TechSpot

Help remove rootkit virus identified by Malwarebytes

Solved
By pachi
Nov 30, 2010
  1. A month ago I lost one harddisk due to system crash - reason been the same notorious virus rootkit.

    My second machine Dell Optiplex, running on Win XP is now infected. I have been running Malwarebytes and Symantec virus for over a week with updated files everyday but just Malwarebytes detected the rootkit and i got a blue screen. I need to remove this carefully without loosing my second machine. Please help!
     
  2. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Downloaded Combfix.exe, OTL.exe, JavaRa.zip, TFC.exe.. just waiting for your instructions sir!

    I have started and began to post the results from your 8 step process. Please review and let me know if you see any issues.

    Thanks
    Pachi
     
  3. pachi

    pachi TS Rookie Topic Starter Posts: 46

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0x8AB73000 \WINDOWS\system32\KDCOM.DLL
    0xF789B000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7987000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7438000 qevuue.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7989000 intelide.sys
    0xF7607000 MountMgr.sys
    0xF7419000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF7871000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF7401000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7851000 fltmgr.sys
    0xF798D000 ghmon.sys
    0xF7647000 PxHelp20.sys
    0xF783A000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF795A000 NDIS.sys
    0xF7A35000 Mup.sys
    0xF7657000 agp440.sys
    0xB9ED0000 \SystemRoot\system32\DRIVERS\smsmdm.sys
    0xB9230000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA720000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xB9182000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xB9157000 \SystemRoot\System32\DRIVERS\b57xp32.sys
    0xF776F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB9133000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7777000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB909D000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9079000 \SystemRoot\system32\drivers\portcls.sys
    0xBA710000 \SystemRoot\system32\drivers\drmk.sys
    0xB9056000 \SystemRoot\system32\drivers\ks.sys
    0xF79FB000 \SystemRoot\system32\drivers\aeaudio.sys
    0xB9042000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF7677000 \SystemRoot\System32\DRIVERS\serial.sys
    0xB984B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF7687000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF7697000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF76A7000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF777F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF79FD000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7AA0000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF76B7000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xB9847000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB902B000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF76C7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF76D7000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7787000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB901A000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF76E7000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF778F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF7797000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB8FEA000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF7587000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF779F000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF77A7000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF79FF000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB8F8C000 \SystemRoot\System32\DRIVERS\update.sys
    0xB982B000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xB6970000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB65F6000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xB79DC000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xB79DA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB5DD3000 \SystemRoot\System32\Drivers\Null.SYS
    0xB79D8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB6783000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xB677B000 \SystemRoot\System32\drivers\vga.sys
    0xB79D6000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB79D4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB6773000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB676B000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB66D9000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xA49EC000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xA4993000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xA4958000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xA4932000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xA4910000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
    0xA48E8000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xA48C6000 \SystemRoot\System32\drivers\afd.sys
