[Solved] Help remove rootkit virus identified by Malwarebytes


pachi

A month ago I lost one hard disk due to a system crash - the reason being the same notorious rootkit virus.

My second machine, a Dell Optiplex running Win XP, is now infected. I have been running Malwarebytes and Symantec AntiVirus for over a week with updated files every day, but just Malwarebytes detected the rootkit, and I got a blue screen. I need to remove this carefully without losing my second machine. Please help!
 
Downloaded ComboFix.exe, OTL.exe, JavaRa.zip, TFC.exe... just waiting for your instructions, sir!

I have started and begun to post the results from your 8-step process. Please review and let me know if you see any issues.

Thanks
Pachi
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0x8AB73000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7438000 qevuue.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF7607000 MountMgr.sys
0xF7419000 ftdisk.sys
0xF798B000 dmload.sys
0xF7871000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF7401000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7851000 fltmgr.sys
0xF798D000 ghmon.sys
0xF7647000 PxHelp20.sys
0xF783A000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF795A000 NDIS.sys
0xF7A35000 Mup.sys
0xF7657000 agp440.sys
0xB9ED0000 \SystemRoot\system32\DRIVERS\smsmdm.sys
0xB9230000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA720000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xB9182000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
0xB9157000 \SystemRoot\System32\DRIVERS\b57xp32.sys
0xF776F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB9133000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7777000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xB909D000 \SystemRoot\system32\drivers\smwdm.sys
0xB9079000 \SystemRoot\system32\drivers\portcls.sys
0xBA710000 \SystemRoot\system32\drivers\drmk.sys
0xB9056000 \SystemRoot\system32\drivers\ks.sys
0xF79FB000 \SystemRoot\system32\drivers\aeaudio.sys
0xB9042000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7677000 \SystemRoot\System32\DRIVERS\serial.sys
0xB984B000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF7687000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7697000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF76A7000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF777F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF79FD000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7AA0000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF76B7000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB9847000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB902B000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF76C7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF76D7000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7787000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB901A000 \SystemRoot\System32\DRIVERS\psched.sys
0xF76E7000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF778F000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7797000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB8FEA000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF7587000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF779F000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF77A7000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79FF000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB8F8C000 \SystemRoot\System32\DRIVERS\update.sys
0xB982B000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xB6970000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB65F6000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xB79DC000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xB79DA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB5DD3000 \SystemRoot\System32\Drivers\Null.SYS
0xB79D8000 \SystemRoot\System32\Drivers\Beep.SYS
0xB6783000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xB677B000 \SystemRoot\System32\drivers\vga.sys
0xB79D6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB79D4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB6773000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB676B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB66D9000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xA49EC000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xA4993000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xA4958000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA4932000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xA4910000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xA48E8000 \SystemRoot\System32\DRIVERS\netbt.sys
0xA48C6000 \SystemRoot\System32\drivers\afd.sys
0xB65D6000 \SystemRoot\System32\DRIVERS\netbios.sys
0xA48B2000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xA4887000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB66B9000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xA4817000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB65A6000 \SystemRoot\System32\Drivers\Fips.SYS
0xA47B9000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9E9DE000 \SystemRoot\System32\DRIVERS\wanarp.sys
0x9EC82000 \SystemRoot\System32\DRIVERS\hidusb.sys
0x9E9CE000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0x9EC7E000 \SystemRoot\System32\DRIVERS\mouhid.sys
0x9E8B8000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0x9EC76000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0x9E1E0000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x9E385000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9E1C8000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA0881000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0x9EC5E000 \SystemRoot\System32\drivers\Dxapi.sys
0x9E50C000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA028000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF040000 \SystemRoot\System32\ialmdev5.DLL
0xBF065000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB6D78000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0x9E113000 \SystemRoot\system32\drivers\wdmaud.sys
0x9E3A5000 \SystemRoot\system32\drivers\sysaudio.sys
0x9DDC0000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xA1305000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA760000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0x9DA20000 \SystemRoot\System32\DRIVERS\srv.sys
0x9CD49000 \SystemRoot\System32\Drivers\HTTP.sys
0x9CAC1000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0x9C973000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\navex15.sys
0x9C95F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\naveng.sys
0x9CBD1000 \SystemRoot\System32\Drivers\usbaapl.sys
0x9B677000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
616 C:\WINDOWS\system32\smss.exe
664 csrss.exe
688 C:\WINDOWS\system32\winlogon.exe
736 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\svchost.exe
1012 svchost.exe
1248 svchost.exe
1456 svchost.exe
1592 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1644 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1796 C:\WINDOWS\system32\spoolsv.exe
816 C:\WINDOWS\explorer.exe
1236 C:\WINDOWS\system32\hkcmd.exe
1296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1304 C:\PROGRA~1\SYMANT~1\VPTray.exe
1312 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
1384 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1392 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
1408 C:\Program Files\QuickTime\QTTask.exe
1444 C:\Program Files\iTunes\iTunesHelper.exe
1576 C:\WINDOWS\system32\rundll32.exe
1844 C:\WINDOWS\system32\ctfmon.exe
1904 C:\Program Files\Messenger\msmsgs.exe
1984 svchost.exe
2040 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
236 C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
292 C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
344 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
484 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
632 C:\Program Files\Bonjour\mDNSResponder.exe
652 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
1200 C:\Program Files\Symantec AntiVirus\DefWatch.exe
2148 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
2256 C:\Program Files\Java\jre6\bin\jqs.exe
2308 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
2336 C:\Program Files\Symantec\Ghost\ngctw32.exe
2484 C:\Program Files\WinZip\WZQKPICK.EXE
2896 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
2928 C:\Program Files\Symantec AntiVirus\SavRoam.exe
3264 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
3324 C:\WINDOWS\system32\svchost.exe
3364 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
3424 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
3592 C:\Program Files\RealVNC\WinVNC\winvnc.exe
3704 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
3884 C:\WINDOWS\system32\searchindexer.exe
3980 C:\WINDOWS\system32\CCM\CcmExec.exe
4016 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2388 C:\WINDOWS\system32\svchost.exe
2760 C:\Program Files\iPod\bin\iPodService.exe
1360 alg.exe
3204 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
2372 C:\Program Files\Internet Explorer\iexplore.exe
1380 C:\Program Files\Internet Explorer\iexplore.exe
3296 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
1440 WISPTIS.EXE
5576 C:\Program Files\Internet Explorer\iexplore.exe
3672 C:\WINDOWS\system32\svchost.exe
4240 C:\Program Files\Internet Explorer\iexplore.exe
3156 C:\Program Files\Internet Explorer\iexplore.exe
4608 C:\Documents and Settings\Administrator\My Documents\MBRCheck.exe
5920 wmiprvse.exe
900 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800JD-75HKA1, Rev: 14.03G14

