Old 06-19-2011, 03:30 PM   #1
Registered Member
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Virus suspected

A few days ago Adaware popped up a message saying it stopped a file (mmc187.exe) from running. Not knowing how Adaware would handle this suspicious file, I decided to manually remove it. I ran a search on my computer, found it and deleted it. Things seemed fine for a while. Some time later a box popped up called MS Removal Tool. It claimed I was infected with all sorts of viruses, trojans, and worms.

Knowing I had no such program on my computer, I did nothing. However, my computer began to have problems.

I tried to run a scan with Adaware and it stalled on the initialization portion. I simply could not get it to run. I decided to reinstall Adaware. I downloaded a new copy, uninstalled my old Adaware, but was unable to install it.

After selecting my language (English) for the install, a box popped up called Windows Installer with the following contents:

Windows ® Installer. V 4.5.6001.22159

msiexec /Option <Required Parameter> [Optional Parameter]

Install Options
</package | /i> <Product.msi>
Installs or configures a product
/a <Product.msi>
Administrative install - Installs a product on the network
/j<u|m> <Product.msi> [/t <Transform List>] [/g <Language ID>]
Advertises a product - m to all users, u to current user
</uninstall | /x> <Product.msi | ProductCode>
Uninstalls the product
Display Options
/quiet
Quiet mode, no user interaction
/passive
Unattended mode - progress bar only
/q[n|b|r|f]
Sets user interface level
n - No UI
b - Basic UI
r - Reduced UI
f - Full UI (default)
/help
Help information
Restart Options
/norestart
Do not restart after the installation is complete
/promptrestart
Prompts the user for restart if necessary
/forcerestart
Always restart the computer after installation
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
i - Status messages
w - Nonfatal warnings
e - All error messages
a - Start up of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
x - Extra debugging information
+ - Append to existing log file
! - Flush each line to the log
* - Log all information, except for v and x options
/log <LogFile>
Equivalent of /l* <LogFile>
Update Options
/update <Update1.msp>[;Update2.msp]
Applies update(s)
/uninstall <PatchCodeGuid>[;Update2.msp] /package <Product.msi | ProductCode>
Remove update(s) for a product
Repair Options
/f[p|e|c|m|s|o|d|a|u|v] <Product.msi | ProductCode>
Repairs a product
p - only if file is missing
o - if file is missing or an older version is installed (default)
e - if file is missing or an equal or older version is installed
d - if file is missing or a different version is installed
c - if file is missing or checksum does not match the calculated value
a - forces all files to be reinstalled
u - all required user-specific registry entries (default)
m - all required computer-specific registry entries (default)
s - all existing shortcuts (default)
v - runs from source and recaches local package
Setting Public Properties
[PROPERTY=PropertyValue]

Consult the Windows ® Installer SDK for additional documentation on the
command line syntax.

Copyright © Microsoft Corporation. All rights reserved.
Portions of this software are based in part on the work of the Independent JPEG Group.


When I click Ok, it stops the program from installing.

I had other problems but I'm afraid I just can't recall all the events or the exact sequence. At one point, I wanted to download Malwarebytes, but I could not get internet connection so I went into Safe Mode with Networking and selected the option to do a system restore, which allowed me to get back on the internet to download and run Malwarebytes. It found 13 infected files and I selected the option to fix the problems.

Since then, I notice there are still problems with my computer. It runs slow when it shouldn't. The computer fan which revs up with high use will run when I have no programs running. There is often a small sound that comes from the computer like a small notification alert sound, although it's very soft and quiet.

When I used Google, it seemed okay for a while, but then I noticed I was being redirected to other websites when I clicked on a result I knew should have worked. If I close Firefox, reopen it and try the same search and click the same results, it sends me to the proper site.

I know my computer is not working correctly and I hope you can help.

Below are the requested scans. I am unable to zip the files requested by using the Windows Zip Utility as I do not seem to have it or am unable to use it. I have searched the problem and tried some of the methods to restore this feature to no avail. I am attaching the files as .txt.



.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Admin at 14:38:46 on 2011-06-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.965 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Efficient Reminder Free\EfficientReminderFree.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow title = DeLuXe 2oo9 v.1.0 - ßy M.Baran
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admin\start menu\programs\startup\efficient reminder free.lnk - c:\program files\efficient reminder free\EfficientReminderFree.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office-2002\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_674125AABFE11C21.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{EAE6AAE8-28A8-4A58-8006-EB83CA763E82} : DhcpNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\o564exhs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\admin\my documents\sparkplay media\sparkplayer (beta)\npSparkPlayerNS.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-9-8 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-8 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-8 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-8 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-8 243152]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-9 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-9 308136]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-16 366640]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-16 22712]
S3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\FarMntIo.sys [2009-12-11 13184]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 LLRING0;LLRING0;\??\c:\program files\fortressmu\fmu s4 v3\fortress 3d\muguard\llck1.sys --> c:\program files\fortressmu\fmu s4 v3\fortress 3d\muguard\llck1.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2009-12-9 40060]
.
=============== Created Last 30 ================
.
2011-06-16 22:04:10 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 16:36:43 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2011-06-16 16:36:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-16 16:36:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-16 16:36:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 16:36:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-16 16:01:14 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-16 16:01:14 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 15:57:23 -------- d-----w- c:\program files\World of Warcraft
2011-06-16 15:20:11 0 ----a-w- c:\windows\Jsewe.bin
2011-06-16 15:20:10 -------- d-----w- c:\documents and settings\admin\local settings\application data\{95D238F2-8F56-445F-98EF-8299181B8A68}
2011-06-16 15:18:28 -------- d-----w- c:\documents and settings\all users\application data\eN28258ClAaH28258
2011-06-16 06:19:01 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-06-16 06:17:44 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-16 06:16:47 758784 ------w- c:\windows\system32\dllcache\vgx.dll
2011-06-14 21:37:35 -------- d-----w- c:\program files\World of Warcraft.temp
.
==================== Find3M ====================
.
2011-05-05 15:41:58 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-05-02 15:30:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:47:42 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:52:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD6400AAKS-75A7B0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89BB64D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89bbc7d0]; MOV EAX, [0x89bbc84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BE3AB8]
3 CLASSPNP[0xF74C7FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x89B9EB98]
\Driver\atapi[0x89B95930] -> IRP_MJ_CREATE -> 0x89BB64D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89BB631B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:40:13.93 ===============
Attached Files
File Type: txt attach.txt (16.5 KB, 2 views)
File Type: txt ark.txt (4.3 KB, 3 views)

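An added triage example, not part of the original post and not code from DDS, GMER or ComboFix: the script below pulls the "Created Last 30" and "detected hooks" entries out of a DDS/GMER log like the one above and flags the items a helper would look at first. The sample input is copied from the log in this post; the heuristics (a zero-byte file dropped straight into c:\windows, a GUID-named directory under a profile's Application Data, a long mixed-case/digit directory name) and the thresholds in looks_random are my own assumptions, not rules from any of those tools.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the DDS and GMER output quoted in
# this thread, trimmed to the two sections the heuristics below read.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2011-06-16 16:36:43 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2011-06-16 16:36:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-16 15:57:23 -------- d-----w- c:\program files\World of Warcraft
2011-06-16 15:20:11 0 ----a-w- c:\windows\Jsewe.bin
2011-06-16 15:20:10 -------- d-----w- c:\documents and settings\admin\local settings\application data\{95D238F2-8F56-445F-98EF-8299181B8A68}
2011-06-16 15:18:28 -------- d-----w- c:\documents and settings\all users\application data\eN28258ClAaH28258
2011-06-16 06:19:01 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
=================== ROOTKIT ====================
detected hooks:
\Driver\atapi DriverStartIo -> 0x89BB631B
user & kernel MBR OK
"""

# DDS "Created Last 30" line: <timestamp> <size or dashes> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
# GMER hook line: "\Driver\atapi DriverStartIo -> 0x89BB631B"
HOOK_RE = re.compile(
    r"^(?P<obj>\\Driver\\\S+)\s+(?P<field>\S+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")


@dataclass
class Finding:
    path: str
    reason: str


def _char_class(c: str):
    if c.isdigit():
        return "d"
    if c.isupper():
        return "U"
    if c.islower():
        return "l"
    return None  # punctuation and spaces are ignored


def looks_random(name: str, min_len: int = 10, min_switches: int = 4) -> bool:
    """Assumed heuristic: a long name that mixes digits and letters and
    switches character class often (eN28258ClAaH28258) reads as generated;
    ordinary product names (Malwarebytes, oleaut32) do not."""
    stem = name.rsplit(".", 1)[0]
    classes = [k for k in map(_char_class, stem) if k]
    if len(classes) < min_len or "d" not in classes or len(set(classes)) == 1:
        return False
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= min_switches


def triage(log_text: str) -> List[Finding]:
    """Return the created-file entries worth a closer look, with the rule hit."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        path, attrs, size = m["path"], m["attrs"], m["size"]
        parent, _, name = path.rpartition("\\")
        is_dir = attrs.startswith("d")
        in_appdata = "application data" in parent.lower()
        if not is_dir and size == "0" and parent.lower() in WINDOWS_DIRS:
            findings.append(Finding(path, "zero-byte file dropped directly in a Windows directory"))
        elif is_dir and in_appdata and GUID_RE.match(name):
            findings.append(Finding(path, "GUID-named directory under a profile's Application Data"))
        elif in_appdata and looks_random(name):
            findings.append(Finding(path, "random-looking name under Application Data"))
    return findings


def parse_hooks(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (driver object, hooked field, target address) for each GMER hook line."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m["obj"], m["field"], m["addr"]))
    return hooks


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
    for obj, field, addr in parse_hooks(SAMPLE_LOG):
        print(f"hook: {obj} {field} -> {addr}")
```

Run on the sample, it flags c:\windows\Jsewe.bin, the {95D238F2-...} directory (the same one ComboFix removes in post #3) and the eN28258ClAaH28258 directory, and leaves the Malwarebytes, World of Warcraft and dllcache entries alone. The hook parser surfaces the \Driver\atapi DriverStartIo redirection that GMER prints next to its "possible TDL3 rootkit infection" warning, which is the line a helper checks before anything else in this log.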
Old 06-19-2011, 07:25 PM   #2
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG first. You may do this through Control Panel > Add/Remove Programs or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

ASAP & UNITE Member
Old 06-19-2011, 11:37 PM   #3
Registered Member
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

Please note, after ComboFix was finished and produced the text file, I closed the text file to see if my desktop returned. This caused my computer to crash with the message: "STOP: c000113c Unknown Hard Error." I had to turn off the computer and then back on to provide the combofix contents:


ComboFix 11-06-17.04 - Admin 06/19/2011 23:14:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1677 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\Adobe\plugs
c:\documents and settings\Admin\Application Data\Adobe\shed
c:\documents and settings\Admin\Application Data\chrtmp
c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\Admin\Application Data\Setup.exe
c:\documents and settings\Admin\Local Settings\Application Data\{95D238F2-8F56-445F-98EF-8299181B8A68}
c:\documents and settings\Admin\Local Settings\Application Data\{95D238F2-8F56-445F-98EF-8299181B8A68}\chrome\content\_cfg.js
c:\documents and settings\Admin\Local Settings\Application Data\{95D238F2-8F56-445F-98EF-8299181B8A68}\chrome\content\overlay.xul
c:\documents and settings\Admin\Local Settings\Application Data\{95D238F2-8F56-445F-98EF-8299181B8A68}\install.rdf
c:\documents and settings\Admin\WINDOWS
c:\windows\system32\system
.
c:\windows\system32\midimap.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-19 21:14 . 2011-06-19 21:14 -------- d-----w- c:\program files\7-Zip
2011-06-18 12:03 . 2011-06-18 12:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-16 16:01 . 2011-06-16 16:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 15:57 . 2011-06-20 02:30 -------- d-----w- c:\program files\World of Warcraft
2011-06-16 15:20 . 2011-06-16 15:20 0 ----a-w- c:\windows\Jsewe.bin
2011-06-16 15:18 . 2011-06-16 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\eN28258ClAaH28258
2011-06-16 06:19 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-06-16 06:17 . 2011-04-21 13:52 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-16 06:16 . 2011-04-30 03:01 758784 ------w- c:\windows\system32\dllcache\vgx.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:30 . 2009-12-09 14:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:47 . 2011-04-19 05:22 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-04-15 02:06 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-04-15 02:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2009-03-08 18:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2009-03-08 18:35 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:52 . 2008-04-29 02:58 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[-] 2009-04-14 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
[-] 2009-04-15 02:01 . 305A986FA2FF569D333CCA2AE3AE321D . 1444864 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2009-04-15 . DB3B9755F265C37319DF9AFF4FDDF717 . 568832 . . [5.1.2600.5714] . . c:\windows\system32\winlogon.exe
.
[-] 2009-04-15 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2009-04-15 . 6DA7EDB6D1289B0B8A6DED512EBCB1AB . 1440768 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2008-04-15 . DD973467A6C5CFE264F112CB3946E8BD . 263680 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2009-04-15 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
.
[-] 2009-04-15 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
.
[-] 2009-04-15 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2009-04-15 53248]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2010-8-27 10257920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^TimeLeft.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\TimeLeft.lnk
backup=c:\windows\pss\TimeLeft.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMaker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MacroMaker.lnk
backup=c:\windows\pss\MacroMaker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2009-04-15 02:01 37376 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-07-25 23:30 3220912 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-01-09 19:13 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
2008-09-17 15:12 737408 ----a-w- c:\program files\PowerStrip\PStrip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 18:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-08-15 15:47 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-03-09 02:52 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\mirc-babra\\mirc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Old Computer Files\\mirc-diamonds\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56589:TCP"= 56589:TCP:Pando Media Booster
"56589:UDP"= 56589:UDP:Pando Media Booster
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 6:49 AM 64288]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/16/2011 9:36 AM 366640]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 6:37 PM 27992]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/16/2011 9:36 AM 22712]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\FarMntIo.sys [12/11/2009 12:05 AM 13184]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 LLRING0;LLRING0;\??\c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys --> c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/9/2009 4:19 PM 40060]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 18:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office-2002\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_674125AABFE11C21.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o564exhs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-tcactive - c:\program files\The Cleaner\tcap.exe
AddRemove-Ashampoo Burning Studio 10_is1 - c:\program files\Ashampoo\Ashampoo Burning Studio 10\unins000.exe
AddRemove-DVD Shrink_is1 - c:\dvd rip\DVD Shrink\unins000.exe
AddRemove-{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1 - c:\program files\VSO\ConvertX\4\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-19 23:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD6400AAKS-75A7B0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B5C31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1580818891-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,47,c9,1b,c9,cb,7e,02,ce,f6,b0,b7,b0,17,6d,de,79,38,af,ec,82,
91,67,1b,a0,51,b3,41,f2,41,19,cd,c4,a4,8c,de,48,b6,be,ab,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f8eeab2b-dc06-4946-916b-ec1b4f33bc90}]
@Denied: (Full) (Everyone)
"Model"=dword:00000155
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(524)
c:\windows\system32\WININET.dll
c:\windows\system32\setupapi.dll
.
Completion time: 2011-06-19 23:27:30
ComboFix-quarantined-files.txt 2011-06-20 06:27
.
Pre-Run: 241,772,118,016 bytes free
Post-Run: 242,107,703,296 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff
.
- - End Of File - - DC35A97A0815395980893FB06C5F15D0
Old 06-20-2011, 06:49 AM   #4
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

Are you by chance using nLite or something similar to modify your Windows installation? Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • TDSSKiller log
ASAP & UNITE Member
Old 06-20-2011, 07:37 AM   #5
Registered Member
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

I do not have an unzipping program. As earlier stated, I do not have the Windows zip utility. Before I posted this topic, I removed the program WinRar that I had in order to see if the Window zip utility would "take over." What do you suggest I get to unzip the file you asked me to download?
Old 06-20-2011, 08:30 AM   #6
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Try this app:

Download 7-Zip from SourceForge.net

Are you by chance using nLite or something similar to modify your Windows installation?
ASAP & UNITE Member
Old 06-20-2011, 08:45 AM   #7
Registered Member
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

I installed 7-zip and then installed and ran TDSSKiller. The log follows.

I do not know if I have nLite. My brother built and gave me this computer so I don't know all the particulars. Is this something I should attempt to find out and if so, how do I go about finding this information?



2011/06/20 08:37:35.0093 1568 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/20 08:37:35.0625 1568 ================================================================================
2011/06/20 08:37:35.0625 1568 SystemInfo:
2011/06/20 08:37:35.0625 1568
2011/06/20 08:37:35.0625 1568 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/20 08:37:35.0625 1568 Product type: Workstation
2011/06/20 08:37:35.0625 1568 ComputerName: DELUXE
2011/06/20 08:37:35.0625 1568 UserName: Admin
2011/06/20 08:37:35.0625 1568 Windows directory: C:\WINDOWS
2011/06/20 08:37:35.0625 1568 System windows directory: C:\WINDOWS
2011/06/20 08:37:35.0625 1568 Processor architecture: Intel x86
2011/06/20 08:37:35.0625 1568 Number of processors: 2
2011/06/20 08:37:35.0625 1568 Page size: 0x1000
2011/06/20 08:37:35.0625 1568 Boot type: Normal boot
2011/06/20 08:37:35.0625 1568 ================================================================================
2011/06/20 08:37:37.0046 1568 Initialize success
2011/06/20 08:37:46.0156 3672 ================================================================================
2011/06/20 08:37:46.0156 3672 Scan started
2011/06/20 08:37:46.0156 3672 Mode: Manual;
2011/06/20 08:37:46.0156 3672 ================================================================================
2011/06/20 08:37:53.0703 3672 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/20 08:37:53.0703 3672 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/20 08:37:53.0718 3672 ================================================================================
2011/06/20 08:37:53.0718 3672 Scan finished
2011/06/20 08:37:53.0718 3672 ================================================================================
2011/06/20 08:37:53.0734 3824 Detected object count: 1
2011/06/20 08:37:53.0734 3824 Actual detected object count: 1
2011/06/20 08:38:23.0140 3824 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/20 08:38:23.0140 3824 \Device\Harddisk0\DR0 - ok
2011/06/20 08:38:23.0140 3824 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/20 08:38:32.0578 1832 Deinitialize success
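A parser for the TDSSKiller log format posted above, written as an added example for this thread (it is not part of the thread and not Kaspersky's tool): it separates the routine driver enumeration from the detection and action lines and states what an MBR detection means for the host. The sample lines are an excerpt of the log above.

```python
"""Summarise a TDSSKiller scan log in the format posted above.

Every line is "<date> <time> <thread-id> <message>". Driver enumeration
lines carry a service name, an MD5 and a path; the MBR line carries the
size of boot code hashed; detection and action lines name the object and
the threat. Added example, not part of the thread or of the tool.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
MBR_RE = re.compile(r"^MBR \((0x[0-9A-Fa-f]+)\) \(([0-9a-fA-F]{32})\) (.+)$")
DETECT_RE = re.compile(r"^(.+?) - detected (\S+)")
PENDING_RE = re.compile(r"^(.+?) \((\S+)\) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(\S+?)\((.+)\) - User select action: (\w+)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")


@dataclass
class ScanSummary:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # service -> (md5, path)
    mbr: Optional[Tuple[str, str, str]] = None                          # (size, md5, device)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (object, threat)
    pending_reboot: List[str] = field(default_factory=list)            # objects cured at reboot
    actions: List[Tuple[str, str, str]] = field(default_factory=list)  # (threat, object, action)


def parse_tdsskiller(text: str) -> ScanSummary:
    """Classify each log line; banners and status lines are ignored."""
    s = ScanSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3).strip()
        if mm := MBR_RE.match(msg):
            s.mbr = (mm.group(1), mm.group(2).lower(), mm.group(3))
        elif dm := DETECT_RE.match(msg):
            s.detections.append((dm.group(1), dm.group(2)))
        elif pm := PENDING_RE.match(msg):
            s.pending_reboot.append(pm.group(1))
        elif am := ACTION_RE.match(msg):
            s.actions.append((am.group(1), am.group(2), am.group(3)))
        elif dr := DRIVER_RE.match(msg):
            s.drivers[dr.group(1)] = (dr.group(2).lower(), dr.group(3))
    return s


def assess(s: ScanSummary) -> List[str]:
    """Turn the parsed log into the points a responder would act on."""
    findings = []
    for obj, threat in s.detections:
        if obj.lower().startswith(r"\device\harddisk"):
            findings.append(
                f"{threat} on {obj}: boot-sector (MBR) infection, md5 of boot code "
                f"{s.mbr[1] if s.mbr else 'unknown'}; a kernel-mode rootkit can hide "
                "from scans run on the live system, so earlier clean results do not count")
        else:
            findings.append(f"{threat} on {obj}: infected file or driver")
    for threat, obj, action in s.actions:
        if action != "Cure":
            findings.append(f"{obj}: action was '{action}', {threat} is still present")
    if s.pending_reboot:
        findings.append("reboot, then rescan to confirm the cure of: " + ", ".join(s.pending_reboot))
    return findings


# Excerpt of the log posted above (a constructed subset of its lines).
SAMPLE_LOG = r"""
2011/06/20 08:37:46.0156 3672 Scan started
2011/06/20 08:37:46.0968 3672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/20 08:37:47.0359 3672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/20 08:37:53.0703 3672 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/20 08:37:53.0703 3672 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/20 08:37:53.0718 3672 Scan finished
2011/06/20 08:37:53.0734 3824 Detected object count: 1
2011/06/20 08:38:23.0140 3824 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/20 08:38:23.0140 3824 \Device\Harddisk0\DR0 - ok
2011/06/20 08:38:23.0140 3824 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
"""

if __name__ == "__main__":
    summary = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(summary.drivers)} drivers enumerated, {len(summary.detections)} detection(s)")
    for line in assess(summary):
        print("-", line)
```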
Old 06-20-2011, 07:01 PM   #8
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

The reason I asked about nLite is that you are missing some system files. Sometimes folks purposely remove parts of Windows with programs like nLite - other times it's related to the malware. Please do this now:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    midimap.dl*
    winlogon.ex*
    user32.dl*
    explorer.ex*
    regedit.ex*
    usp10.dl*
    ctfmon.ex*
    midimap.dl*
    beep.sys
    wscntfy.ex*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please let me know if you have access to a Windows XP SP3 installation disk.

Please include the following in your next post:
  • SystemLook log
ASAP & UNITE Member
Old 06-20-2011, 10:17 PM   #9
Registered Member
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

I know for one that the Security Center is missing from the Control Panel. I think it may have been missing since I got the computer from my brother. I do have the Windows disk my brother used for this computer.


SystemLook 04.09.10 by jpshortstuff
Log created at 22:08 on 20/06/2011 by Admin
Administrator - Elevation successful

========== filefind ==========

Searching for "midimap.dl*"
C:\WINDOWS\system32\midimap.dll --a---- 32256 bytes [02:02 15/04/2009] [02:02 15/04/2009] 448937CF6D5D4A4009532DF67B205F92

Searching for "winlogon.ex*"
C:\WINDOWS\system32\winlogon.exe --a---- 568832 bytes [02:06 15/04/2009] [02:06 15/04/2009] DB3B9755F265C37319DF9AFF4FDDF717

Searching for "user32.dl*"
C:\WINDOWS\system32\user32.dll --a---- 575488 bytes [02:05 15/04/2009] [02:05 15/04/2009] 99C1ACB1B8F0F2CECC56515E502B5120

Searching for "explorer.ex*"
C:\Old Computer Files\WINDOWS\explorer.exe --a---- 1033216 bytes [07:54 13/12/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\explorer.exe --a---- 1440768 bytes [02:02 15/04/2009] [02:02 15/04/2009] 6DA7EDB6D1289B0B8A6DED512EBCB1AB

Searching for "regedit.ex*"
C:\Old Computer Files\WINDOWS\regedit.exe --a---- 146432 bytes [07:54 13/12/2009] [07:56 04/08/2004] 783AFC80383C176B22DBF8333343992D
C:\WINDOWS\regedit.exe -----c- 263680 bytes [03:00 15/04/2008] [03:00 15/04/2008] DD973467A6C5CFE264F112CB3946E8BD

Searching for "usp10.dl*"
C:\Old Computer Files\Program Files\Common Files\Microsoft Shared\Office10\USP10.DLL --a---- 325120 bytes [07:54 13/12/2009] [16:32 15/01/2001] 6D682A9D1BA5218798882A30F44E7194
C:\Program Files\Common Files\Microsoft Shared\Office10\USP10.DLL --a--c- 406016 bytes [23:01 09/08/2010] [23:01 09/08/2010] F8894BCC961D461674002B4BAE7AECC1
C:\Program Files\Microsoft Office\Office12\USP10.DLL --a---- 502784 bytes [17:39 20/07/2010] [17:39 20/07/2010] C92D20A6E35E232004D83DC10A78878A
C:\WINDOWS\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\USP10.DLL_0002 -ra--c- 503296 bytes [02:51 14/10/2006] [02:51 14/10/2006] CD75EF76BEE2A96599E51F1D4DEFEB09
C:\WINDOWS\system32\usp10.dll --a---- 502272 bytes [02:14 15/04/2009] [02:14 15/04/2009] 2547D2CF090AC7636898F16957EBCEDC

Searching for "ctfmon.ex*"
C:\WINDOWS\system32\ctfmon.exe --a---- 37376 bytes [02:01 15/04/2009] [02:01 15/04/2009] CBF5945651C96E471B3A004BBDC36864

Searching for "midimap.dl*"
C:\WINDOWS\system32\midimap.dll --a---- 32256 bytes [02:02 15/04/2009] [02:02 15/04/2009] 448937CF6D5D4A4009532DF67B205F92

Searching for "beep.sys"
No files found.

Searching for "wscntfy.ex*"
No files found.

-= EOF =-
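The SystemLook report above has a regular line format, so the analyst's reading of it (which requested files are absent, and where the surviving copies sit) can be automated. Added example, not part of the thread or of SystemLook: the expected-directory map and the reference hash are this example's assumptions, and the sample is an excerpt of the report above.

```python
"""Parse a SystemLook ":filefind" report (format posted above) and flag gaps.

Hit lines read: <path> <7 attribute flags> <size> bytes [<modified>] [<created>] <MD5>
A pattern with no hits is followed by "No files found.".
Added example, not part of the thread or of SystemLook.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
HIT_RE = re.compile(
    r"^(.+?) ([-a-z]{7}) (\d+) bytes \[([^\]]+)\] \[([^\]]+)\] ([0-9A-Fa-f]{32})$")

# Where each searched file is loaded from on a stock Windows XP install.
# This map is an assumption of the example, not output of SystemLook.
EXPECTED_DIR = {
    "midimap.dl*": r"c:\windows\system32", "winlogon.ex*": r"c:\windows\system32",
    "user32.dl*": r"c:\windows\system32", "explorer.ex*": r"c:\windows",
    "regedit.ex*": r"c:\windows", "usp10.dl*": r"c:\windows\system32",
    "ctfmon.ex*": r"c:\windows\system32", "beep.sys": r"c:\windows\system32\drivers",
    "wscntfy.ex*": r"c:\windows\system32",
}
Hit = Tuple[str, str, int, str]   # (path, attribute flags, size, MD5)
Finding = Tuple[str, str, str]    # (pattern, kind, detail)


def parse_filefind(text: str) -> Dict[str, List[Hit]]:
    """Return {search pattern: hits}; an empty list means 'No files found.'."""
    results: Dict[str, List[Hit]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := SEARCH_RE.match(line):
            current = m.group(1)
            results.setdefault(current, [])
        elif current is not None and (m := HIT_RE.match(line)):
            results[current].append((m.group(1), m.group(2), int(m.group(3)), m.group(6).upper()))
    return results


def assess(results: Dict[str, List[Hit]], expected: Dict[str, str] = EXPECTED_DIR) -> List[Finding]:
    """Flag files that are absent, or absent from the directory Windows loads them from."""
    findings: List[Finding] = []
    for pattern, hits in results.items():
        want = expected.get(pattern)
        if not hits:
            findings.append((pattern, "missing", f"no copy anywhere; expected in {want}"))
            continue
        if want is None:
            continue
        if not any(ntpath.dirname(h[0]).lower() == want for h in hits):
            findings.append((pattern, "displaced", f"present only outside {want}"))
        for path, _attrs, size, md5 in hits:
            if ntpath.dirname(path).lower() != want:
                findings.append((pattern, "other-copy", f"{path} ({size} bytes, {md5})"))
    return findings


def verify_hashes(results: Dict[str, List[Hit]], reference: Dict[str, str],
                  expected: Dict[str, str] = EXPECTED_DIR) -> List[Finding]:
    """Compare the in-place copy's MD5 with a trusted reference (e.g. hashed from the
    install media). A present file can still be patched, as ComboFix later reports
    for midimap.dll in this thread, so presence alone is not a clean bill."""
    findings: List[Finding] = []
    for pattern, good in reference.items():
        want = expected.get(pattern)
        for path, _attrs, _size, md5 in results.get(pattern, []):
            if want and ntpath.dirname(path).lower() == want and md5 != good.upper():
                findings.append((pattern, "hash-mismatch", f"{path} has {md5}, reference {good.upper()}"))
    return findings


# Constructed excerpt of the report posted above.
SAMPLE_REPORT = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 22:08 on 20/06/2011 by Admin
Administrator - Elevation successful

========== filefind ==========

Searching for "midimap.dl*"
C:\WINDOWS\system32\midimap.dll --a---- 32256 bytes [02:02 15/04/2009] [02:02 15/04/2009] 448937CF6D5D4A4009532DF67B205F92

Searching for "explorer.ex*"
C:\Old Computer Files\WINDOWS\explorer.exe --a---- 1033216 bytes [07:54 13/12/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\explorer.exe --a---- 1440768 bytes [02:02 15/04/2009] [02:02 15/04/2009] 6DA7EDB6D1289B0B8A6DED512EBCB1AB

Searching for "regedit.ex*"
C:\WINDOWS\regedit.exe -----c- 263680 bytes [03:00 15/04/2008] [03:00 15/04/2008] DD973467A6C5CFE264F112CB3946E8BD

Searching for "beep.sys"
No files found.

Searching for "wscntfy.ex*"
No files found.

-= EOF =-
"""

# PLACEHOLDER reference hash: in practice hash the copy expanded from the
# install CD. This value is deliberately not a real midimap.dll hash.
REFERENCE_MD5 = {"midimap.dl*": "0" * 32}

if __name__ == "__main__":
    report = parse_filefind(SAMPLE_REPORT)
    for pattern, kind, detail in assess(report) + verify_hashes(report, REFERENCE_MD5):
        print(f"[{kind}] {pattern}: {detail}")
```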
Old 06-23-2011, 07:20 PM   #10
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

My apologies again for the delay. Please do this next (you will need your Windows installation CD):

Insert the Windows XP installation disk.

1. Click Start > Run, or press the Windows Key + R. Then type cmd in the run box and press "OK" to open the command prompt window.

2. Enter the following commands, one at a time, at the prompt and press "Enter" after each one. Refer to the quote box under the commands for the location of the spaces, which are very important. After pressing "Enter" you should see a message that says, "one file(s) expanded successfully".

Note: x = the drive letter designation for your CD/DVD drive - replace x with the appropriate letter for your PC.

expand x:\i386\midimap.dl_ c:\

expand x:\i386\comres.dl_ c:\

expand x:\i386\user32.dl_ c:\

expand x:\i386\usp10.dl_ c:\

expand x:\i386\explorer.ex_ c:\

expand x:\i386\winlogon.ex_ c:\

expand x:\i386\regedit.ex_ c:\

expand x:\i386\ctfmon.ex_ c:\

expand x:\i386\wscntfy.ex_ c:\


Quote:
expand<space>x:\i386\midimap.dl_<space>c:\

expand<space>x:\i386\comres.dl_<space>c:\

expand<space>x:\i386\user32.dl_<space>c:\

expand<space>x:\i386\usp10.dl_<space>c:\

expand<space>x:\i386\explorer.ex_<space>c:\

expand<space>x:\i386\regedit.ex_<space>c:\

expand<space>x:\i386\winlogon.ex_<space>c:\

expand<space>x:\i386\ctfmon.ex_<space>c:\

expand<space>x:\i386\wscntfy.ex_<space>c:\
3. Now type Exit and press Enter to reboot into the normal mode

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

Code:
File::
c:\windows\Jsewe.bin
Folder::
c:\documents and settings\All Users\Application Data\eN28258ClAaH28258
FCopy::
c:\midimap.dll | c:\windows\system32\midimap.dll
c:\comres.dll | c:\windows\system32\comres.dll
c:\winlogon.exe | c:\windows\system32\winlogon.exe
c:\user32.dll | c:\windows\system32\user32.dll
c:\explorer.exe | c:\windows\explorer.exe
c:\regedit.exe | c:\windows\regedit.exe
c:\usp10.dll | c:\windows\system32\usp10.dll
c:\ctfmon.exe | c:\windows\system32\ctfmon.exe
c:\wscntfy.exe | c:\windows\System32\wscntfy.exe
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log
ASAP & UNITE Member
Old 06-23-2011, 08:23 PM   #11
Registered Member
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

When I ran the commands in cmd, the following two files received the message, "Can't open input file":
e:\i386\regedit.ex_
e:\i386\wscntfy.ex_

Here is the log from running ComboFix:


ComboFix 11-06-23.01 - Admin 06/23/2011 20:07:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1418 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Jsewe.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\eN28258ClAaH28258
c:\documents and settings\All Users\Application Data\eN28258ClAaH28258\eN28258ClAaH28258
c:\windows\Jsewe.bin
.
c:\windows\system32\midimap.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 02:52 . 2008-04-14 12:42 37376 ----a-w- C:\ctfmon.ex_
2011-06-24 02:49 . 2008-11-22 02:50 568832 ----a-w- C:\winlogon.ex_
2011-06-24 02:47 . 2008-07-03 21:38 1440768 ----a-w- C:\explorer.ex_
2011-06-24 02:46 . 2009-04-15 06:14 502272 ----a-w- C:\usp10.dl_
2011-06-24 02:46 . 2008-04-14 12:42 575488 ----a-w- C:\user32.dl_
2011-06-24 02:45 . 2008-04-14 12:41 1444864 ----a-w- C:\comres.dl_
2011-06-24 02:43 . 2008-04-14 12:41 32256 ----a-w- C:\midimap.dl_
2011-06-19 21:14 . 2011-06-19 21:14 -------- d-----w- c:\program files\7-Zip
2011-06-18 12:03 . 2011-06-18 12:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-16 16:01 . 2011-06-16 16:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 15:57 . 2011-06-23 20:03 -------- d-----w- c:\program files\World of Warcraft
2011-06-16 06:19 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-06-16 06:17 . 2011-04-21 13:52 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-16 06:16 . 2011-04-30 03:01 758784 ------w- c:\windows\system32\dllcache\vgx.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:30 . 2009-12-09 14:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:47 . 2011-04-19 05:22 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-04-15 02:06 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-04-15 02:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2009-03-08 18:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2009-03-08 18:35 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:52 . 2008-04-29 02:58 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[-] 2009-04-14 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
[-] 2009-04-15 02:01 . 305A986FA2FF569D333CCA2AE3AE321D . 1444864 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2009-04-15 . DB3B9755F265C37319DF9AFF4FDDF717 . 568832 . . [5.1.2600.5714] . . c:\windows\system32\winlogon.exe
.
[-] 2009-04-15 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2009-04-15 . 6DA7EDB6D1289B0B8A6DED512EBCB1AB . 1440768 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2008-04-15 . DD973467A6C5CFE264F112CB3946E8BD . 263680 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2009-04-15 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
.
[-] 2009-04-15 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
.
[-] 2009-04-15 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2009-04-15 53248]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2010-8-27 10257920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^TimeLeft.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\TimeLeft.lnk
backup=c:\windows\pss\TimeLeft.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMaker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MacroMaker.lnk
backup=c:\windows\pss\MacroMaker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2009-04-15 02:01 37376 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-07-25 23:30 3220912 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-01-09 19:13 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
2008-09-17 15:12 737408 ----a-w- c:\program files\PowerStrip\PStrip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 18:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-08-15 15:47 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-03-09 02:52 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\mirc-babra\\mirc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Old Computer Files\\mirc-diamonds\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56589:TCP"= 56589:TCP:Pando Media Booster
"56589:UDP"= 56589:UDP:Pando Media Booster
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 6:49 AM 64288]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/16/2011 9:36 AM 366640]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 6:37 PM 27992]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/16/2011 9:36 AM 22712]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\FarMntIo.sys [12/11/2009 12:05 AM 13184]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 LLRING0;LLRING0;\??\c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys --> c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/9/2009 4:19 PM 40060]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 18:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office-2002\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_674125AABFE11C21.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o564exhs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-23 20:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1580818891-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,47,c9,1b,c9,cb,7e,02,ce,f6,b0,b7,b0,17,6d,de,79,38,af,ec,82,
91,67,1b,a0,51,b3,41,f2,41,19,cd,c4,a4,8c,de,48,b6,be,ab,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f8eeab2b-dc06-4946-916b-ec1b4f33bc90}]
@Denied: (Full) (Everyone)
"Model"=dword:00000155
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(520)
c:\windows\system32\setupapi.dll
.
Completion time: 2011-06-23 20:14:02
ComboFix-quarantined-files.txt 2011-06-24 03:14
.
Pre-Run: 241,011,671,040 bytes free
Post-Run: 241,005,666,304 bytes free
.
- - End Of File - - 95A50D4EFF38FBE7097238456A791317
__________________
Babra is offline  
Old 06-24-2011, 02:04 PM   #12
Security Team
Analyst
 
RPMcMurphy's Avatar
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

That error was my fault. Please do this next (you will need your Windows installation CD again):

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
del "C:\ctfmon.ex_"
del "C:\winlogon.ex_"
del "C:\explorer.ex_"
del "C:\usp10.dl_"
del "C:\user32.dl_"
del "C:\comres.dl_"
del "C:\midimap.dl_"
expand e:\i386\midimap.dl_ c:\midimap.dll
expand e:\i386\comres.dl_ c:\comres.dll
expand e:\i386\user32.dl_ c:\user32.dll
expand e:\i386\usp10.dl_ c:\usp10.dll
expand e:\i386\explorer.ex_ c:\explorer.exe
expand e:\i386\winlogon.ex_ c:\winlogon.exe
expand e:\i386\regedit.ex_ c:\regedit.exe
expand e:\i386\ctfmon.ex_ c:\ctfmon.exe
expand e:\i386\wscntfy.ex_ c:\wscntfy.exe
del /Q %0
Save this as fix.bat. Choose "Save as type: All Files".
It should look like this:
Insert your install disk into the CD drive then double click on fix.bat & allow it to run. When that finishes, run this:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::

Code:
FCopy::
c:\midimap.dll | c:\windows\system32\midimap.dll
c:\comres.dll | c:\windows\system32\comres.dll
c:\winlogon.exe | c:\windows\system32\winlogon.exe
c:\user32.dll | c:\windows\system32\user32.dll
c:\explorer.exe | c:\windows\explorer.exe
c:\regedit.exe | c:\windows\regedit.exe
c:\usp10.dll | c:\windows\system32\usp10.dll
c:\ctfmon.exe | c:\windows\system32\ctfmon.exe
c:\wscntfy.exe | c:\windows\System32\wscntfy.exe
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log
__________________


ASAP & UNITE Member
RPMcMurphy is offline  
Old 06-24-2011, 02:51 PM   #13
Registered Member
 
Babra's Avatar
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

ComboFix 11-06-24.02 - Admin 06/24/2011 14:42:29.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\explorer.exe
C:\usp10.dll
.
c:\windows\system32\midimap.dll . . . is infected!!
.
.
--------------- FCopy ---------------
.
c:\midimap.dll --> c:\windows\system32\midimap.dll
c:\comres.dll --> c:\windows\system32\comres.dll
c:\user32.dll --> c:\windows\system32\user32.dll
c:\explorer.exe --> c:\windows\explorer.exe
c:\usp10.dll --> c:\windows\system32\usp10.dll
c:\ctfmon.exe --> c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 21:35 . 2008-04-14 12:42 37376 ------w- C:\ctfmon.exe
2011-06-24 21:35 . 2008-04-14 12:42 575488 ------w- C:\user32.dll
2011-06-24 21:35 . 2008-04-14 12:41 32256 ------w- C:\midimap.dll
2011-06-24 21:35 . 2008-04-14 12:41 1444864 ------w- C:\comres.dll
2011-06-19 21:14 . 2011-06-19 21:14 -------- d-----w- c:\program files\7-Zip
2011-06-18 12:03 . 2011-06-18 12:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-06-16 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-16 16:36 . 2011-06-24 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-16 16:01 . 2011-06-16 16:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 15:57 . 2011-06-24 15:56 -------- d-----w- c:\program files\World of Warcraft
2011-06-16 06:19 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-06-16 06:17 . 2011-04-21 13:52 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-16 06:16 . 2011-04-30 03:01 758784 ------w- c:\windows\system32\dllcache\vgx.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:30 . 2009-12-09 14:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:47 . 2011-04-19 05:22 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-04-15 02:06 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-04-15 02:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2009-03-08 18:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2009-03-08 18:35 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:52 . 2008-04-29 02:58 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[-] 2009-04-14 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
[-] 2008-04-14 12:41 . 305A986FA2FF569D333CCA2AE3AE321D . 1444864 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2009-04-15 . DB3B9755F265C37319DF9AFF4FDDF717 . 568832 . . [5.1.2600.5714] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2008-07-03 . 6DA7EDB6D1289B0B8A6DED512EBCB1AB . 1440768 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2008-04-15 . DD973467A6C5CFE264F112CB3946E8BD . 263680 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2009-04-15 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
.
[-] 2008-04-14 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
.
[-] 2008-04-14 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2009-04-15 53248]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2010-8-27 10257920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^TimeLeft.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\TimeLeft.lnk
backup=c:\windows\pss\TimeLeft.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMaker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MacroMaker.lnk
backup=c:\windows\pss\MacroMaker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 37376 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-07-25 23:30 3220912 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2007-04-11 23:32 56080 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-01-09 19:13 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
2008-09-17 15:12 737408 ----a-w- c:\program files\PowerStrip\PStrip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 18:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-08-15 15:47 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-03-09 02:52 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\mirc-babra\\mirc.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Old Computer Files\\mirc-diamonds\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56589:TCP"= 56589:TCP:Pando Media Booster
"56589:UDP"= 56589:UDP:Pando Media Booster
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 6:49 AM 64288]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 6:37 PM 27992]
R4 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/16/2011 9:36 AM 366640]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\FarMntIo.sys [12/11/2009 12:05 AM 13184]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 LLRING0;LLRING0;\??\c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys --> c:\program files\FortressMU\FMU S4 V3\fortress 3d\MuGuard\llck1.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/9/2009 4:19 PM 40060]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 18:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office-2002\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_674125AABFE11C21.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\o564exhs.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-24 14:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1580818891-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,2e,01,e1,86,3f,ee,46,82,50,9d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,47,c9,1b,c9,cb,7e,02,ce,f6,b0,b7,b0,17,6d,de,79,38,af,ec,82,
91,67,1b,a0,51,b3,41,f2,41,19,cd,c4,a4,8c,de,48,b6,be,ab,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f8eeab2b-dc06-4946-916b-ec1b4f33bc90}]
@Denied: (Full) (Everyone)
"Model"=dword:00000155
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(520)
c:\windows\system32\setupapi.dll
.
Completion time: 2011-06-24 14:49:07
ComboFix-quarantined-files.txt 2011-06-24 21:49
ComboFix2.txt 2011-06-24 03:14
.
Pre-Run: 240,827,006,976 bytes free
Post-Run: 240,816,386,048 bytes free
.
- - End Of File - - 344E337D77D8D4C34CB14B9B46C8F45F
__________________
Babra is offline  
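Added example, not from this thread and not part of ComboFix: a small Python parser for the Sigcheck section of a ComboFix log that diffs the two runs above (06-23 and 06-24) and checks a logged MD5 against the hash an online scanner reports for the uploaded file. The sample excerpts are constructed in the shape of the logs above using values from them; the function names and the status labels are mine.

```python
"""Diff the Sigcheck sections of two ComboFix logs and cross-check a hash.

Handles the three line shapes seen in the thread's logs:
  [-] 2009-04-15 02:01 . <MD5> . <size> . . [<version>] . . <path>   (HH:MM optional)
  <path> ... is missing !!
  <path> . . . is infected!!
"""
import re
from dataclasses import dataclass

SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\."
    r"\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$")
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected\s*!!\s*$")


@dataclass(frozen=True)
class SigEntry:
    status: str   # marker as printed by ComboFix ("-" or "7"); not interpreted here
    date: str     # file date as printed
    md5: str      # upper-cased so hashes from different tools compare equal
    size: int
    version: str
    path: str     # path as printed (dict keys below are lower-cased)


def parse_sigcheck(text):
    """Return {"entries": {path: SigEntry}, "missing": set, "infected": set}."""
    entries, missing, infected = {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGCHECK_RE.match(line)
        if m:
            entries[m["path"].lower()] = SigEntry(
                m["status"], m["date"], m["md5"].upper(), int(m["size"]), m["version"], m["path"])
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.add(m["path"].lower())
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.add(m["path"].lower())
    return {"entries": entries, "missing": missing, "infected": infected}


def diff_runs(before, after):
    """Per path, say what changed between two parsed runs (labels are mine)."""
    report = {}
    paths = set(before["entries"]) | set(after["entries"]) | before["missing"] | after["missing"]
    for p in sorted(paths):
        b, a = before["entries"].get(p), after["entries"].get(p)
        if b and a:
            if b.md5 != a.md5:
                report[p] = "hash changed"
            elif b.date != a.date:
                report[p] = "same hash, timestamp changed"   # replaced by an identical copy
            else:
                report[p] = "unchanged"                      # replacement step had no effect
        elif a and p in before["missing"]:
            report[p] = "restored"
        elif b and p in after["missing"]:
            report[p] = "now missing"
        elif p in before["missing"] and p in after["missing"]:
            report[p] = "still missing"
        else:
            report[p] = "new" if a else "gone"
    return report


def check_against_scan(parsed, path, scanner_md5):
    """True when the log's MD5 for `path` equals the MD5 an online scanner reported."""
    entry = parsed["entries"].get(path.lower())
    return entry is not None and entry.md5 == scanner_md5.upper()


# Constructed excerpts in the shape of the two ComboFix runs in the thread.
LOG_0623 = r"""
[-] 2009-04-15 02:01 . 305A986FA2FF569D333CCA2AE3AE321D . 1444864 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2009-04-15 . DB3B9755F265C37319DF9AFF4FDDF717 . 568832 . . [5.1.2600.5714] . . c:\windows\system32\winlogon.exe
[-] 2009-04-15 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\system32\midimap.dll . . . is infected!!
"""
LOG_0624 = r"""
[-] 2008-04-14 12:41 . 305A986FA2FF569D333CCA2AE3AE321D . 1444864 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2009-04-15 . DB3B9755F265C37319DF9AFF4FDDF717 . 568832 . . [5.1.2600.5714] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\system32\midimap.dll . . . is infected!!
"""


def thread_report():
    """Diff of the two constructed excerpts above."""
    return diff_runs(parse_sigcheck(LOG_0623), parse_sigcheck(LOG_0624))


if __name__ == "__main__":
    for path, verdict in thread_report().items():
        print(f"{verdict:30} {path}")
```

Run against the thread's own logs, winlogon.exe comes out "unchanged" while comres.dll and midimap.dll take the CD copy's file date with the same hash, which is how one spots that the winlogon expand step did not run and that the restored midimap.dll is byte-identical to the one ComboFix keeps flagging.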
Old 06-24-2011, 10:38 PM   #14
Security Team
Analyst
 
RPMcMurphy's Avatar
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

Please do this for me:

Go to My Computer-> Tools-> Folder Options-> View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to one of the below sites to scan the following files:
virscan.org
Virus Total

Click on Browse, and upload the following file for analysis:
c:\windows\system32\midimap.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
__________________


ASAP & UNITE Member
RPMcMurphy is offline  
Old 06-25-2011, 07:05 AM   #15
Registered Member
 
Babra's Avatar
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

VirSCAN.org Scanned Report :
Scanned time : 2011/06/25 07:00:55 (PDT)
Scanner results: Scanners did not find malware!
File Name : midimap.dll
File Size : 32256 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 448937cf6d5d4a4009532df67b205f92
SHA1 : e56e78ad3e2dde06a630ba4b74bee61090c2b43c
Online report : midimap.dll MD5:448937cf6d5d4a4009532df67b205f92 - VirSCAN.org Scanners did not find malware!

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110625143734 2011-06-25 5.46 -
AhnLab V3 2011.06.24.01 2011.06.24 2011-06-24 8.51 -
AntiVir 8.2.5.24 7.11.10.104 2011-06-24 0.28 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 -
Arcavir 2011 201105080215 2011-05-08 0.03 -
Authentium 5.1.1 201106241321 2011-06-24 1.43 -
AVAST! 4.7.4 110625-0 2011-06-25 0.01 -
AVG 8.5.850 271.1.1/3725 2011-06-25 0.25 -
BitDefender 7.90123.7406640 7.37559 2011-05-24 0.00 -
ClamAV 0.96.5 13238 2011-06-25 0.02 -
Comodo 4.0 9182 2011-06-25 1.45 -
CP Secure 1.3.0.5 2011.06.25 2011-06-25 0.05 -
Dr.Web 5.0.2.3300 2011.06.25 2011-06-25 12.84 -
F-Prot 4.4.4.56 20110624 2011-06-24 1.45 -
F-Secure 7.02.73807 2011.06.25.01 2011-06-25 12.97 -
Fortinet 4.2.257 13.360 2011-06-24 3.71 -
GData 22.711/22.183 20110625 2011-06-25 13.46 -
ViRobot 20110624 2011.06.24 2011-06-24 0.35 -
Ikarus T3.1.32.20.0 2011.06.25.78677 2011-06-25 4.81 -
JiangMin 13.0.900 2011.06.24 2011-06-24 1.58 -
Kaspersky 5.5.10 2011.06.25 2011-06-25 0.12 -
KingSoft 2009.2.5.15 2011.6.25.9 2011-06-25 0.81 -
McAfee 5400.1158 6387 2011-06-24 9.66 -
Microsoft 1.7000 2011.06.24 2011-06-24 15.37 -
NOD32 3.0.21 6228 2011-06-22 0.01 -
Norman 6.07.10 6.07.00 2011-06-25 18.02 -
Panda 9.05.01 2011.06.24 2011-06-24 3.06 -
Trend Micro 9.200-1012 8.248.03 2011-06-25 0.03 -
Quick Heal 11.00 2011.06.23 2011-06-23 4.22 -
Rising 20.0 23.63.04.01 2011-06-24 3.21 -
Sophos 3.20.2 4.66 2011-06-25 5.47 -
Sunbelt 3.9.2496.2 9684 2011-06-24 0.98 -
Symantec 1.3.0.24 20110624.002 2011-06-24 0.07 -
nProtect 20110601.01 3460661 2011-06-01 8.31 -
The Hacker 6.7.0.1 v00176 2011-04-18 0.56 -
VBA32 3.12.16.3 20110624.1226 2011-06-24 4.93 -
VirusBuster 5.3.0.4 14.0.94.0/5468796 2011-06-24 0.00 -
__________________
Babra is offline  
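The request in post #14 and the VirSCAN report in post #15 together hinge on one check a responder should be able to make locally: that the MD5/SHA1 the online scanner printed really describe the file on the disk. The script below is an added example (not VirSCAN's, VirusTotal's, or the forum's code) that streams a file through MD5, SHA1 and SHA-256 and lists any field that disagrees with a scanner report. The reported values are copied from the post above; the temporary file it writes in the demo is a constructed placeholder, not midimap.dll.

```python
"""Hash a local file and compare it with the values an online scanner reported.
Added example; the REPORTED_MIDIMAP values are taken from the VirSCAN report
posted above, everything else is a constructed demonstration."""
import hashlib
import os
import tempfile

# Hashes and size VirSCAN printed for midimap.dll in the post above
REPORTED_MIDIMAP = {
    "md5": "448937cf6d5d4a4009532df67b205f92",
    "sha1": "e56e78ad3e2dde06a630ba4b74bee61090c2b43c",
    "size": 32256,
}


def hash_file(path, chunk_size=1 << 16):
    """Stream the file through MD5, SHA1 and SHA-256; return hex digests plus size."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def compare_with_report(actual, reported):
    """Return the fields that disagree (hex compared case-insensitively).
    Fields the report does not list are skipped, not counted as mismatches."""
    mismatches = []
    for field, reported_value in reported.items():
        if field not in actual:
            continue
        a, r = actual[field], reported_value
        if isinstance(r, str):
            a, r = a.lower(), r.strip().lower()
        if a != r:
            mismatches.append(field)
    return mismatches


def check_against_report(path, reported):
    """True only when every hash/size the report lists matches the local file."""
    return not compare_with_report(hash_file(path), reported)


def write_temp(data):
    """Write bytes to a throwaway file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed demo input so the script runs without a real DLL
    sample = write_temp(b"constructed sample, not a real DLL")
    print(hash_file(sample))
    print("matches posted report:", check_against_report(sample, REPORTED_MIDIMAP))
    os.unlink(sample)
```

A clean result from thirty-odd engines on a file Windows ships with is the expected outcome; the useful information is whether the hashes match the copy on the machine (and, when a known-good SP3 install is available, whether they match that copy too). A mismatch in size or digest means the verdict belongs to a different file than the one being investigated.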
Old 06-25-2011, 08:45 PM   #16
Security Team
Analyst
 
RPMcMurphy's Avatar
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

Is the installation disk you're using a Windows XP Professional, Service Pack 3 disk? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java(TM) can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log
__________________


ASAP & UNITE Member
RPMcMurphy is offline  
Old 06-25-2011, 08:55 PM   #17
Registered Member
 
Babra's Avatar
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

I can't complete the first step. I do not have an Update Tab in the Java Control Panel nor can I find anything in any tab that offers a button to update.

I do have a WinXP Pro SP3 disk.
__________________
Babra is offline  
Old 06-25-2011, 09:54 PM   #18
Security Team
Analyst
 
RPMcMurphy's Avatar
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

OK, update Java by going to this page. Press the "Free Java Download" button near the center of the page and follow the prompts from there.

Then run those two scans and post the logs for me.
__________________


ASAP & UNITE Member
RPMcMurphy is offline  
Old 06-25-2011, 11:09 PM   #19
Registered Member
 
Babra's Avatar
 
Join Date: Jul 2005
Location: California
Posts: 16
OS: WinXP Pro Service Pack 3


Re: Virus suspected

Malwarebytes' Anti-Malware 1.51.0.1200
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 6952

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/25/2011 10:16:35 PM
mbam-log-2011-06-25 (22-16-35).txt

Scan type: Quick scan
Objects scanned: 146686
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\ctfmon.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.


-----------------------------------------

ESET Online Scanner

Scan results

No threats found.

Scanned Files: 117916
Infected Files: 0
Cleaned Files: 0
Total scan time: 00:39:16
Scan status: Finished
__________________
Babra is offline  
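The one hit in the MBAM log above is a file carrying a Windows system binary's name (ctfmon.exe) but sitting in the root of C: rather than in system32, which is the pattern behind the Trojan.FakeMS label. The script below is an added example (not Malwarebytes' or the forum's code) that parses a log excerpt in the format posted and flags detections whose file name belongs to a known system binary located outside its home directory. The sample log is constructed from the posted report plus one invented benign line; the expected-location table is an assumption for a Windows XP layout and covers only the files named in this thread.

```python
"""Parse an MBAM log excerpt and flag system-binary names found outside their
home directory. Added example, not Malwarebytes' code; SAMPLE_LOG is built
from the report posted above plus one invented line."""
import ntpath
import re

# Expected home directories (assumption: Windows XP layout; lower-case, no drive
# letter, backslash separators). Only the files named in this thread are listed.
EXPECTED_HOME = {
    "ctfmon.exe": r"\windows\system32",
    "user32.dll": r"\windows\system32",
    "comres.dll": r"\windows\system32",
    "midimap.dll": r"\windows\system32",
    "regedit.exe": r"\windows",
}

# "<path> (<family>) -> <action>"  and  "<category> Infected: <n>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
COUNT_RE = re.compile(r"^(?P<what>[A-Za-z ]+?) Infected: (?P<n>\d+)$")

# Constructed sample: the first detection line is the one from the posted log,
# the second is invented to show a non-system file passing the location check.
SAMPLE_LOG = """\
Files Infected: 2

Files Infected:
c:\\ctfmon.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\\docs\\readme.exe (Constructed.Example) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (summary counts by category, list of (path, family, action))."""
    counts, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("what")] = int(m.group("n"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m.group("path"), m.group("family"), m.group("action")))
    return counts, detections


def masquerade_location(path):
    """If `path` names a known system binary that is NOT in its expected
    directory, return that expected directory; otherwise return None."""
    norm = ntpath.normcase(path)            # lower-case, backslashes
    _drive, rest = ntpath.splitdrive(norm)
    directory, name = ntpath.split(rest)
    expected = EXPECTED_HOME.get(name)
    if expected is None or directory.rstrip("\\") == expected:
        return None
    return expected


def triage(text):
    """Parse the log and annotate each detection with its expected home, if any."""
    counts, detections = parse_mbam_log(text)
    rows = [(p, f, a, masquerade_location(p)) for p, f, a in detections]
    return counts, rows


if __name__ == "__main__":
    counts, rows = triage(SAMPLE_LOG)
    print("summary:", counts)
    for path, family, action, expected in rows:
        flag = f"system-binary name outside {expected}" if expected else "location ok"
        print(f"{path}  [{family}]  {action}  -> {flag}")
```

The location check is the part worth keeping after the log is gone: the same test can be run against the file list from a later scan request, such as the four paths asked for in the next post, to confirm that a name like regedit.exe or user32.dll is being analysed from its real location.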
Old 06-26-2011, 07:04 PM   #20
Security Team
Analyst
 
RPMcMurphy's Avatar
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,010
OS: Windows Vista / Win 7


Re: Virus suspected

Babra:

Please do this next:

Please go to one of the below sites to scan the following files:

Virus Total
virscan.org

Click on Browse, and upload the following files, one at a time, for analysis:
c:\windows\system32\comres.dll
c:\windows\system32\user32.dll
c:\windows\regedit.exe
c:\windows\system32\ctfmon.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Download Genuine Advantage Diagnostic Tool from HERE and save it to your desktop
  • Double click on the file to run it
  • When it is finished a report will open. Go to the "Windows" tab
  • Press the "Copy" button and paste the results in your next post
Please include the following in your next post:
  • File analysis results
  • MGAD log

__________________


ASAP & UNITE Member
RPMcMurphy is offline  
Copyright 2001 - 2012, Tech Support Forum