    0xB65D6000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xA48B2000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    0xA4887000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB66B9000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
    0xA4817000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB65A6000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA47B9000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0x9E9DE000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0x9EC82000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0x9E9CE000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0x9EC7E000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0x9E8B8000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0x9EC76000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0x9E1E0000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0x9E385000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0x9E1C8000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xA0881000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0x9EC5E000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9E50C000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA028000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF040000 \SystemRoot\System32\ialmdev5.DLL
    0xBF065000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB6D78000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0x9E113000 \SystemRoot\system32\drivers\wdmaud.sys
    0x9E3A5000 \SystemRoot\system32\drivers\sysaudio.sys
    0x9DDC0000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xA1305000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xBA760000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0x9DA20000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9CD49000 \SystemRoot\System32\Drivers\HTTP.sys
    0x9CAC1000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    0x9C973000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\navex15.sys
    0x9C95F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\naveng.sys
    0x9CBD1000 \SystemRoot\System32\Drivers\usbaapl.sys
    0x9B677000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 66):
    0 System Idle Process
    4 System
    616 C:\WINDOWS\system32\smss.exe
    664 csrss.exe
    688 C:\WINDOWS\system32\winlogon.exe
    736 C:\WINDOWS\system32\services.exe
    756 C:\WINDOWS\system32\lsass.exe
    936 C:\WINDOWS\system32\svchost.exe
    1012 svchost.exe
    1248 svchost.exe
    1456 svchost.exe
    1592 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    1644 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    1796 C:\WINDOWS\system32\spoolsv.exe
    816 C:\WINDOWS\explorer.exe
    1236 C:\WINDOWS\system32\hkcmd.exe
    1296 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    1304 C:\PROGRA~1\SYMANT~1\VPTray.exe
    1312 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    1384 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1392 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    1408 C:\Program Files\QuickTime\QTTask.exe
    1444 C:\Program Files\iTunes\iTunesHelper.exe
    1576 C:\WINDOWS\system32\rundll32.exe
    1844 C:\WINDOWS\system32\ctfmon.exe
    1904 C:\Program Files\Messenger\msmsgs.exe
    1984 svchost.exe
    2040 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    236 C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
    292 C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
    344 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    484 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    632 C:\Program Files\Bonjour\mDNSResponder.exe
    652 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    1200 C:\Program Files\Symantec AntiVirus\DefWatch.exe
    2148 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    2256 C:\Program Files\Java\jre6\bin\jqs.exe
    2308 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    2336 C:\Program Files\Symantec\Ghost\ngctw32.exe
    2484 C:\Program Files\WinZip\WZQKPICK.EXE
    2896 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    2928 C:\Program Files\Symantec AntiVirus\SavRoam.exe
    3264 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    3324 C:\WINDOWS\system32\svchost.exe
    3364 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3424 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    3592 C:\Program Files\RealVNC\WinVNC\winvnc.exe
    3704 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    3884 C:\WINDOWS\system32\searchindexer.exe
    3980 C:\WINDOWS\system32\CCM\CcmExec.exe
    4016 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    2388 C:\WINDOWS\system32\svchost.exe
    2760 C:\Program Files\iPod\bin\iPodService.exe
    1360 alg.exe
    3204 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    2372 C:\Program Files\Internet Explorer\iexplore.exe
    1380 C:\Program Files\Internet Explorer\iexplore.exe
    3296 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    1440 WISPTIS.EXE
    5576 C:\Program Files\Internet Explorer\iexplore.exe
    3672 C:\WINDOWS\system32\svchost.exe
    4240 C:\Program Files\Internet Explorer\iexplore.exe
    3156 C:\Program Files\Internet Explorer\iexplore.exe
    4608 C:\Documents and Settings\Administrator\My Documents\MBRCheck.exe
    5920 wmiprvse.exe
    900 <unknown>