Size    Device Name         MBR Status
--------------------------------------------
74 GB   \\.\PhysicalDrive0  Windows XP MBR code detected
        SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
ComboFix 10-11-30.02 - administrator 11/30/2010 19:45:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2275 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\install.rdf
c:\documents and settings\JayV\System
c:\documents and settings\JayV\System\win_qs7.jqx
c:\documents and settings\JayV\System\win_qs8.jqx
c:\windows\axagupiseriyo.dll

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.

2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
2010-11-13 19:19 . 2010-12-01 03:10 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-13 19:18 . 2010-11-13 19:18 0 ----a-w- c:\windows\system32\lsp179C.tmp
2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
2010-11-03 05:28 . 2010-11-03 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\JayV\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
"59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]

--- Other Services/Drivers In Memory ---

*Deregistered* - qevuue

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ccsend.com
Trusted Zone: constantcontact.com
Trusted Zone: ic.aiall
Trusted Zone: icrossing.com
Trusted Zone: icrossing.net
Trusted Zone: projectorpsa.com
Trusted Zone: proxicom.com
Trusted Zone: prxm.corp
Trusted Zone: zendesk.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Xyacasus - c:\windows\axagupiseriyo.dll
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-30 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\WININET.dll
c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-11-30 20:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-01 03:19

