantecantibotshim.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\symappcore.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysmgmthp.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Tb2RCAssist.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tnidriver.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tosrfcom.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tosrfhid.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpkd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TPM.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\transbaseservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\truecrypt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\U2SP.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UVCFTR.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\VCIDRV.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vet-filt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vetmonnt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\w300mdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\w810mgmt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wacomkey.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wandrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinFl32.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wlmel51b.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\z525obex.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ZY202_XP.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP113\A0013915.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP128\A0016393.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP129\A0016435.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP140\A0016654.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP144\A0017017.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP144\A0019077.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP146\A0019243.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022111.ini (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022433.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022434.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022435.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022436.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022437.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022438.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022439.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022440.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022441.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022442.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022443.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022444.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022445.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022447.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022448.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022449.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022450.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022451.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022452.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022453.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022454.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022455.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022456.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022457.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022458.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022459.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022460.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022461.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022462.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022463.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022465.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022466.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022467.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022468.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022469.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022470.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022471.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022472.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022473.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022474.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022475.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022476.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022477.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022478.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022479.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022480.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022481.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022483.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022484.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022485.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022486.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022487.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022488.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022489.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022490.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022491.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022492.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022493.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022494.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022495.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022496.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022497.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022498.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022499.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022501.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022502.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022503.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022504.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022505.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022506.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022507.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022508.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022509.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022510.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022511.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022512.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022513.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022514.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022515.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022516.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022517.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022519.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022520.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022521.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022522.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022523.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022524.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022525.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022526.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022527.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022528.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022529.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022530.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022531.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022532.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022533.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022534.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022535.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022537.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022538.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022539.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022540.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022541.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022542.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022543.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022544.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022545.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022546.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022547.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022548.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022549.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022550.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022551.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022552.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022553.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022555.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022556.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022557.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022558.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022559.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022560.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022561.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022562.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022563.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022564.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022565.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022566.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022567.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022568.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022569.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022570.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022446.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022464.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022482.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022500.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022518.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022536.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022554.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP99\A0011102.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

#6 klouf

Posted 03 March 2012 - 12:42 PM

FYI, after letting MWB clean up, another full scan found nothing

#7 Elise

Posted 03 March 2012 - 12:59 PM

Those were already quarantined items so nothing to worry about. :)

How are things running at this point?
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#8 klouf

Posted 03 March 2012 - 01:42 PM

Everything seems good - is there anything else I need to do to clean anything up? That seemed a lot easier than it sounded it might be :)

#9 Elise

Posted 03 March 2012 - 02:02 PM

Hi, I'm glad to hear things are running okay now. :)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise



#10 klouf

Posted 03 March 2012 - 03:38 PM

C:\Documents and Settings\jdoyle\Application Data\Sun\Java\Deployment\cache\6.0\39\1bffe6a7-33d4a4ac    Java/TrojanDownloader.OpenStream.NCO trojan    deleted - quarantined
C:\Documents and Settings\jdoyle\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004c    Win32/OpenCandy application    deleted - quarantined
C:\Documents and Settings\jdoyle\My Documents\Downloads\DTLite4453-0297.exe    Win32/OpenCandy application    deleted - quarantined
C:\Documents and Settings\jdoyle\My Documents\Downloads\InternationalPrimoPDF.exe    Win32/OpenCandy application    deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\X.vir    a variant of Win32/Sirefef.DD trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\80000000.@.vir    probably a variant of Win32/Sirefef.DV trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cb.@.vir    a variant of Win32/Agent.TEO trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cf.@.vir    Win32/Sirefef.DV trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\atchksrv.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\LMS.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\UNS.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir    Win32/Sirefef.DM trojan    cleaned by deleting - quarantined


#11 Elise

Posted 03 March 2012 - 03:56 PM

Most of that was already in quarantine, which means you're good to go. :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

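The call the helper makes twice in this thread ("those were already quarantined items", "most of that was already in quarantine") is the part worth automating when a log runs to hundreds of lines: a hit whose path sits inside a System Restore snapshot, inside ComboFix's Qoobox quarantine or in a browser or Java cache is a copy nothing executes, while a hit on a file under the live system is the one that needs action. The script below is an added example, not code from the thread, from Malwarebytes or from ESET. It parses both log formats seen above (the MBAM "path (threat) -> action." line and the tab-separated ESET export; both formats are assumed from the posted samples), classifies each hit by location, and lists which restore-point folders hold copies. All sample lines but the last are taken from the logs in this thread; the last one is constructed to show how the driver hit would look if the patched file were still in place.

```python
"""Triage scanner-log hits: which detections are live and which are stale copies.

Added example, not from the thread or from Malwarebytes/ESET. Log formats are
assumed from the samples posted above: MBAM writes "<path> (<threat>) -> <action>."
and an ESET export writes "<path><TAB><threat><TAB><action>".
"""
import re

MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
ESET_RE = re.compile(r"^(?P<path>[^\t]+)\t(?P<threat>[^\t]+)\t(?P<action>.+)$")
RP_RE = re.compile(r"\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)

# (category, disposition, pattern). First match wins, so quarantine folders are
# tested before looser rules such as "\Downloads\".
#   inert    - copies kept by System Restore or a cleanup tool; nothing runs from here
#   evidence - cache entries; nothing runs from here, but they show how the box got hit
#   dormant  - a downloaded installer; harmless until someone runs it
LOCATION_RULES = [
    ("restore-point", "inert", r"^[a-z]:\\system volume information\\_restore\{"),
    ("combofix-quarantine", "inert", r"^[a-z]:\\qoobox\\quarantine\\"),
    ("java-cache", "evidence", r"\\sun\\java\\deployment\\cache\\"),
    ("browser-cache", "evidence", r"\\(?:chrome\\user data\\[^\\]+\\cache|temporary internet files)\\"),
    ("downloads", "dormant", r"\\downloads\\"),
]


def classify(path):
    """Return (category, disposition) for a detection path; anything unmatched is live."""
    for category, disposition, pattern in LOCATION_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return category, disposition
    return "live-filesystem", "live"


def parse_line(line):
    """Parse one MBAM or ESET log line into a dict, or return None for other text."""
    line = line.rstrip("\r\n")
    m = ESET_RE.match(line) or MBAM_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["category"], hit["disposition"] = classify(hit["path"])
    return hit


def triage(lines):
    """Group parsed hits by disposition. Unparsable lines (headers, '(end)') are skipped."""
    groups = {"live": [], "dormant": [], "evidence": [], "inert": []}
    for line in lines:
        hit = parse_line(line)
        if hit is not None:
            groups[hit["disposition"]].append(hit)
    return groups


def restore_points(hits):
    """Snapshot folders (RPnnn) holding copies; purging System Restore clears them in one go."""
    points = set()
    for hit in hits:
        m = RP_RE.search(hit["path"])
        if m:
            points.add(m.group(1).upper())
    return sorted(points)


# Sample input. All lines but the last are taken from the logs posted in this
# thread; the last one is constructed: the same driver hit as it would appear if
# the patched file were still in place instead of in ComboFix's quarantine.
SAMPLE_LOG = [
    r"C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022523.dll (Rootkit.0Access) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP99\A0011102.ini (Rootkit.0Access) -> Quarantined and deleted successfully.",
    "(end)",
] + ["\t".join(fields) for fields in [
    (r"C:\Documents and Settings\jdoyle\Application Data\Sun\Java\Deployment\cache\6.0\39\1bffe6a7-33d4a4ac", "Java/TrojanDownloader.OpenStream.NCO trojan", "deleted - quarantined"),
    (r"C:\Documents and Settings\jdoyle\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004c", "Win32/OpenCandy application", "deleted - quarantined"),
    (r"C:\Documents and Settings\jdoyle\My Documents\Downloads\DTLite4453-0297.exe", "Win32/OpenCandy application", "deleted - quarantined"),
    (r"C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\LMS.exe.vir", "Win32/Patched.HN trojan", "cleaned - quarantined"),
    (r"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir", "Win32/Sirefef.DM trojan", "cleaned by deleting - quarantined"),
    (r"C:\WINDOWS\system32\Drivers\serial.sys", "Win32/Sirefef.DM trojan", "unable to clean"),  # constructed
]]


if __name__ == "__main__":
    groups = triage(SAMPLE_LOG)
    for disposition in ("live", "dormant", "evidence", "inert"):
        print("%-8s %d" % (disposition, len(groups[disposition])))
        for hit in groups[disposition]:
            print("    %-20s %s" % (hit["category"], hit["path"]))
    print("restore points to purge:", ", ".join(restore_points(groups["inert"])))
```

On the thread's own logs everything lands in the inert and evidence buckets, which is the "good to go" verdict; the one constructed live line (a system driver that a scanner could not clean) is the shape of result that would instead justify the reinstall the opening post asked about. The Java cache entry is worth keeping in the evidence bucket rather than ignoring: it is the record of the exploit that brought the rest in.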


#12 klouf

Posted 03 March 2012 - 10:56 PM

Awesome - thank you for all of your help!

#13 Elise

Posted 04 March 2012 - 02:47 AM

You are most welcome! :)

I will request this topic to be closed.
regards, Elise



#14 LDTate

Posted 04 March 2012 - 07:25 AM

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
Larry Tate
Product Support