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75HKA1, Rev: 14.03G14

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  4. pachi

    pachi TS Rookie Topic Starter Posts: 46

    ComboFix 10-11-30.02 - administrator 11/30/2010 19:45:19.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2275 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}
    c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\install.rdf
    c:\documents and settings\JayV\System
    c:\documents and settings\JayV\System\win_qs7.jqx
    c:\documents and settings\JayV\System\win_qs8.jqx
    c:\windows\axagupiseriyo.dll

    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4


    ((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
    .

    2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
    2010-11-13 19:19 . 2010-12-01 03:10 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2010-11-13 19:18 . 2010-11-13 19:18 0 ----a-w- c:\windows\system32\lsp179C.tmp
    2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
    2010-11-03 05:28 . 2010-11-03 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
    2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
    2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
    "WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
    "NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
    "VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

    c:\documents and settings\JayV\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
    eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
    eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
    "Script"=%LOGONSERVER%\NETLOGON\logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]
    S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - qevuue

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Xyacasus - c:\windows\axagupiseriyo.dll
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-30 20:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(592)
    c:\windows\system32\WININET.dll
    c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
    c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Analog Devices\SoundMAX\spkrmon.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\RunDLL32.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\program files\Symantec AntiVirus\DoScan.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\msiexec.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    c:\windows\system32\SearchFilterHost.exe
    c:\windows\system32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-30 20:19:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-01 03:19

