klouf

Rootkit.0Access

14 posts in this topic

We have a computer infected with Rootkit.0Access (as well as Rootkit.ZeroAccess, not sure if that is the same) and Backdoor.Agent.Gen. Some quick reading and it seems that is a pretty nasty item. Would it just be easier to wipe the machine and start fresh or try to clean it up?

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27

Run by jdoyle at 10:13:10 on 2012-02-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.1846 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

svchost.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\IProsetMonitor.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TechSmith\Jing\Jing.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mstart.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mcomm.exe

C:\Program Files\Fonality\HUD3.0\HUD3.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mlauncher.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\zshp2600.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:jdoe@maidpro.com

uWinlogon: Shell=c:\documents and settings\jdoyle\local settings\application data\c2f7014d\X

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Jing] c:\program files\techsmith\jing\Jing.exe

uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\723\g2mstart.exe" "/Trigger RunAtLogon"

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hud30~1.lnk - c:\program files\fonality\hud3.0\HUD3.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1316728581546

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

TCP: DhcpNameServer = 192.168.25.15 192.168.25.10

TCP: Interfaces\{86B9AF4C-D92B-4707-AF62-D900EEA0BC78} : DhcpNameServer = 192.168.25.15 192.168.25.10

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jdoyle\application data\mozilla\firefox\profiles\dgz3tfui.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll

FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-21 242240]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-2-17 132768]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-21 652360]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-9-23 2523136]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-21 20464]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-29 40776]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]

S2 mbr;Omci;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 ndasbus;Wanminiportservice;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S2 TeamViewer;Safety Settings Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-22 136176]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-02-29 15:06:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-02-29 15:00:35 299008 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp101.dll

2012-02-29 15:00:35 176128 ----a-w- c:\windows\system32\hpcpn101.dll

2012-02-29 15:00:35 167480 ----a-w- c:\windows\system32\hppccompio.dll

2012-02-29 14:59:54 755256 ----a-w- c:\windows\system32\hpxp1530.dll

2012-02-29 14:59:54 751160 ----a-w- c:\windows\system32\hpptsp06.dll

2012-02-29 14:59:54 187960 ----a-w- c:\windows\system32\hppscancoins32.dll

2012-02-29 14:59:52 238080 ----a-w- c:\windows\system32\hpbcoins32.dll

2012-02-29 14:59:46 -------- d-----w- c:\program files\HP

2012-02-29 14:59:22 -------- d-----w- C:\M1530_MFP_Series_Basic_Solution

2012-02-23 01:19:43 -------- d-----w- c:\documents and settings\jdoyle\application data\com.adobe.DC3Module.AdobeADC

2012-02-22 20:44:01 -------- d-----w- c:\program files\Adobe InDesign CS5.5

2012-02-22 20:42:24 -------- d-----w- c:\documents and settings\jdoyle\application data\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-02-22 20:42:23 -------- d-----w- c:\program files\Adobe Download Assistant

2012-02-21 20:37:23 -------- d-----w- c:\documents and settings\all users\application data\ALM

2012-02-21 20:14:28 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-02-21 20:14:20 -------- d-----w- c:\program files\DAEMON Tools Lite

2012-02-21 20:13:56 -------- d-----w- c:\documents and settings\jdoyle\application data\DAEMON Tools Lite

2012-02-21 20:13:52 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite

2012-02-21 14:40:37 -------- d-----w- c:\documents and settings\jdoyle\application data\Malwarebytes

2012-02-21 14:40:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-02-21 14:40:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-21 14:40:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-17 16:52:54 132768 ----a-w- c:\windows\system32\IPROSetMonitor.exe

2012-02-17 16:52:23 28272 ----a-w- c:\windows\system32\NicCo2.dll

2012-02-15 01:26:44 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-15 01:26:44 3072 ------w- c:\windows\system32\iacenc.dll

.

==================== Find3M ====================

.

2012-02-28 14:13:23 0 --sha-w- c:\windows\system32\dds_log_trash.cmd

2012-01-17 18:59:16 72080 ----a-w- c:\documents and settings\jdoyle\g2mdlhlpx.exe

2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 10:13:29.40 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/22/2011 5:47:16 PM

System Uptime: 2/28/2012 9:13:01 AM (25 hours ago)

.

Motherboard: Dell Inc. | | 0DR845

Processor: Intel Pentium III Xeon processor | CPU | 2992/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 127.244 GiB free.

D: is CDROM ()

E: is CDROM ()

P: is NetworkDisk (NTFS) - 2048 GiB total, 1733.656 GiB free.

Z: is NetworkDisk (NTFS) - 2048 GiB total, 1733.656 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP82: 12/1/2011 11:05:17 PM - System Checkpoint

RP83: 12/3/2011 12:05:18 AM - System Checkpoint

RP84: 12/4/2011 1:05:18 AM - System Checkpoint

RP85: 12/5/2011 2:05:18 AM - System Checkpoint

RP86: 12/6/2011 3:05:19 AM - System Checkpoint

RP87: 12/7/2011 4:05:20 AM - System Checkpoint

RP88: 12/8/2011 5:05:21 AM - System Checkpoint

RP89: 12/9/2011 6:19:52 AM - System Checkpoint

RP90: 12/10/2011 7:05:21 AM - System Checkpoint

RP91: 12/11/2011 8:05:21 AM - System Checkpoint

RP92: 12/12/2011 8:38:49 AM - System Checkpoint

RP93: 12/13/2011 9:06:27 AM - System Checkpoint

RP94: 12/14/2011 11:22:58 AM - System Checkpoint

RP95: 12/15/2011 12:38:47 PM - System Checkpoint

RP96: 12/16/2011 1:05:27 PM - System Checkpoint

RP97: 12/17/2011 2:05:27 PM - System Checkpoint

RP98: 12/18/2011 3:06:32 PM - System Checkpoint

RP99: 12/19/2011 10:17:02 AM - Software Distribution Service 3.0

RP100: 12/20/2011 10:33:21 AM - System Checkpoint

RP101: 12/21/2011 10:52:25 AM - System Checkpoint

RP102: 12/22/2011 11:02:42 AM - System Checkpoint

RP103: 12/23/2011 11:29:55 AM - System Checkpoint

RP104: 1/3/2012 12:16:37 PM - System Checkpoint

RP105: 1/4/2012 12:33:52 PM - System Checkpoint

RP106: 1/5/2012 1:26:30 PM - System Checkpoint

RP107: 1/6/2012 4:44:23 PM - System Checkpoint

RP108: 1/7/2012 5:26:32 PM - System Checkpoint

RP109: 1/8/2012 6:26:31 PM - System Checkpoint

RP110: 1/9/2012 7:26:32 PM - System Checkpoint

RP111: 1/10/2012 7:26:34 PM - System Checkpoint

RP112: 1/11/2012 1:00:12 PM - Software Distribution Service 3.0

RP113: 1/12/2012 1:37:28 PM - System Checkpoint

RP114: 1/13/2012 1:40:48 PM - System Checkpoint

RP115: 1/17/2012 9:44:42 AM - System Checkpoint

RP116: 1/18/2012 10:15:59 AM - System Checkpoint

RP117: 1/19/2012 11:47:03 AM - System Checkpoint

RP118: 1/20/2012 12:26:06 PM - System Checkpoint

RP119: 1/21/2012 12:26:08 PM - System Checkpoint

RP120: 1/22/2012 1:30:43 PM - System Checkpoint

RP121: 1/23/2012 1:46:35 PM - System Checkpoint

RP122: 1/24/2012 3:15:06 PM - System Checkpoint

RP123: 1/25/2012 3:32:31 PM - System Checkpoint

RP124: 1/26/2012 3:50:09 PM - System Checkpoint

RP125: 1/27/2012 4:26:10 PM - System Checkpoint

RP126: 1/28/2012 4:35:16 PM - System Checkpoint

RP127: 1/29/2012 5:26:10 PM - System Checkpoint

RP128: 1/30/2012 9:03:25 AM - Software Distribution Service 3.0

RP129: 1/31/2012 12:43:07 PM - System Checkpoint

RP130: 2/1/2012 12:46:49 PM - System Checkpoint

RP131: 2/2/2012 3:34:19 PM - System Checkpoint

RP132: 2/3/2012 3:46:17 PM - System Checkpoint

RP133: 2/4/2012 4:45:14 PM - System Checkpoint

RP134: 2/5/2012 5:45:13 PM - System Checkpoint

RP135: 2/6/2012 5:51:45 PM - System Checkpoint

RP136: 2/7/2012 6:45:14 PM - System Checkpoint

RP137: 2/8/2012 7:45:15 PM - System Checkpoint

RP138: 2/9/2012 7:50:59 PM - System Checkpoint

RP139: 2/10/2012 8:45:17 PM - System Checkpoint

RP140: 2/11/2012 9:46:22 PM - System Checkpoint

RP141: 2/12/2012 10:46:44 PM - System Checkpoint

RP142: 2/13/2012 11:45:18 PM - System Checkpoint

RP143: 2/15/2012 12:45:19 AM - System Checkpoint

RP144: 2/15/2012 1:00:12 PM - Software Distribution Service 3.0

RP145: 2/16/2012 1:27:16 PM - System Checkpoint

RP146: 2/17/2012 11:52:50 AM - Installed Intel® Network Connections.

RP147: 2/21/2012 10:19:31 AM - System Checkpoint

RP148: 2/22/2012 10:24:25 AM - System Checkpoint

RP149: 2/28/2012 9:32:22 AM - System Checkpoint

RP150: 2/29/2012 10:00:37 AM - Printer Driver HP LaserJet M1530 MFP Series PCL 6 Installed

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Adobe Acrobat X Standard - English, Français, Deutsch

Adobe AIR

Adobe Community Help

Adobe Content Viewer

Adobe Creative Suite 5.5 Master Collection

Adobe Download Assistant

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe InDesign CS5.5

Adobe Reader X (10.1.2)

Apple Application Support

Apple Software Update

DAEMON Tools Lite

Fonality HUD 3.0

GIMP 2.6.11

Google Chrome

Google Update Helper

Google Updater

GoToMeeting 5.1.0.873

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

HP LaserJet Professional M1530 MFP Series

HP LJ M1530 MFP Series HP Scan

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Interface

Intel® Network Connections 16.8.46.0

Intel® Active Management Technology

Java Auto Updater

Java 6 Update 27

Jing

M.A.C.S.

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Business 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Software Update for Web Folders (English) 14

Microsoft SQL Server Management Objects Collection

Microsoft SQL Server Native Client

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_CRT_x86

Microsoft_VC90_MFC_x86

Microsoft_VC90_MFCLOC_x86

Mozilla Firefox 10.0 (x86 en-US)

PDF Settings CS5

PrimoPDF -- brought to you by Nitro PDF Software

QuickTime

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2124261)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2290570)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544521)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2559049)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB970483)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

ServiceCEO API Web Service

ServiceCEO Client

SoundMAX

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

Update for Windows XP (KB943729)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

WebM Media Foundation Components

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR 4.11 (32-bit)

Wunderlist

.

==== Event Viewer Messages From Past Week ========

.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Sympxsvc service terminated with the following error: The specified module could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Symantecantibotdriver service terminated with the following error: The specified module could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The SMCB000 service terminated with the following error: The specified module could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Safety Settings Service service terminated with the following error: The specified module could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Nmea service terminated with the following error: The specified module could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

2/28/2012 9:15:00 AM, error: Service Control Manager [7023] - The Avcgbfl service terminated with the following error: The specified module could not be found.

2/28/2012 9:13:33 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

.

==== End Of File ===========================

Thanks in advance for any/all help!

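The DDS "Pseudo HJT Report" above can be triaged mechanically before anyone decides between cleaning and reformatting. The script below is an added example, not part of this thread and not code from the DDS or ComboFix tools. It parses the Winlogon and Run-key lines, flags a Winlogon Shell value that is not explorer.exe (the entry above points the shell at ...\c2f7014d\X, the directory ComboFix removes later in the thread) and flags autoruns launched from user-writable profile directories. The sample lines are copied from the log above except the [updater] line, which is constructed; the function names, the severity labels and the USER_WRITABLE heuristic are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Sample input: lines copied from the DDS "Pseudo HJT Report" posted above, plus
# one constructed autorun entry (the [updater] line) to exercise the
# user-writable-directory check. The path under c2f7014d is the one ComboFix
# removes later in the thread.
SAMPLE_DDS = r"""
uWinlogon: Shell=c:\documents and settings\jdoyle\local settings\application data\c2f7014d\X
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [updater] c:\documents and settings\jdoyle\application data\example\updater.exe
"""

# Profile directories a standard user can write to. An autorun launched from
# one of these is not proof of infection, only a reason to look closer
# (heuristic of my own, not a DDS rule).
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")

_WINLOGON = re.compile(r"^[um]Winlogon:\s*Shell=(.*)$", re.I)
_RUN = re.compile(r"^[umd]Run:\s*\[(.*?)\]\s*(.*)$", re.I)
_FIRST_EXE = re.compile(r"^(.*?\.(?:exe|dll|cmd|bat|scr|vbs|js|pif|com))(?:\s|$)", re.I)


def command_target(cmd):
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):                # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _FIRST_EXE.match(cmd)              # unquoted path with spaces: stop at the extension
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(text):
    """Scan DDS Pseudo-HJT lines; return (severity, reason, detail) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _WINLOGON.match(line)
        if m:
            # The Winlogon Shell value should be explorer.exe. Anything else means
            # the shell has been replaced or chained, which is how the entry above
            # launches c2f7014d\X at every logon.
            for entry in m.group(1).split(","):
                entry = entry.strip().strip('"')
                if PureWindowsPath(entry).name.lower() != "explorer.exe":
                    findings.append(("high", "Winlogon Shell is not explorer.exe", entry))
            continue
        m = _RUN.match(line)
        if m:
            name, target = m.group(1), command_target(m.group(2))
            if not target:
                # DDS shows an autorun with no command; the Run key itself needs a look.
                findings.append(("info", f"autorun [{name}] has no readable command", line))
            elif any(d in target.lower() for d in USER_WRITABLE):
                findings.append(("medium", f"autorun [{name}] launches from a user-writable directory", target))
    return findings


if __name__ == "__main__":
    for severity, reason, detail in triage_hjt(SAMPLE_DDS):
        print(f"[{severity}] {reason}: {detail}")
```

Run against the sample it reports the shell replacement as high, the empty `[<NO NAME>]` entry as info and the constructed profile-directory autorun as medium; the program-files and system32 entries are left alone. The Shell check is the one worth keeping in any triage checklist: on this machine it alone identifies the rootkit's logon persistence.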

Hello and welcome.

Unfortunately you have a nasty rootkit on your computer. Before starting the cleaning process, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


ComboFix 12-03-02.01 - Administrator 03/02/2012 20:00:54.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2946 [GMT -5:00]

Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\My Documents\Downloads\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\jdoyle\g2mdlhlpx.exe

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000c0.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cb.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cf.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\80000000.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000c0.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cb.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cf.@

c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\X

c:\windows\$NtUninstallKB15429$

c:\windows\$NtUninstallKB15429$\1111118913

c:\windows\$NtUninstallKB15429$\3270967629\@

c:\windows\$NtUninstallKB15429$\3270967629\L\vewmtziv

c:\windows\$NtUninstallKB15429$\3270967629\loader.tlb

c:\windows\$NtUninstallKB15429$\3270967629\U\@00000001

c:\windows\$NtUninstallKB15429$\3270967629\U\@000000c0

c:\windows\$NtUninstallKB15429$\3270967629\U\@000000cb

c:\windows\$NtUninstallKB15429$\3270967629\U\@000000cf

c:\windows\$NtUninstallKB15429$\3270967629\U\@80000000

c:\windows\$NtUninstallKB15429$\3270967629\U\@800000c0

c:\windows\$NtUninstallKB15429$\3270967629\U\@800000cb

c:\windows\$NtUninstallKB15429$\3270967629\U\@800000cf

c:\windows\system32\

c:\windows\system32\AdobeActiveFileMonitor6.0.dll

c:\windows\system32\Afc.dll

c:\windows\system32\AFGSp50.dll

c:\windows\system32\aic78xx.dll

c:\windows\system32\antivirscheduler.dll

c:\windows\system32\aolavupd.dll

c:\windows\system32\appmgmt.dll

c:\windows\system32\as32svc.dll

c:\windows\system32\asuskeyboardservice.dll

c:\windows\system32\aswtdi.dll

c:\windows\system32\avg7core.dll

c:\windows\system32\avg7rsw.dll

c:\windows\system32\awhost32.dll

c:\windows\system32\basic2.dll

c:\windows\system32\bb-run.dll

c:\windows\system32\bits.dll

c:\windows\system32\BRGSp50.dll

c:\windows\system32\c_16631.nls

c:\windows\system32\Cache

c:\windows\system32\cd20xrnt.dll

c:\windows\system32\cpqfws2e.dll

c:\windows\system32\CTMSHD.dll

c:\windows\system32\cvintdrv.dll

c:\windows\system32\DCFS2K.dll

c:\windows\system32\dds_log_trash.cmd

c:\windows\system32\Dell1100_FUService.dll

c:\windows\system32\dlaopiom.dll

c:\windows\system32\dllcache\dlimport.exe

c:\windows\system32\dot4usb.dll

c:\windows\system32\drvmcdb.dll

c:\windows\system32\epgspooler.dll

c:\windows\system32\epoxusdm.dll

c:\windows\system32\EPSON_EB_RPCV4_01.dll

c:\windows\system32\EU3_USB.dll

c:\windows\system32\evteng.dll

c:\windows\system32\Exportit.dll

c:\windows\system32\firelm01.dll

c:\windows\system32\gemserv.dll

c:\windows\system32\hidusb.dll

c:\windows\system32\hsf_msft.dll

c:\windows\system32\iaimfp4.dll

c:\windows\system32\iaimtv2.dll

c:\windows\system32\icm10blk.dll

c:\windows\system32\idrivert.dll

c:\windows\system32\imagesrv.dll

c:\windows\system32\inorpc.dll

c:\windows\system32\ipahelper.exe.dll

c:\windows\system32\ipsraidn.dll

c:\windows\system32\itchfltr.dll

c:\windows\system32\ivscheduler.dll

c:\windows\system32\jaguar.dll

c:\windows\system32\JGOGO.dll

c:\windows\system32\jobserver_report.dll

c:\windows\system32\kbfiltr.dll

c:\windows\system32\KMW_USB.dll

c:\windows\system32\lemsgt.dll

c:\windows\system32\LVPrcMon.dll

c:\windows\system32\lxby_device.dll

c:\windows\system32\lxcf_device.dll

c:\windows\system32\magictuneengine.dll

c:\windows\system32\mcods.dll

c:\windows\system32\mcshield.dll

c:\windows\system32\mozyFilter.dll

c:\windows\system32\mqdmbus.dll

c:\windows\system32\mqdmmdfl.dll

c:\windows\system32\MRESP50.dll

c:\windows\system32\MS1000.dll

c:\windows\system32\MSSQL$AUTODESKVAULT.dll

c:\windows\system32\mvdcodec.dll

c:\windows\system32\MxlW2k.dll

c:\windows\system32\mysql.dll

c:\windows\system32\Ndismeetro.dll

c:\windows\system32\neokdss.dll

c:\windows\system32\nhcDriverDevice.dll

c:\windows\system32\NVNET.dll

c:\windows\system32\omnidrv.dll

c:\windows\system32\omniusbl.dll

c:\windows\system32\oobe\msoobe.exe

c:\windows\system32\oobe\oobebaln.exe

c:\windows\system32\ooclevercacheagent.dll

c:\windows\system32\opcenum.dll

c:\windows\system32\openvpnservice.dll

c:\windows\system32\oraclewebassistant.dll

c:\windows\system32\passthru.dll

c:\windows\system32\pavdrv.dll

c:\windows\system32\pdscheduler.dll

c:\windows\system32\pelusblf.dll

c:\windows\system32\PNRPSvc.dll

c:\windows\system32\PSSdk23.dll

c:\windows\system32\ptserial.dll

c:\windows\system32\rpcapd.dll

c:\windows\system32\rt2500usb.dll

c:\windows\system32\RTSTOR.dll

c:\windows\system32\s217mdfl.dll

c:\windows\system32\s3ssavage.dll

c:\windows\system32\s716mdm.dll

c:\windows\system32\sandradatasrv.dll

c:\windows\system32\se45mdm.dll

c:\windows\system32\se59obex.dll

c:\windows\system32\sffdisk.dll

c:\windows\system32\sfusvc.dll

c:\windows\system32\shuttleengine.dll

c:\windows\system32\SiS300i.dll

c:\windows\system32\SMCB000.dll

c:\windows\system32\snoopfree.dll

c:\windows\system32\snoopfreesvc.dll

c:\windows\system32\snpstd.dll

c:\windows\system32\snpstd2.dll

c:\windows\system32\sp_clamsrv.dll

c:\windows\system32\sparrow.dll

c:\windows\system32\SPLITCAM.dll

c:\windows\system32\SQLAgent$LG_LP2.dll

c:\windows\system32\srescan.dll

c:\windows\system32\sscdmdfl.dll

c:\windows\system32\ssrtln.dll

c:\windows\system32\STEC3.dll

c:\windows\system32\StillCam.dll

c:\windows\system32\SWUMX51.dll

c:\windows\system32\symantecantibotshim.dll

c:\windows\system32\symappcore.dll

c:\windows\system32\sysmgmthp.dll

c:\windows\system32\Tb2RCAssist.dll

c:\windows\system32\tfsndrct.dll

c:\windows\system32\tnidriver.dll

c:\windows\system32\tosrfcom.dll

c:\windows\system32\tosrfhid.dll

c:\windows\system32\tpkd.dll

c:\windows\system32\TPM.dll

c:\windows\system32\transbaseservice.dll

c:\windows\system32\truecrypt.dll

c:\windows\system32\U2SP.dll

c:\windows\system32\UsbDiag.dll

c:\windows\system32\UVCFTR.dll

c:\windows\system32\VCIDRV.dll

c:\windows\system32\vet-filt.dll

c:\windows\system32\vetmonnt.dll

c:\windows\system32\w300mdfl.dll

c:\windows\system32\w810mgmt.dll

c:\windows\system32\wacomkey.dll

c:\windows\system32\wandrv.dll

c:\windows\system32\WinFl32.dll

c:\windows\system32\wlmel51b.dll

c:\windows\system32\z525obex.dll

c:\windows\system32\ZY202_XP.dll

.

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected

Restored copy from - The cat found it :)

c:\program files\Intel\AMT\atchksrv.exe . . . is infected!!

c:\program files\Intel\AMT\atchksrv.exe . . . was deleted!! You should re-install the program it pertains to

.

Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP130\A0016442.exe

.

Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP88\A0010865.exe

.

Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP148\A0021591.exe

.

Infected copy of c:\program files\Intel\AMT\LMS.exe was found and disinfected

Restored copy from - c:\program files\Intel\AMT\

.

Infected copy of c:\program files\Intel\AMT\UNS.exe was found and disinfected

Restored copy from - c:\program files\Intel\AMT\

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_aiclient

-------\Legacy_allegro

-------\Legacy_ALYac_PZSrv

-------\Legacy_ASMMAP

-------\Legacy_astcc

-------\Legacy_aswlsvc

-------\Legacy_AVerBDA

-------\Legacy_bc_prt_f

-------\Legacy_bglivesvc

-------\Legacy_bgs_sdservice

-------\Legacy_bgsvcgen

-------\Legacy_bhmonitorservice

-------\Legacy_BrPar

-------\Legacy_btnhnd

-------\Legacy_c34nb4c5

-------\Legacy_Cam5607

-------\Legacy_cicssfs.scmmc223

-------\Legacy_CTEDSPIO.DLL

-------\Legacy_ctxcpuusync

-------\Legacy_cwafadminmonitor

-------\Legacy_digisptiservice

-------\Legacy_djsnetcn

-------\Legacy_DLARTL_M

-------\Legacy_dlcg_device

-------\Legacy_dpc_srv_webcast

-------\Legacy_dsbrokerservice

-------\Legacy_fsdfwd

-------\Legacy_FTDIBUS

-------\Legacy_GMSIPCI

-------\Legacy_hpdj

-------\Legacy_hsfhwazl

-------\Legacy_hSONYPVh

-------\Legacy_hwdatacard

-------\Legacy_icollectservice

-------\Legacy_ifxtcs

-------\Legacy_ireike

-------\Legacy_lanusb

-------\Legacy_lvupdtio

-------\Legacy_ma_cmidi_installerservice

-------\Legacy_magictuneengine

-------\Legacy_MailService

-------\Legacy_MKEMUSB

-------\Legacy_mqdmbus

-------\Legacy_MREMP50

-------\Legacy_mscsptisrv

-------\Legacy_msmpsvc

-------\Legacy_mssql$sony_mediamgr

-------\Legacy_ndasbus

-------\Legacy_Ndisipo

-------\Legacy_nsctop

-------\Legacy_nvedavt

-------\Legacy_nvsmu

-------\Legacy_NWSIPX32

-------\Legacy_omniusbl

-------\Legacy_oraclesnmppeerencapsulator

-------\Legacy_papycpu2

-------\Legacy_passthru

-------\Legacy_pdlnatcm

-------\Legacy_pdlndint

-------\Legacy_pdlnslea

-------\Legacy_pdlnsx25

-------\Legacy_pmj151la

-------\Legacy_PPPoEWin

-------\Legacy_prohlp02

-------\Legacy_RIOUNIV

-------\Legacy_rnadiagnosticsservice

-------\Legacy_rsvchost

-------\Legacy_s716unic

-------\Legacy_SaiNtSub

-------\Legacy_SbcpHid

-------\Legacy_schscnt

-------\Legacy_SE2Dmdfl

-------\Legacy_SE2Dmdm

-------\Legacy_se44mgmt

-------\Legacy_SenFiltService

-------\Legacy_sfhlp01

-------\Legacy_sigfilt

-------\Legacy_Sk9920nt

-------\Legacy_Slntamr

-------\Legacy_SlWdmSup

-------\Legacy_smartwiservice

-------\Legacy_SMNDIS5

-------\Legacy_smrt

-------\Legacy_SndTDriverV32

-------\Legacy_SPLITCAM

-------\Legacy_sprtsvc_smartagent

-------\Legacy_ssm_mdm

-------\Legacy_ssscsisv

-------\Legacy_sthda

-------\Legacy_sweepsrv.sys

-------\Legacy_sympxsvc

-------\Legacy_tangoservice

-------\Legacy_tfsnpool

-------\Legacy_TMKEmu

-------\Legacy_toscosrv

-------\Legacy_trayman

-------\Legacy_tsircsrv

-------\Legacy_TuneUp.Defrag

-------\Legacy_unrealircd

-------\Legacy_upperdev

-------\Legacy_upsmonservice

-------\Legacy_USBCCID

-------\Legacy_usbsermpt

-------\Legacy_USR1806V

-------\Legacy_vcsw

-------\Legacy_w200bus

-------\Legacy_w200mdfl

-------\Legacy_w550bus

-------\Legacy_w550mgmt

-------\Legacy_W8335XP

-------\Legacy_wampapache

-------\Legacy_wlancfg

-------\Legacy_WmaCVideo32

-------\Legacy_wusb54gv2svc

-------\Legacy_XDva004

-------\Legacy_z800obex

-------\Service_aiclient

-------\Service_allegro

-------\Service_ALYac_PZSrv

-------\Service_ASMMAP

-------\Service_astcc

-------\Service_aswlsvc

-------\Service_AVerBDA

-------\Service_bc_prt_f

-------\Service_bglivesvc

-------\Service_bgs_sdservice

-------\Service_bgsvcgen

-------\Service_bhmonitorservice

-------\Service_BrPar

-------\Service_btnhnd

-------\Service_c34nb4c5

-------\Service_Cam5607

-------\Service_cicssfs.scmmc223

-------\Service_CTEDSPIO.DLL

-------\Service_ctxcpuusync

-------\Service_cwafadminmonitor

-------\Service_digisptiservice

-------\Service_djsnetcn

-------\Service_DLARTL_M

-------\Service_dlcg_device

-------\Service_dpc_srv_webcast

-------\Service_dsbrokerservice

-------\Service_fsdfwd

-------\Service_FTDIBUS

-------\Service_GMSIPCI

-------\Service_hpdj

-------\Service_hsfhwazl

-------\Service_hSONYPVh

-------\Service_hwdatacard

-------\Service_icollectservice

-------\Service_ifxtcs

-------\Service_ireike

-------\Service_lanusb

-------\Service_lvupdtio

-------\Service_ma_cmidi_installerservice

-------\Service_magictuneengine

-------\Service_MailService

-------\Service_MKEMUSB

-------\Service_mqdmbus

-------\Service_MREMP50

-------\Service_mscsptisrv

-------\Service_msmpsvc

-------\Service_mssql$sony_mediamgr

-------\Service_ndasbus

-------\Service_Ndisipo

-------\Service_nsctop

-------\Service_nvedavt

-------\Service_nvsmu

-------\Service_NWSIPX32

-------\Service_omniusbl

-------\Service_oraclesnmppeerencapsulator

-------\Service_papycpu2

-------\Service_passthru

-------\Service_pdlnatcm

-------\Service_pdlndint

-------\Service_pdlnslea

-------\Service_pdlnsx25

-------\Service_pmj151la

-------\Service_PPPoEWin

-------\Service_prohlp02

-------\Service_RIOUNIV

-------\Service_rnadiagnosticsservice

-------\Service_rsvchost

-------\Service_s716unic

-------\Service_SaiNtSub

-------\Service_SbcpHid

-------\Service_schscnt

-------\Service_SE2Dmdfl

-------\Service_SE2Dmdm

-------\Service_se44mgmt

-------\Service_SenFiltService

-------\Service_sfhlp01

-------\Service_sigfilt

-------\Service_Sk9920nt

-------\Service_Slntamr

-------\Service_SlWdmSup

-------\Service_smartwiservice

-------\Service_SMNDIS5

-------\Service_smrt

-------\Service_SndTDriverV32

-------\Service_SPLITCAM

-------\Service_sprtsvc_smartagent

-------\Service_ssm_mdm

-------\Service_ssscsisv

-------\Service_sthda

-------\Service_sweepsrv.sys

-------\Service_sympxsvc

-------\Service_tangoservice

-------\Service_tfsnpool

-------\Service_TMKEmu

-------\Service_toscosrv

-------\Service_trayman

-------\Service_tsircsrv

-------\Service_TuneUp.Defrag

-------\Service_unrealircd

-------\Service_upperdev

-------\Service_upsmonservice

-------\Service_USBCCID

-------\Service_usbsermpt

-------\Service_USR1806V

-------\Service_vcsw

-------\Service_w200bus

-------\Service_w200mdfl

-------\Service_w550bus

-------\Service_w550mgmt

-------\Service_W8335XP

-------\Service_wampapache

-------\Service_wlancfg

-------\Service_WmaCVideo32

-------\Service_wusb54gv2svc

-------\Service_XDva004

-------\Service_z800obex

.

.

((((((((((((((((((((((((( Files Created from 2012-02-03 to 2012-03-03 )))))))))))))))))))))))))))))))

.

.

2012-03-03 00:25 . 2008-04-14 04:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2012-02-29 15:01 . 2012-02-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2012-02-29 15:00 . 2012-02-29 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2012-02-29 15:00 . 2012-02-29 15:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xerox

2012-02-29 15:00 . 2010-09-23 19:05 299008 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp101.dll

2012-02-29 15:00 . 2010-09-23 19:05 176128 ----a-w- c:\windows\system32\hpcpn101.dll

2012-02-29 15:00 . 2010-09-19 20:51 167480 ----a-w- c:\windows\system32\hppccompio.dll

2012-02-29 14:59 . 2010-12-14 20:07 187960 ----a-w- c:\windows\system32\hppscancoins32.dll

2012-02-29 14:59 . 2010-12-14 20:07 751160 ----a-w- c:\windows\system32\hpptsp06.dll

2012-02-29 14:59 . 2010-12-14 20:06 755256 ----a-w- c:\windows\system32\hpxp1530.dll

2012-02-29 14:59 . 2010-12-14 20:07 238080 ----a-w- c:\windows\system32\hpbcoins32.dll

2012-02-29 14:59 . 2012-02-29 15:01 -------- d-----w- c:\program files\HP

2012-02-29 14:59 . 2012-02-29 14:59 -------- d-----w- C:\M1530_MFP_Series_Basic_Solution

2012-02-23 01:19 . 2012-02-23 01:19 -------- d-----w- c:\documents and settings\jdoyle\Application Data\com.adobe.DC3Module.AdobeADC

2012-02-22 20:44 . 2012-02-22 21:06 -------- d-----w- c:\program files\Adobe InDesign CS5.5

2012-02-22 20:42 . 2012-02-22 20:42 -------- d-----w- c:\documents and settings\jdoyle\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-02-22 20:42 . 2012-02-22 20:42 -------- d-----w- c:\program files\Adobe Download Assistant

2012-02-21 20:37 . 2012-02-21 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM

2012-02-21 20:35 . 2012-02-21 20:35 -------- d-----w- c:\program files\Common Files\Adobe AIR

2012-02-21 20:14 . 2012-02-21 20:14 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-02-21 20:14 . 2012-02-21 20:14 -------- d-----w- c:\program files\DAEMON Tools Lite

2012-02-21 20:13 . 2012-02-21 20:15 -------- d-----w- c:\documents and settings\jdoyle\Application Data\DAEMON Tools Lite

2012-02-21 20:13 . 2012-02-21 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2012-02-21 14:48 . 2012-02-21 14:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\documents and settings\jdoyle\Application Data\Malwarebytes

2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-21 14:40 . 2012-02-21 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-21 14:40 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-17 16:52 . 2011-11-09 22:38 132768 ----a-w- c:\windows\system32\IPROSetMonitor.exe

2012-02-17 16:52 . 2007-08-07 05:28 28272 ----a-w- c:\windows\system32\NicCo2.dll

2012-02-16 14:43 . 2012-02-16 14:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-02-15 01:26 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-15 01:26 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-12 16:53 . 2004-08-04 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2006-03-03 22:33 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2004-08-04 05:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22 . 2004-08-04 05:00 385024 ------w- c:\windows\system32\html.iec

2012-02-16 14:28 . 2011-09-23 13:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-01-03 36760]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]

"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HUD 3.0.lnk - c:\program files\Fonality\HUD3.0\HUD3.exe [2009-10-29 551424]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TechSmith\\Jing\\Jing.exe"=

"c:\\Program Files\\Fonality\\HUD3.0\\HUD3.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=

"c:\\Program Files\\Adobe\\Acrobat 10.0\\Acrobat\\Acrobat.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\x2jobtGS.exe"=

"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"c:\\WINDOWS\\system32\\WgaTray.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=

"c:\\Program Files\\Adobe\\Acrobat 10.0\\Acrobat\\AcroRd32.exe"=

"c:\\Documents and Settings\\jdoyle\\Application Data\\Sun\\Java\\JRERunOnce.exe"=

"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Insight Direct\\ServiceCEO\\ServiceCEO.exe"=

"c:\\Documents and Settings\\jdoyle\\My Documents\\Downloads\\DTLite4453-0297.exe"=

"c:\\Program Files\\DAEMON Tools Lite\\DTLite.exe"=

"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\core\\PDapp.exe"=

"c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"=

"c:\\Program Files\\Common Files\\Adobe AIR\\Versions\\1.0\\Resources\\Adobe AIR Updater.exe"=

"c:\\Program Files\\Adobe\\Adobe Device Central CS5.5\\DeviceCentral.exe"=

"c:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\AAM Updates Notifier.exe"=

"c:\\Program Files\\Citrix\\GoToMeeting\\723\\g2mcomm.exe"=

"c:\\M1530_MFP_Series_Basic_Solution\\Installer\\hpbcsiServiceMarshaller.exe"=

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/21/2012 3:14 PM 242240]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2/17/2012 11:52 AM 132768]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2012 9:40 AM 652360]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [9/23/2011 10:00 AM 2519040]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2012 9:40 AM 20464]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 gupdatem;Google Update Service (gupdatem);"c:\program files\Google\Update\GoogleUpdate.exe" /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

NETSVCS REQUIRES REPAIRS - current entries shown

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

ERSvc

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Messenger

Netman

Nla

Ntmssvc

NWCWorkstation

Nwsapagent

Rasauto

TeamViewer

svcwrsssdk

L8042Kbd

SPLITCAM

l8042pr2

giveio

sfhlp01

dsbrokerservice

pdlndint

aiclient

hwdatacard

w200bus

alcxwdm

ASMMAP

w200mdfl

TuneUp.Defrag

mscsptisrv

bgs_sdservice

wampapache

ALYac_PZSrv

vcomm

nvedavt

Ndisipo

hSONYPVh

CTEDSPIO.DLL

SlWdmSup

w550bus

SMNDIS5

SaiNtSub

mssql$sony_mediamgr

wusb54gv2svc

RIOUNIV

rsvchost

alim1541

wps

passthru

vcsw

MKEMUSB

MailService

oraclesnmppeerencapsulator

usbsermpt

vxd

ma_cmidi_installerservice

tmcomm

BrPar

sigfilt

NWSIPX32

smartwiservice

pdlnatcm

PPPoEWin

c34nb4c5

sympxsvc

lvupdtio

symlcbrd

procexp90

upsmonservice

allegro

cicssfs.scmmc223

ssscsisv

DLARTL_M

unrealircd

bc_prt_f

cwafadminmonitor

wlancfg

mcmispupdmgr

ssm_mdm

omniusbl

magictuneengine

bgsvcgen

dlcg_device

s716unic

ndasbus

nwlnknb

pdlnslea

aswtdi

SbcpHid

toscosrv

ireike

SenFiltService

GMSIPCI

mbr

sprtsvc_smartagent

tangoservice

vcommmgr

schscnt

hsfhwazl

nvsmu

adobeversioncue

W8335XP

aspi32

fsdfwd

Cam5607

XDva004

papycpu2

lanusb

sthda

ctxcpuusync

nsctop

upperdev

SE2Dmdm

pmj151la

sweepsrv.sys

msmpsvc

bthidenum

smrt

prohlp02

dpc_srv_webcast

FTDIBUS

USBCCID

tsircsrv

djsnetcn

hpdj

icollectservice

astcc

USR1806V

Sk9920nt

TMKEmu

se44mgmt

rnadiagnosticsservice

tfsnpool

ifxtcs

btnhnd

MREMP50

SndTDriverV32

Slntamr

bhmonitorservice

z800obex

pdlnsx25

compbatt

AVerBDA

mqdmbus

pcnet

trayman

adpu320

bglivesvc

CdaD10BA

SE2Dmdfl

digisptiservice

w550mgmt

aswlsvc

WmaCVideo32

smapint

FreeTdi

oraclewebassistant

Rasman

Remoteaccess

Schedule

Seclogon

SENS

Sharedaccess

SRService

Tapisrv

Themes

TrkWks

W32Time

WZCSVC

Wmi

WmdmPmSp

winmgmt

wscsvc

xmlprov

BITS

wuauserv

ShellHWDetection

helpsvc

WmdmPmSN

napagent

hkmsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-02 c:\windows\Tasks\AdobeAAMUpdater-1.0-MAIDPRO-jdoyle.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-02-22 13:46]

.

2012-03-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-22 00:21]

.

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 192.168.25.15 192.168.25.10

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yha6yzvi.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-02 20:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1894398563-4205631423-612160202-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a7,96,4f,09,4f,9d,41,92,4d,6f,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,54,a7,96,4f,09,4f,9d,41,92,4d,6f,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3732)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2012-03-02 20:08:52 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-03 01:08

.

Pre-Run: 136,180,600,832 bytes free

Post-Run: 136,869,265,408 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - D416CBDF114987D2A0F86A907288412F

Share this post


Link to post
Share on other sites
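A defender-side triage script, added here as an example and not part of this thread or of ComboFix: it walks lines in the style of the log above and tags the three ZeroAccess artifact shapes that log shows (the per-user "<hex>\U\<hex>.@" payload store, the fake "$NtUninstallKB...$" hotfix tree with its @, L\, U\ and loader.tlb markers, and ComboFix's own "Infected copy of ... was found" lines for patched system binaries). The sample lines are constructed from paths in the posted log; the regexes, function names and the two-families threshold are my own assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample in the style of the ComboFix "Other Deletions" section
# posted in this thread (paths taken from that log, not a complete copy).
SAMPLE_LOG = r"""
c:\documents and settings\jdoyle\g2mdlhlpx.exe
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cb.@
c:\documents and settings\jdoyle\Local Settings\Application Data\c2f7014d\X
c:\windows\$NtUninstallKB15429$
c:\windows\$NtUninstallKB15429$\3270967629\@
c:\windows\$NtUninstallKB15429$\3270967629\L\vewmtziv
c:\windows\$NtUninstallKB15429$\3270967629\loader.tlb
c:\windows\$NtUninstallKB15429$\3270967629\U\@80000000
c:\windows\system32\Afc.dll
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
"""

HEX8 = r"[0-9a-f]{8}"

# Per-user payload store: an 8-hex-digit folder under Local Settings\Application Data
# holding a U\ (or X) directory of 8-hex-digit ".@" files.
USER_STORE = re.compile(
    r"\\local settings\\application data\\(?P<store>" + HEX8 + r")\\(?P<rest>.*)$", re.I)
USER_PAYLOAD = re.compile(r"^U\\" + HEX8 + r"\.@$", re.I)

# Fake hotfix-uninstall folder: $NtUninstallKB<n>$ with a numeric subfolder that
# holds @, L\<random>, U\@<hex> and loader.tlb.  The folder NAME alone is not
# evidence, since genuine Windows hotfixes use the same naming; only the
# marker entries below count.
FAKE_HOTFIX = re.compile(r"\\(?P<store>\$NtUninstallKB\d+\$)(?:\\(?P<rest>.*))?$", re.I)
HOTFIX_MARKER = re.compile(r"(?:^|\\)[@LU](?:\\|$)|loader\.tlb$", re.I)

# ComboFix's own message for a system binary it replaced from a clean copy.
INFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found", re.I)


def classify(line):
    """Return (indicator, detail) for a ZeroAccess-style artifact line, else None."""
    line = line.strip()
    m = INFECTED.match(line)
    if m:
        return ("patched_system_binary", m.group("path"))
    m = USER_STORE.search(line)
    if m:
        rest = m.group("rest")
        if USER_PAYLOAD.match(rest):
            return ("user_store_payload", m.group("store"))
        if rest.upper() in ("U", "X"):
            return ("user_store_dir", m.group("store"))
        return None
    m = FAKE_HOTFIX.search(line)
    if m and m.group("rest") and HOTFIX_MARKER.search(m.group("rest")):
        return ("fake_hotfix", m.group("store"))
    return None


def summarize(log_text):
    """Aggregate indicator hits: counts per kind, the store folders seen, and the
    patched binaries that need clean replacements (or a reinstall of their product)."""
    counts = Counter()
    stores = set()
    patched = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, detail = hit
        counts[kind] += 1
        if kind == "patched_system_binary":
            patched.append(detail)
        else:
            stores.add(detail)
    return {
        "counts": dict(counts),
        "stores": sorted(stores),
        "patched_binaries": patched,
        # Two independent artifact families is the bar (an assumption of this
        # example) for calling it ZeroAccess rather than one odd file.
        "zeroaccess_likely": len(counts) >= 2,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```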

That took out quite some bad stuff, how are things running now?

It looks like there is a problem with the NetSvcs value. Can you tell me approximately how long ago XP was installed on this computer?


Well, it seems that there are no more malicious outgoing web requests. A quick scan with MWB came up with nothing, but a full scan came up with 200+ infected items (see below). XP has been on this computer for 3-4 years, and I believe I actually reinstalled it within the past year.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.02.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Administrator :: MP-MARKETING01 [administrator]

Protection: Enabled

3/3/2012 11:13:33 AM

mbam-log-2012-03-03 (11-13-33).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 282200

Time elapsed: 28 minute(s), 10 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 292

C:\Documents and Settings\jdoyle\Application Data\Sun\Java\Deployment\cache\6.0\44\62d4346c-37229a0b (Trojan.Agent.PE3) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\00000001.@.vir (Backdoor.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cb.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\000000cf.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000c0.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\AdobeActiveFileMonitor6.0.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Afc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\AFGSp50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\aic78xx.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\antivirscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\aolavupd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\appmgmt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\as32svc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\asuskeyboardservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\aswtdi.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\avg7core.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\avg7rsw.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\awhost32.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\basic2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\bb-run.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\bits.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\BRGSp50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\cd20xrnt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\cpqfws2e.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\CTMSHD.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\cvintdrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\DCFS2K.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Dell1100_FUService.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\dlaopiom.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\dot4usb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drvmcdb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\epoxusdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\EPSON_EB_RPCV4_01.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\EU3_USB.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\evteng.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Exportit.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\firelm01.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gemserv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\hidusb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\iaimfp4.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\iaimtv2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\icm10blk.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\idrivert.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\imagesrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\inorpc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ipahelper.exe.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ipsraidn.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ivscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\jaguar.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\JGOGO.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\jobserver_report.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\kbfiltr.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\KMW_USB.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lemsgt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\LVPrcMon.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\epgspooler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\hsf_msft.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\itchfltr.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lxby_device.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\MS1000.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\omnidrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\pelusblf.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\s716mdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\snoopfree.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sscdmdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tfsndrct.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UsbDiag.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lxcf_device.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\magictuneengine.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mcods.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mcshield.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mozyFilter.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mqdmbus.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mqdmmdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\MRESP50.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\MSSQL$AUTODESKVAULT.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mvdcodec.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\MxlW2k.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mysql.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Ndismeetro.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\neokdss.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\nhcDriverDevice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\NVNET.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\omniusbl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ooclevercacheagent.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\opcenum.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\openvpnservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\oraclewebassistant.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\passthru.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\pavdrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\pdscheduler.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\PNRPSvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\PSSdk23.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ptserial.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcapd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\rt2500usb.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\RTSTOR.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\s217mdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\s3ssavage.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sandradatasrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\se45mdm.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\se59obex.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sffdisk.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sfusvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\shuttleengine.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\SiS300i.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\SMCB000.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\snoopfreesvc.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\snpstd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\snpstd2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sparrow.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\SPLITCAM.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sp_clamsrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\SQLAgent$LG_LP2.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\srescan.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ssrtln.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\STEC3.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\StillCam.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\SWUMX51.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\symantecantibotshim.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\symappcore.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sysmgmthp.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Tb2RCAssist.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tnidriver.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tosrfcom.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tosrfhid.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tpkd.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\TPM.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\transbaseservice.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\truecrypt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\U2SP.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UVCFTR.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\VCIDRV.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vet-filt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vetmonnt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\w300mdfl.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\w810mgmt.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wacomkey.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wandrv.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\WinFl32.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wlmel51b.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\z525obex.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ZY202_XP.dll.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP113\A0013915.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP128\A0016393.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP129\A0016435.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP140\A0016654.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP144\A0017017.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP144\A0019077.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP146\A0019243.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022111.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022433.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022434.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022435.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022436.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022437.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022438.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022439.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022440.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022441.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022442.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022443.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022444.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022445.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022447.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022448.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022449.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022450.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022451.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022452.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022453.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022454.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022455.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022456.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022457.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022458.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022459.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022460.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022461.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022462.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022463.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022465.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022466.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022467.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022468.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022469.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022470.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022471.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022472.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022473.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022474.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022475.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022476.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022477.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022478.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022479.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022480.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022481.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022483.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022484.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022485.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022486.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022487.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022488.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022489.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022490.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022491.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022492.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022493.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022494.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022495.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022496.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022497.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022498.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022499.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022501.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022502.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022503.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022504.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022505.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022506.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022507.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022508.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022509.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022510.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022511.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022512.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022513.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022514.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022515.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022516.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022517.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022519.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022520.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022521.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022522.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022523.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022524.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022525.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022526.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022527.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022528.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022529.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022530.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022531.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022532.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022533.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022534.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022535.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022537.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022538.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022539.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022540.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022541.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022542.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022543.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022544.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022545.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022546.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022547.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022548.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022549.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022550.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022551.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022552.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022553.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022555.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022556.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022557.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022558.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022559.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022560.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022561.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022562.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022563.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022564.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022565.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022566.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022567.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022568.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022569.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022570.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022446.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022464.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022482.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022500.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022518.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022536.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP152\A0022554.dll (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E2FE2299-7A8D-48A7-9DB7-B9B9289E2725}\RP99\A0011102.ini (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


FYI, after letting MWB clean up, another full scan found nothing


Those were already quarantined items so nothing to worry about. :)

How are things running at this point?


Everything seems good - is there anything else I need to do to clean anything up? That seemed a lot easier than it sounded it might be :)


Hi, I'm glad to hear things are running okay now. :)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the scanner button (shown as the image esetonlinebtn.png in the original post).
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats".
  8. Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats.
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


C:\Documents and Settings\jdoyle\Application Data\Sun\Java\Deployment\cache\6.0\39\1bffe6a7-33d4a4ac    Java/TrojanDownloader.OpenStream.NCO trojan    deleted - quarantined

C:\Documents and Settings\jdoyle\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004c    Win32/OpenCandy application    deleted - quarantined

C:\Documents and Settings\jdoyle\My Documents\Downloads\DTLite4453-0297.exe    Win32/OpenCandy application    deleted - quarantined

C:\Documents and Settings\jdoyle\My Documents\Downloads\InternationalPrimoPDF.exe    Win32/OpenCandy application    deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\X.vir    a variant of Win32/Sirefef.DD trojan    cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\80000000.@.vir    probably a variant of Win32/Sirefef.DV trojan    cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cb.@.vir    a variant of Win32/Agent.TEO trojan    cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\jdoyle\Local Settings\Application Data\c2f7014d\U\800000cf.@.vir    Win32/Sirefef.DV trojan    cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\atchksrv.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\LMS.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\AMT\UNS.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir    Win32/Patched.HN trojan    cleaned - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir    Win32/Sirefef.DM trojan    cleaned by deleting - quarantined


Most of that was already in quarantine, which means you're good to go. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


You are most welcome! :)

I will request this topic to be closed.


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