Pre-Run: 37,342,138,368 bytes free
Post-Run: 39,402,119,168 bytes free

- - End Of File - - C4C0553CD0F1E2239B7EC3F5D5E2D3F7
 
2010/11/30 20:29:48.0712 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/30 20:29:48.0712 ================================================================================
2010/11/30 20:29:48.0712 SystemInfo:
2010/11/30 20:29:48.0712
2010/11/30 20:29:48.0712 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/30 20:29:48.0712 Product type: Workstation
2010/11/30 20:29:48.0712 ComputerName: COMPUTER
2010/11/30 20:29:48.0712 UserName: administrator
2010/11/30 20:29:48.0712 Windows directory: C:\WINDOWS
2010/11/30 20:29:48.0712 System windows directory: C:\WINDOWS
2010/11/30 20:29:48.0712 Processor architecture: Intel x86
2010/11/30 20:29:48.0712 Number of processors: 2
2010/11/30 20:29:48.0712 Page size: 0x1000
2010/11/30 20:29:48.0712 Boot type: Normal boot
2010/11/30 20:29:48.0712 ================================================================================
2010/11/30 20:29:48.0869 Initialize success
2010/11/30 20:29:54.0338 ================================================================================
2010/11/30 20:29:54.0338 Scan started
2010/11/30 20:29:54.0338 Mode: Manual;
2010/11/30 20:29:54.0338 ================================================================================
2010/11/30 20:29:56.0197 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/30 20:29:56.0260 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/30 20:29:56.0338 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/11/30 20:29:56.0369 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/30 20:29:56.0431 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/30 20:29:56.0478 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/30 20:29:56.0728 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/30 20:29:56.0775 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/30 20:29:56.0853 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/30 20:29:56.0885 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/30 20:29:56.0947 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/11/30 20:29:57.0025 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/30 20:29:57.0119 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/30 20:29:57.0166 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/30 20:29:57.0275 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/30 20:29:57.0306 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/30 20:29:57.0353 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/30 20:29:57.0588 DigimHID (542c9e8f02166e2d4e6f565d4162321e) C:\WINDOWS\system32\DRIVERS\DigimHID.sys
2010/11/30 20:29:57.0744 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/30 20:29:57.0869 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/30 20:29:57.0947 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/30 20:29:57.0994 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/30 20:29:58.0056 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/30 20:29:58.0119 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/11/30 20:29:58.0150 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/11/30 20:29:58.0181 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
2010/11/30 20:29:58.0260 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/30 20:29:58.0431 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/11/30 20:29:58.0463 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/11/30 20:29:58.0525 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/30 20:29:58.0572 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/30 20:29:58.0635 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/30 20:29:58.0681 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/30 20:29:58.0728 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/30 20:29:58.0791 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/30 20:29:58.0822 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/30 20:29:58.0885 G400 (36feb2ddce5f84128c2a8dbc60538dad) C:\WINDOWS\system32\DRIVERS\G400m.sys
2010/11/30 20:29:59.0072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/11/30 20:29:59.0135 GhMon (8a308adb228964a5c870c52f074b2b12) C:\WINDOWS\system32\Drivers\ghmon.sys
2010/11/30 20:29:59.0181 GhPostConfig (533068628f3f0d4457e97d8d23039a05) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
2010/11/30 20:29:59.0213 GhPostConfig_Auto (533068628f3f0d4457e97d8d23039a05) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
2010/11/30 20:29:59.0306 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/30 20:29:59.0353 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/30 20:29:59.0463 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/30 20:29:59.0525 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/11/30 20:29:59.0619 ialm (6d4b680d5bf352cd0951aadd4de119ef) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/11/30 20:29:59.0697 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/30 20:29:59.0791 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/30 20:29:59.0853 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/30 20:29:59.0885 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/30 20:29:59.0947 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/30 20:30:00.0010 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/30 20:30:00.0088 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/30 20:30:00.0119 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/30 20:30:00.0275 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/30 20:30:00.0322 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/30 20:30:00.0385 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/30 20:30:00.0400 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/30 20:30:00.0447 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/30 20:30:00.0494 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/30 20:30:00.0588 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/30 20:30:00.0682 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/30 20:30:00.0728 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/30 20:30:00.0853 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/30 20:30:00.0885 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/30 20:30:00.0947 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/30 20:30:01.0010 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/30 20:30:01.0072 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/30 20:30:01.0103 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/30 20:30:01.0135 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/30 20:30:01.0166 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/30 20:30:01.0244 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/30 20:30:01.0307 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/30 20:30:01.0353 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/30 20:30:01.0400 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/30 20:30:01.0603 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\naveng.sys