    Pre-Run: 37,342,138,368 bytes free
    Post-Run: 39,402,119,168 bytes free

    - - End Of File - - C4C0553CD0F1E2239B7EC3F5D5E2D3F7
     
  5. pachi

    pachi TS Rookie Topic Starter Posts: 46

    2010/11/30 20:29:48.0712 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
    2010/11/30 20:29:48.0712 ================================================================================
    2010/11/30 20:29:48.0712 SystemInfo:
    2010/11/30 20:29:48.0712
    2010/11/30 20:29:48.0712 OS Version: 5.1.2600 ServicePack: 3.0
    2010/11/30 20:29:48.0712 Product type: Workstation
    2010/11/30 20:29:48.0712 ComputerName: COMPUTER
    2010/11/30 20:29:48.0712 UserName: administrator
    2010/11/30 20:29:48.0712 Windows directory: C:\WINDOWS
    2010/11/30 20:29:48.0712 System windows directory: C:\WINDOWS
    2010/11/30 20:29:48.0712 Processor architecture: Intel x86
    2010/11/30 20:29:48.0712 Number of processors: 2
    2010/11/30 20:29:48.0712 Page size: 0x1000
    2010/11/30 20:29:48.0712 Boot type: Normal boot
    2010/11/30 20:29:48.0712 ================================================================================
    2010/11/30 20:29:48.0869 Initialize success
    2010/11/30 20:29:54.0338 ================================================================================
    2010/11/30 20:29:54.0338 Scan started
    2010/11/30 20:29:54.0338 Mode: Manual;
    2010/11/30 20:29:54.0338 ================================================================================
    2010/11/30 20:29:56.0197 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/11/30 20:29:56.0260 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/11/30 20:29:56.0338 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
    2010/11/30 20:29:56.0369 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/11/30 20:29:56.0431 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/11/30 20:29:56.0478 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/11/30 20:29:56.0728 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/11/30 20:29:56.0775 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/11/30 20:29:56.0853 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/11/30 20:29:56.0885 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/11/30 20:29:56.0947 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2010/11/30 20:29:57.0025 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/11/30 20:29:57.0119 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/11/30 20:29:57.0166 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/11/30 20:29:57.0275 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/11/30 20:29:57.0306 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/11/30 20:29:57.0353 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/11/30 20:29:57.0588 DigimHID (542c9e8f02166e2d4e6f565d4162321e) C:\WINDOWS\system32\DRIVERS\DigimHID.sys
    2010/11/30 20:29:57.0744 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/11/30 20:29:57.0869 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/11/30 20:29:57.0947 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/11/30 20:29:57.0994 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/11/30 20:29:58.0056 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/11/30 20:29:58.0119 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2010/11/30 20:29:58.0150 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2010/11/30 20:29:58.0181 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    2010/11/30 20:29:58.0260 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/11/30 20:29:58.0431 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2010/11/30 20:29:58.0463 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2010/11/30 20:29:58.0525 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/11/30 20:29:58.0572 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/11/30 20:29:58.0635 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/11/30 20:29:58.0681 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/11/30 20:29:58.0728 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/11/30 20:29:58.0791 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/11/30 20:29:58.0822 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/11/30 20:29:58.0885 G400 (36feb2ddce5f84128c2a8dbc60538dad) C:\WINDOWS\system32\DRIVERS\G400m.sys
    2010/11/30 20:29:59.0072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/11/30 20:29:59.0135 GhMon (8a308adb228964a5c870c52f074b2b12) C:\WINDOWS\system32\Drivers\ghmon.sys
    2010/11/30 20:29:59.0181 GhPostConfig (533068628f3f0d4457e97d8d23039a05) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
    2010/11/30 20:29:59.0213 GhPostConfig_Auto (533068628f3f0d4457e97d8d23039a05) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
    2010/11/30 20:29:59.0306 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/11/30 20:29:59.0353 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/11/30 20:29:59.0463 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/11/30 20:29:59.0525 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    2010/11/30 20:29:59.0619 ialm (6d4b680d5bf352cd0951aadd4de119ef) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/11/30 20:29:59.0697 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/11/30 20:29:59.0791 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/11/30 20:29:59.0853 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/11/30 20:29:59.0885 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/11/30 20:29:59.0947 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/11/30 20:30:00.0010 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/11/30 20:30:00.0088 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/11/30 20:30:00.0119 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/11/30 20:30:00.0275 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/11/30 20:30:00.0322 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/11/30 20:30:00.0385 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/11/30 20:30:00.0400 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/11/30 20:30:00.0447 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/11/30 20:30:00.0494 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/11/30 20:30:00.0588 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/11/30 20:30:00.0682 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/11/30 20:30:00.0728 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/11/30 20:30:00.0853 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/11/30 20:30:00.0885 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/11/30 20:30:00.0947 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/11/30 20:30:01.0010 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/11/30 20:30:01.0072 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/11/30 20:30:01.0103 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/11/30 20:30:01.0135 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/11/30 20:30:01.0166 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/11/30 20:30:01.0244 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/11/30 20:30:01.0307 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/11/30 20:30:01.0353 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/11/30 20:30:01.0400 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/11/30 20:30:01.0603 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\naveng.sys
    2010/11/30 20:30:01.0682 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101129.002\navex15.sys
    2010/11/30 20:30:01.0853 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/11/30 20:30:01.0916 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/11/30 20:30:01.0978 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/11/30 20:30:02.0041 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/11/30 20:30:02.0057 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/11/30 20:30:02.0088 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/11/30 20:30:02.0103 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/11/30 20:30:02.0182 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/11/30 20:30:02.0291 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/11/30 20:30:02.0385 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/11/30 20:30:02.0447 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/11/30 20:30:02.0494 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/11/30 20:30:02.0525 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/11/30 20:30:02.0572 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    2010/11/30 20:30:02.0682 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/11/30 20:30:02.0697 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/11/30 20:30:02.0728 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/11/30 20:30:02.0760 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/11/30 20:30:02.0822 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/11/30 20:30:02.0869 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/11/30 20:30:03.0103 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/11/30 20:30:03.0228 prepdrvr (3909be53ad8e2bfcac9d9148e4b2b270) C:\WINDOWS\system32\CCM\prepdrv.sys
    2010/11/30 20:30:03.0244 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/11/30 20:30:03.0275 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/11/30 20:30:03.0322 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/11/30 20:30:03.0338 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/11/30 20:30:03.0353 Suspicious service (NoAccess): qevuue
    2010/11/30 20:30:03.0416 qevuue (04c326d963c612aa98da6c044ee606d7) C:\WINDOWS\system32\drivers\qevuue.sys
    2010/11/30 20:30:03.0416 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\qevuue.sys. md5: 04c326d963c612aa98da6c044ee606d7
    2010/11/30 20:30:03.0416 qevuue - detected Locked service (1)
    2010/11/30 20:30:03.0682 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/11/30 20:30:03.0713 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/11/30 20:30:03.0791 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/11/30 20:30:03.0807 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/11/30 20:30:03.0838 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/11/30 20:30:03.0869 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/11/30 20:30:03.0932 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/11/30 20:30:03.0979 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/11/30 20:30:04.0025 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/11/30 20:30:04.0119 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2010/11/30 20:30:04.0182 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2010/11/30 20:30:04.0385 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
    2010/11/30 20:30:04.0463 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    2010/11/30 20:30:04.0525 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/11/30 20:30:04.0697 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/11/30 20:30:04.0713 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/11/30 20:30:04.0775 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/11/30 20:30:04.0885 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/11/30 20:30:04.0963 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
    2010/11/30 20:30:05.0072 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/11/30 20:30:05.0213 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2010/11/30 20:30:05.0291 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/11/30 20:30:05.0354 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/11/30 20:30:05.0447 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/11/30 20:30:05.0525 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
    2010/11/30 20:30:05.0557 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/11/30 20:30:05.0604 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/11/30 20:30:05.0682 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/11/30 20:30:05.0885 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
    2010/11/30 20:30:06.0010 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2010/11/30 20:30:06.0088 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2010/11/30 20:30:06.0213 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/11/30 20:30:06.0338 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/11/30 20:30:06.0416 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/11/30 20:30:06.0447 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/11/30 20:30:06.0510 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/11/30 20:30:06.0619 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/11/30 20:30:06.0729 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/11/30 20:30:06.0807 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/11/30 20:30:06.0885 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/11/30 20:30:06.0916 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/11/30 20:30:06.0979 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/11/30 20:30:07.0025 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/11/30 20:30:07.0057 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/11/30 20:30:07.0119 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/11/30 20:30:07.0182 usbser (49106ee29074e6a3d3ac9e24c6d791d8) C:\WINDOWS\system32\drivers\usbser.sys
    2010/11/30 20:30:07.0322 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/11/30 20:30:07.0385 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/11/30 20:30:07.0463 V0060VID (b70abf0aeb47c1301a69b5d06b3079ca) C:\WINDOWS\system32\DRIVERS\V0060Vid.sys
    2010/11/30 20:30:07.0510 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/11/30 20:30:07.0604 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/11/30 20:30:07.0697 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/11/30 20:30:07.0807 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/11/30 20:30:07.0994 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/11/30 20:30:08.0072 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/11/30 20:30:08.0151 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/11/30 20:30:08.0197 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/11/30 20:30:08.0416 ================================================================================
    2010/11/30 20:30:08.0416 Scan finished
    2010/11/30 20:30:08.0416 ================================================================================
    2010/11/30 20:30:08.0447 Detected object count: 1
    2010/11/30 20:30:20.0120 Locked service(qevuue) - User select action: Skip
     