2010/11/30 20:30:01.0682 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\navex15.sys
2010/11/30 20:30:01.0853 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/30 20:30:01.0916 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/30 20:30:01.0978 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/30 20:30:02.0041 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/30 20:30:02.0057 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/30 20:30:02.0088 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/30 20:30:02.0103 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/30 20:30:02.0182 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/30 20:30:02.0291 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/30 20:30:02.0385 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/30 20:30:02.0447 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/30 20:30:02.0494 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/30 20:30:02.0525 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/30 20:30:02.0572 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/11/30 20:30:02.0682 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/30 20:30:02.0697 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/30 20:30:02.0728 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/30 20:30:02.0760 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/30 20:30:02.0822 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/30 20:30:02.0869 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/30 20:30:03.0103 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/30 20:30:03.0228 prepdrvr (3909be53ad8e2bfcac9d9148e4b2b270) C:\WINDOWS\system32\CCM\prepdrv.sys
2010/11/30 20:30:03.0244 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/30 20:30:03.0275 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/30 20:30:03.0322 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/30 20:30:03.0338 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/30 20:30:03.0353 Suspicious service (NoAccess): qevuue
2010/11/30 20:30:03.0416 qevuue (04c326d963c612aa98da6c044ee606d7) C:\WINDOWS\system32\drivers\qevuue.sys
2010/11/30 20:30:03.0416 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\qevuue.sys. md5: 04c326d963c612aa98da6c044ee606d7
2010/11/30 20:30:03.0416 qevuue - detected Locked service (1)
2010/11/30 20:30:03.0682 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/30 20:30:03.0713 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/30 20:30:03.0791 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/30 20:30:03.0807 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/30 20:30:03.0838 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/30 20:30:03.0869 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/30 20:30:03.0932 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/30 20:30:03.0979 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/30 20:30:04.0025 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/30 20:30:04.0119 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/11/30 20:30:04.0182 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/11/30 20:30:04.0385 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/11/30 20:30:04.0463 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2010/11/30 20:30:04.0525 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/30 20:30:04.0697 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/30 20:30:04.0713 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/30 20:30:04.0775 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/30 20:30:04.0885 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/30 20:30:04.0963 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
2010/11/30 20:30:05.0072 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
2010/11/30 20:30:05.0213 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/11/30 20:30:05.0291 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/30 20:30:05.0354 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/30 20:30:05.0447 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/30 20:30:05.0525 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/11/30 20:30:05.0557 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/30 20:30:05.0604 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/30 20:30:05.0682 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/30 20:30:05.0885 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
2010/11/30 20:30:06.0010 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/11/30 20:30:06.0088 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/11/30 20:30:06.0213 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/30 20:30:06.0338 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/30 20:30:06.0416 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/30 20:30:06.0447 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/30 20:30:06.0510 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/30 20:30:06.0619 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/30 20:30:06.0729 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/30 20:30:06.0807 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/11/30 20:30:06.0885 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/30 20:30:06.0916 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/30 20:30:06.0979 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/30 20:30:07.0025 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/30 20:30:07.0057 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/30 20:30:07.0119 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/30 20:30:07.0182 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\drivers\usbser.sys
2010/11/30 20:30:07.0322 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/30 20:30:07.0385 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/30 20:30:07.0463 V0060VID (b70abf0aeb47c1301a69b5d06b3079ca) C:\WINDOWS\system32\DRIVERS\V0060Vid.sys
2010/11/30 20:30:07.0510 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/30 20:30:07.0604 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/30 20:30:07.0697 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/30 20:30:07.0807 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/30 20:30:07.0994 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/30 20:30:08.0072 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/30 20:30:08.0151 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/30 20:30:08.0197 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/30 20:30:08.0416 ================================================================================
2010/11/30 20:30:08.0416 Scan finished
2010/11/30 20:30:08.0416 ================================================================================
2010/11/30 20:30:08.0447 Detected object count: 1
2010/11/30 20:30:20.0120 Locked service(qevuue) - User select action: Skip
 
Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Thanks Broni,

I just ran MBM overnight. The rootkit still exists. From the Show Results screen I deleted the infected file.
 
MBM log from this morning.

MBM log from this morning attached to this post.
 

Attachments

  • mbam-log-2010-12-01 (09-48-30).txt
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-02 21:27:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD800JD-75HKA1 rev.14.03G14
Running: 6w25mgz1[1].exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgldqpow.sys


---- System - GMER 1.0.15 ----

SSDT 8A911408 ZwAlertResumeThread
SSDT 8AA52390 ZwAlertThread
SSDT 8AA8AC60 ZwAllocateVirtualMemory
SSDT 8A8F4B70 ZwConnectPort
SSDT 8A961E78 ZwCreateMutant
SSDT 8A9612B8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9C3E350] <-- ROOTKIT !!!
SSDT 8AABDC08 ZwFreeVirtualMemory
SSDT 8A93E958 ZwImpersonateAnonymousToken
SSDT 8AA8AB98 ZwImpersonateThread
SSDT 8A970AC8 ZwMapViewOfSection
SSDT 8ABE7178 ZwOpenEvent
SSDT 8A96D110 ZwOpenProcessToken
SSDT 8ABC7A50 ZwOpenThreadToken
SSDT 8ABE6BC8 ZwQueryValueKey
SSDT 8A9B6808 ZwResumeThread
SSDT 8A95CE50 ZwSetContextThread
SSDT 8AAA8DE8 ZwSetInformationProcess
SSDT 8A90D0B0 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9C3E580] <-- ROOTKIT !!!
SSDT 8AA8CF00 ZwSuspendProcess
SSDT 8AC3C350 ZwSuspendThread
SSDT 8A9667B0 ZwTerminateProcess
SSDT 8AC82268 ZwTerminateThread
SSDT 8AA8CA08 ZwUnmapViewOfSection
SSDT 8A750110 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1DA 804E4A34 4 Bytes JMP D32FD4CC
.text ntoskrnl.exe!ZwYieldExecution + 406 804E4C60 8 Bytes CALL 30D8F6F2
? C:\WINDOWS\system32\drivers\qevuue.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7B77E55 4 Bytes CALL 8ACAD591

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1940] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2824] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3900] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\WINDOWS\System32\svchost.exe[3948] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1940] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3900] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [0040515C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515415FF
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 40504415
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 40515815
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC

---- Devices - GMER 1.0.15 ----

Device 8ABE5550
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice ghmon.sys (Ghost Enterprise client - volume mount filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip 8A96FA80
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp 8A96FA80
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp 8A96FA80
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp 8A96FA80

Device \Driver\SYMTDI \Device\SymTDI 8A96FA80
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] qevuue <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@goxgcpvq 188204166
Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@goxgcpvq 188204166
Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\Sus@FlushCacheFiles ???}????@????????????????u???????|???|????Z??????????|?|?|?|?|?|?|???????|??????????????????21????????????????f??}???|???????|????x???????????H??????>???????????????????|???|??WWW_OpenURL??|??? ???????|????????????????&??????????????s??????1???????????????? ???????|???????????%????????*???????????r????????????????????????e???????|????? ???????|?????|????????????????????????c???? ???????|??????????????????????????????????? ???????|?????}??????????x?????????????l???Local???? ???????|???????????|????????(?????1?????????????????????????}??????????|????????e??????????|?????????n????Matches all ICMP packets between this computer and any other computer.??????ipsecFilter{72385235-70fa-11d1-864c-14a300000000}?????"??|????????e?????All ICMP Traffic??????N??|???????D??{72385235-70fa-11d1-864c-14a300000000}??????? ??????????????e?????p??|????????????g??|????????a?????????????R????????? ?ICMP???????????????????????????????????????????????d?????|?|?|?|?|?|?|?|?|???????|???w??????????li??SOFTWARE\Policies\Microsoft\Windows

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

---- EOF - GMER 1.0.15 ----
 
Attach log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/25/2004 9:30:04 AM
System Uptime: 12/2/2010 6:41:14 PM (3 hours ago)

Motherboard: Dell Inc. | | 0G5611
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 36.437 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3100_3200_3300_Help
3100_3200_3300trb
3300
ACECAD DigiMemo Manager
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AiO_Scan_CDA
AiOSoftwareNPI
AOL Instant Messenger
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AudibleManager
Barracuda Networks Outlook Plugin 0.9d
Bonjour
Broadcom Gigabit Integrated Controller
Buzz Lightyear Astro Blasters
Capture NX 2
Compatibility Pack for the 2007 Office system
Configuration Manager Client
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
Creative WebCam Live! Ultra Driver (1.01.03.0127)
CueTour
Dell ResourceCD
DesignPro 5.0 Limited Edition
Destinations
DeviceManagementQFolder
DivX Version Checker
DocProc
DocProcQFolder
Documents To Go
eFax Messenger Plus 3.3
eSupportQFolder
Fax_CDA
FileZilla Client 3.3.5.1
FullDPAppQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GTK+ Runtime 2.12.1 rev a (remove only)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Internet Tablet Video Converter 0.22
iTunes
J2SE Runtime Environment 5.0 Update 3
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LAS Tracking Key / 3100 Programs
LimeWire 4.16.6
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Flash Player 8
magicJack
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.19)
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy_CDA
Nikon Message Center
Nikon RAW Codec
Nikon Transfer
Nokia Dicas Codecs
OCR Software by I.R.I.S 7.0
OGA Notifier 2.0.0048.0
PanoStandAlone
Photocopier Version 2.28
PhotoGallery
Picasa 3
Picture Control Utility
Pidgin
PowerDVD
ProductContextNPI
QuickBooks Premier: Professional Services Edition 2004
Quicken 2008
QuickTime
RandMap
RDC
Readme
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
SkinsHP1
SlideShow
SolutionCenter
Sonic_PrimoSDK
SoundMAX
Status
Symantec AntiVirus
Symantec Ghost Console Client
Toolbox
Transym TOCR
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewNX
Viewpoint Media Player
Visual Hindsight Professional Edition 1.2
VNC 3.3.7
WebEx
WebEx Meeting Manager for Mozilla Firefox/Netscape Navigator
WebFldrs XP
WebReg
WIMGAPI
Windows Defender
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
WinZip