  6. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Hijack.log

    hijack log file
     

    Attached Files:

  7. pachi

    pachi TS Rookie Topic Starter Posts: 46

    extras.txt log

    extras.txt log
     

    Attached Files:

  8. pachi

    pachi TS Rookie Topic Starter Posts: 46

    OTL run log

    OTL run log
     

    Attached Files:

    • OTL.Txt
      File size:
      81.2 KB
      Views:
      0
  9. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  10. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Thanks Broni,

    I just run the MBM overnight. Rootkit still exists. From show results I deleted the infected file.
     
  11. pachi

    pachi TS Rookie Topic Starter Posts: 46

    MBM log from this morning.

    MBM log from this morning attached to this post.
     

    Attached Files:

     
  12. Broni

    Broni Malware Annihilator Posts: 47,156   +264

     
  13. pachi

    pachi TS Rookie Topic Starter Posts: 46

    I am unable to run update MBM. Getting blue screen the second i check for update.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Complete all steps, you can, including not updated MBAM log.
     
  15. pachi

    pachi TS Rookie Topic Starter Posts: 46

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-02 21:27:51
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD800JD-75HKA1 rev.14.03G14
    Running: 6w25mgz1[1].exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgldqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A911408 ZwAlertResumeThread
    SSDT 8AA52390 ZwAlertThread
    SSDT 8AA8AC60 ZwAllocateVirtualMemory
    SSDT 8A8F4B70 ZwConnectPort
    SSDT 8A961E78 ZwCreateMutant
    SSDT 8A9612B8 ZwCreateThread
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9C3E350] <-- ROOTKIT !!!
    SSDT 8AABDC08 ZwFreeVirtualMemory
    SSDT 8A93E958 ZwImpersonateAnonymousToken
    SSDT 8AA8AB98 ZwImpersonateThread
    SSDT 8A970AC8 ZwMapViewOfSection
    SSDT 8ABE7178 ZwOpenEvent
    SSDT 8A96D110 ZwOpenProcessToken
    SSDT 8ABC7A50 ZwOpenThreadToken
    SSDT 8ABE6BC8 ZwQueryValueKey
    SSDT 8A9B6808 ZwResumeThread
    SSDT 8A95CE50 ZwSetContextThread
    SSDT 8AAA8DE8 ZwSetInformationProcess
    SSDT 8A90D0B0 ZwSetInformationThread
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9C3E580] <-- ROOTKIT !!!
    SSDT 8AA8CF00 ZwSuspendProcess
    SSDT 8AC3C350 ZwSuspendThread
    SSDT 8A9667B0 ZwTerminateProcess
    SSDT 8AC82268 ZwTerminateThread
    SSDT 8AA8CA08 ZwUnmapViewOfSection
    SSDT 8A750110 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 1DA 804E4A34 4 Bytes JMP D32FD4CC
    .text ntoskrnl.exe!ZwYieldExecution + 406 804E4C60 8 Bytes CALL 30D8F6F2
    ? C:\WINDOWS\system32\drivers\qevuue.sys A device attached to the system is not functioning.
    PAGE Ntfs.sys F7B77E55 4 Bytes CALL 8ACAD591

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1940] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[2824] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3676] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3900] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    ? C:\WINDOWS\System32\svchost.exe[3948] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[1940] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3900] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 40515C15
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 40515C15
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [0040515C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 40515C15
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515415FF
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 40504415
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 40515815
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
    IAT C:\WINDOWS\System32\svchost.exe[3948] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC

    ---- Devices - GMER 1.0.15 ----

    Device 8ABE5550
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice ghmon.sys (Ghost Enterprise client - volume mount filter/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip 8A96FA80
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp 8A96FA80
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp 8A96FA80
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp 8A96FA80

    Device \Driver\SYMTDI \Device\SymTDI 8A96FA80
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] qevuue <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@goxgcpvq 188204166
    Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\qevuue@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@goxgcpvq 188204166
    Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Start 0
    Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\qevuue@Group Boot Bus Extender
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\Sus@FlushCacheFiles ???}????@????????????????u???????|???|????Z??????????|?|?|?|?|?|?|???????|??????????????????21????????????????f??}???|???????|????x???????????H??????>???????????????????|???|??WWW_OpenURL??|??? ???????|????????????????&??????????????s??????1???????????????? ???????|???????????%????????*???????????r????????????????????????e???????|????? ???????|?????|????????????????????????c???? ???????|??????????????????????????????????? ???????|?????}??????????x?????????????l???Local???? ???????|???????????|????????(?????1?????????????????????????}??????????|????????e??????????|?????????n????Matches all ICMP packets between this computer and any other computer.??????ipsecFilter{72385235-70fa-11d1-864c-14a300000000}?????"??|????????e?????All ICMP Traffic??????N??|???????D??{72385235-70fa-11d1-864c-14a300000000}??????? ??????????????e?????p??|????????????g??|????????a?????????????R????????? ?ICMP???????????????????????????????????????????????d?????|?|?|?|?|?|?|?|?|???????|???w??????????li??SOFTWARE\Policies\Microsoft\Windows

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

    ---- EOF - GMER 1.0.15 ----
     
  16. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Go on............
     
  17. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Attach log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/25/2004 9:30:04 AM
    System Uptime: 12/2/2010 6:41:14 PM (3 hours ago)

    Motherboard: Dell Inc. | | 0G5611
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 36.437 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    3100_3200_3300_Help
    3100_3200_3300trb
    3300
    ACECAD DigiMemo Manager
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    AiO_Scan_CDA
    AiOSoftwareNPI
    AOL Instant Messenger
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AudibleManager
    Barracuda Networks Outlook Plugin 0.9d
    Bonjour
    Broadcom Gigabit Integrated Controller
    Buzz Lightyear Astro Blasters
    Capture NX 2
    Compatibility Pack for the 2007 Office system
    Configuration Manager Client
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    Creative WebCam Live! Ultra Driver (1.01.03.0127)
    CueTour
    Dell ResourceCD
    DesignPro 5.0 Limited Edition
    Destinations
    DeviceManagementQFolder
    DivX Version Checker
    DocProc
    DocProcQFolder
    Documents To Go
    eFax Messenger Plus 3.3
    eSupportQFolder
    Fax_CDA
    FileZilla Client 3.3.5.1
    FullDPAppQFolder
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GTK+ Runtime 2.12.1 rev a (remove only)
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Product Assistant
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    InstantShareDevices
    InstantShareDevicesMFC
    Intel(R) Graphics Media Accelerator Driver
    Internet Tablet Video Converter 0.22
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    LAS Tracking Key / 3100 Programs
    LimeWire 4.16.6
    LiveUpdate 3.1 (Symantec Corporation)
    Macromedia Flash Player 8
    magicJack
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Live Add-in 1.4
    Microsoft Office OneNote 2003
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.19)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NewCopy_CDA
    Nikon Message Center
    Nikon RAW Codec
    Nikon Transfer
    Nokia Dicas Codecs
    OCR Software by I.R.I.S 7.0
    OGA Notifier 2.0.0048.0
    PanoStandAlone
    Photocopier Version 2.28
    PhotoGallery
    Picasa 3
    Picture Control Utility
    Pidgin
    PowerDVD
    ProductContextNPI
    QuickBooks Premier: Professional Services Edition 2004
    Quicken 2008
    QuickTime
    RandMap
    RDC
    Readme
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    SkinsHP1
    SlideShow
    SolutionCenter
    Sonic_PrimoSDK
    SoundMAX
    Status
    Symantec AntiVirus
    Symantec Ghost Console Client
    Toolbox
    Transym TOCR
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    ViewNX
    Viewpoint Media Player
    Visual Hindsight Professional Edition 1.2
    VNC 3.3.7
    WebEx
    WebEx Meeting Manager for Mozilla Firefox/Netscape Navigator
    WebFldrs XP
    WebReg
    WIMGAPI
    Windows Defender
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip

    ==== Event Viewer Messages From Past Week ========

    12/2/2010 6:45:52 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
    12/2/2010 6:44:27 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79bb000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.
    12/2/2010 6:43:28 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    12/2/2010 6:42:28 PM, error: SRService [104] - The System Restore initialization process failed.
    12/2/2010 6:21:26 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79cf000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.
    12/2/2010 6:20:49 PM, error: System Error [1003] - Error code 100000d1, parameter1 f79b5000, parameter2 00000002, parameter3 00000000, parameter4 f743c741.

    ==== End Of File ===========================
     
  18. pachi

    pachi TS Rookie Topic Starter Posts: 46

    DDS log

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by administrator at 21:31:26.98 on Thu 12/02/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2319 [GMT -7:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Symantec\Ghost\ngctw32.exe
    C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    "C:\WINDOWS\System32\svchost.exe"
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\HPZinw12.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\SearchProtocolHost.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [WinVNC] "c:\program files\realvnc\winvnc\WinVNC.exe" -servicehelper
    mRun: [NGClient] c:\program files\symantec\ghost\ngctw32.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
    dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
    dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxli~1.lnk - c:\program files\efax messenger plus 3.3\J2GDllCmd.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efaxtr~1.lnk - c:\program files\efax messenger plus 3.3\J2GTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: ccsend.com
    Trusted Zone: constantcontact.com
    Trusted Zone: ic.aiall
    Trusted Zone: icrossing.com
    Trusted Zone: icrossing.net
    Trusted Zone: projectorpsa.com
    Trusted Zone: proxicom.com
    Trusted Zone: prxm.corp
    Trusted Zone: zendesk.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/68.08/uploader2.cab
    DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264198550417
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264199414715
    DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://192.168.15.253:8080/bl_camera.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://compuwaremc.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
    Handler: ezstor - {6344A3A0-96A7-11D4-88CC-000000000000} - c:\windows\system32\viewers\ezspp.dll
    Notify: igfxcui - igfxsrvc.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\7ag21vps.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\7ag21vps.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.order.1 - Search
    FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=