==== Event Viewer Messages From Past Week ========

12/2/2010 6:45:52 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
12/2/2010 6:44:27 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79bb000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.
12/2/2010 6:43:28 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
12/2/2010 6:42:28 PM, error: SRService [104] - The System Restore initialization process failed.
12/2/2010 6:21:26 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79cf000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.
12/2/2010 6:20:49 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79b5000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.

==== End Of File ===========================
 
DDS log

DDS (Ver_10-11-27.01) - NTFSx86
Run by administrator at 21:31:26.98 on Thu 12/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2319 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [WinVNC] "c:\program files\realvnc\winvnc\WinVNC.exe" -servicehelper
mRun: [NGClient] c:\program files\symantec\ghost\ngctw32.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxli~1.lnk - c:\program files\efax messenger plus 3.3\J2GDllCmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxtr~1.lnk - c:\program files\efax messenger plus 3.3\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ccsend.com
Trusted Zone: constantcontact.com
Trusted Zone: ic.aiall
Trusted Zone: icrossing.com
Trusted Zone: icrossing.net
Trusted Zone: projectorpsa.com
Trusted Zone: proxicom.com
Trusted Zone: prxm.corp
Trusted Zone: zendesk.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/68.08/uploader2.cab
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264198550417
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264199414715
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.15.253:8080/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://compuwaremc.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
Handler: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - c:\windows\system32\viewers\ezspp.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\7ag21vps.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\7ag21vps.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=

============= SERVICES / DRIVERS ===============

R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [2004-8-26 6496]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\symantec\ghost\ngctw32.exe [2004-8-26 439448]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-31 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101202.002\naveng.sys [2010-12-2 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101202.002\navex15.sys [2010-12-2 1371184]
R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2010-11-20 196409]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [2004-8-26 198720]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [2004-8-26 198720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-10 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2007-2-5 5248]

=============== Created Last 30 ================

2010-12-02 18:18:57 -------- d-----w- C:\HouseBeautiful
2010-12-01 03:43:29 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-01 03:43:28 -------- d-----w- c:\program files\Trend Micro
2010-12-01 02:01:59 -------- d-sha-r- C:\cmdcons
2010-11-20 16:13:14 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-11-20 16:13:14 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-11-20 16:13:07 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-11-20 16:13:07 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-11-20 16:13:03 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-11-20 16:13:03 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-11-20 16:13:03 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-11-20 16:12:58 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-11-20 16:12:58 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-11-20 16:12:53 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-11-20 16:12:53 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-11-20 16:12:49 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-11-20 16:12:49 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-11-20 16:12:45 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-11-20 16:12:45 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-11-20 16:10:58 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-11-14 02:08:55 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-13 23:57:30 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-13 23:57:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 23:57:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-13 23:57:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 23:57:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 19:25:52 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 19:22:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\mJiBo02042
2010-11-13 19:19:07 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
2010-11-13 19:18:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-12 09:14:31 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{2412747f-8dcd-4ee2-b6f4-2809c630c6e7}\mpengine.dll
2010-11-03 05:28:28 -------- d-----w- c:\docume~1\admini~1\applic~1\Windows Search

==================== Find3M ====================

2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 20:57:44 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52:32 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52:32 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 21:32:27.26 ===============
 
MBAM fails while updating the current file (today's file) at 25%. Blue screen with system32\drivers\qevuue.sys IRQ .... error.

Should I try again now?
 
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5236

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2010 7:06:37 AM
mbam-log-2010-12-03 (07-06-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 568038
Time elapsed: 57 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
 
MBAM log: Rootkit.Agent still exists.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5238

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2010 9:18:57 AM
mbam-log-2010-12-03 (09-18-57).txt

Scan type: Quick scan
Objects scanned: 483911
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

==============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 