    ============= SERVICES / DRIVERS ===============

    R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [2004-8-26 6496]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
    R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\symantec\ghost\ngctw32.exe [2004-8-26 439448]
    R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-31 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101202.002\naveng.sys [2010-12-2 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101202.002\navex15.sys [2010-12-2 1371184]
    R3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2010-11-20 196409]
    S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [2004-8-26 198720]
    S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [2004-8-26 198720]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-10 135664]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2007-2-5 5248]

    =============== Created Last 30 ================

    2010-12-02 18:18:57 -------- d-----w- C:\HouseBeautiful
    2010-12-01 03:43:29 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-01 03:43:28 -------- d-----w- c:\program files\Trend Micro
    2010-12-01 02:01:59 -------- d-sha-r- C:\cmdcons
    2010-11-20 16:13:14 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
    2010-11-20 16:13:14 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
    2010-11-20 16:13:07 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
    2010-11-20 16:13:07 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
    2010-11-20 16:13:03 16384 ----a-w- c:\windows\system32\ipsink.ax
    2010-11-20 16:13:03 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
    2010-11-20 16:13:03 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
    2010-11-20 16:12:58 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
    2010-11-20 16:12:58 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
    2010-11-20 16:12:53 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
    2010-11-20 16:12:53 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
    2010-11-20 16:12:49 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
    2010-11-20 16:12:49 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
    2010-11-20 16:12:45 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
    2010-11-20 16:12:45 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-11-20 16:10:58 43008 ----a-w- c:\windows\system32\ksxbar.ax
    2010-11-14 02:08:55 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-11-13 23:57:30 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-11-13 23:57:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-13 23:57:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-13 23:57:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-13 23:57:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 19:25:52 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
    2010-11-13 19:22:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\mJiBo02042
    2010-11-13 19:19:07 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
    2010-11-13 19:18:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
    2010-11-12 09:14:31 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{2412747f-8dcd-4ee2-b6f4-2809c630c6e7}\mpengine.dll
    2010-11-03 05:28:28 -------- d-----w- c:\docume~1\admini~1\applic~1\Windows Search

    ==================== Find3M ====================

    2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-27 20:57:44 2826240 ----a-w- c:\windows\system32\GPhotos.scr
    2010-09-23 20:52:32 922112 ------w- c:\windows\system32\imapi2fs.dll
    2010-09-23 20:52:32 426496 ------w- c:\windows\system32\imapi2.dll
    2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

    ============= FINISH: 21:32:27.26 ===============
     
  19. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    ...and MBAM...
     
  20. pachi

    pachi TS Rookie Topic Starter Posts: 46

  21. pachi

    pachi TS Rookie Topic Starter Posts: 46

    MBAM fails while updating current file (today's file) when at 25 %. Blue screen
    with system32\drivers\qevuue.sys IRQ .... error.

    should I try again now?
     
  22. Broni

    Broni Malware Annihilator Posts: 47,156   +264

  23. pachi

    pachi TS Rookie Topic Starter Posts: 46

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5236

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/3/2010 7:06:37 AM
    mbam-log-2010-12-03 (07-06-37).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 568038
    Time elapsed: 57 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     
  24. pachi

    pachi TS Rookie Topic Starter Posts: 46

    MBAM LOG : Rootkit.agent still exists.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5238

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/3/2010 9:18:57 AM
    mbam-log-2010-12-03 (09-18-57).txt

    Scan type: Quick scan
    Objects scanned: 483911
    Time elapsed: 8 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\drivers\qevuue.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.