rubbersoul
Hi folks,
Lately I've been having problems with my laptop freezing and going very slow. I've done scans with MBAM and others, and the one main infection was a Hijack.ControlPanelStyle, which I have deleted, though it keeps coming back.
I've had rootkit infections before and it seems similar to that, though I'm not sure. Here are the logs from the MBAM quick and full scans, GMER and DDS, as requested.
Thanks for the help.
-----------------------------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.13.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Josh :: JOHN-53EAF8E1E1 [administrator]
Protection: Disabled
13/05/2012 4:35:38 PM
mbam-log-2012-05-13 (16-35-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201987
Time elapsed: 6 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
----------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.13.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Josh :: JOHN-53EAF8E1E1 [administrator]
Protection: Disabled
13/05/2012 4:44:18 PM
mbam-log-2012-05-13 (16-44-18).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281158
Time elapsed: 1 hour(s), 47 minute(s), 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
------------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-13 18:36:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\uwncrpod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x9D993D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x9D993BC5]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Josh at 18:43:22 on 2012-05-13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2940.2062 [GMT 10:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Online Armor\OAui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ActiveMultiwallpaper] c:\program files\activemultiwallpaper\Changer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: Interfaces\{6A219B28-2B81-4C7E-8765-52D2B0D554CC} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{AC7DDD6A-347A-4ACA-8A2B-5020D95DA085} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C1DEBEAC-51BF-4066-8DF9-52DF20265F80} : NameServer = 8.26.56.26,156.154.70.22
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SecurityProviders: schannel.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\josh\application data\mozilla\firefox\profiles\rs3txhg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [2010-4-4 327192]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-12 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-12 320856]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-12-30 103944]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-21 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-21 40296]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-21 25192]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-21 29464]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-12 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-12 44768]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-1-20 21992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-21 207936]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112648]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-21 4363040]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2011-12-8 5888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-29 22344]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-12-8 197224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-29 654408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-8 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-11-4 1691480]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-12-4 117504]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-6 136176]
S3 SageTV;SageTV;"c:\program files\sagetv\sagetv\sagetvservice.exe" --> c:\program files\sagetv\sagetv\SageTVService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-12-8 13592]
.
=============== Created Last 30 ================
.
2012-05-09 15:19:27 -------- d-----w- c:\program files\CDisplay
2012-05-08 07:37:16 -------- d-----w- c:\documents and settings\josh\local settings\application data\Sun
2012-05-08 07:23:57 -------- d-----w- c:\windows\Performance
2012-05-08 07:23:37 -------- d-----w- c:\documents and settings\josh\local settings\application data\Microsoft Corporation
2012-05-08 07:22:08 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-05-08 07:09:58 -------- d-----w- c:\program files\Oracle
2012-05-08 07:07:51 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-08 07:05:07 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-08 06:46:37 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-05-08 05:52:25 -------- d-----w- c:\documents and settings\josh\application data\Ad-Aware Antivirus
2012-05-06 13:27:17 -------- d-----w- c:\documents and settings\josh\application data\Panda Security
2012-05-06 13:25:31 -------- d-----w- c:\program files\Panda Security
2012-05-06 13:25:31 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2012-05-06 13:23:09 -------- d-----w- C:\temp
2012-05-06 09:26:45 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-06 08:59:17 73728 ----a-r- c:\documents and settings\josh\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-05-06 08:59:03 -------- d-----w- c:\program files\Sophos
2012-05-06 03:20:13 -------- d-----w- c:\program files\MP4 to AVI
2012-05-06 03:17:50 -------- d-----w- c:\program files\hpmonitor
2012-05-06 03:17:35 17280 ----a-w- c:\windows\system32\roboot.exe
2012-05-06 03:17:26 -------- d-----w- c:\documents and settings\josh\application data\systweak
2012-05-06 03:11:53 -------- d-----w- c:\windows\RegisteredPackages
2012-04-28 16:40:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-16 14:44:39 54784 ----a-w- c:\windows\system32\brinsstr.dll
2012-04-16 14:44:24 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2012-04-16 14:44:23 61952 ------w- c:\windows\system32\BrNetSti.dll
2012-04-16 14:44:23 37376 ------w- c:\windows\system32\Brnsplg.dll
2012-04-16 14:44:23 18944 ------w- c:\windows\system32\BrnStiCp.cpl
2012-04-16 14:44:22 9728 ------w- c:\windows\system32\BrSti07a.dll
2012-04-16 14:44:13 163840 ------w- c:\windows\system32\NSSearch.dll
2012-04-16 14:44:13 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2012-04-16 14:44:12 73728 ------w- c:\windows\system32\BRCrypt.dll
2012-04-16 14:44:12 61440 ------w- c:\windows\system32\BrMfNt.dll
2012-04-16 14:44:12 -------- d-----w- c:\program files\Brother
2012-04-16 14:44:11 131072 ------w- c:\windows\brunin03.dll
2012-04-16 14:43:32 -------- d-----w- c:\documents and settings\all users\application data\Brother
2012-04-16 10:27:36 -------- d-sh--w- c:\documents and settings\josh\IECompatCache
.
==================== Find3M ====================
.
2012-05-08 07:05:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 08:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 08:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-28 13:43:21 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 18:45:38.70 ===============
2012-05-06 03:17:26 -------- d-----w- c:\documents and settings\josh\application data\systweak
2012-05-06 03:11:53 -------- d-----w- c:\windows\RegisteredPackages
2012-04-28 16:40:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-16 14:44:39 54784 ----a-w- c:\windows\system32\brinsstr.dll
2012-04-16 14:44:24 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2012-04-16 14:44:23 61952 ------w- c:\windows\system32\BrNetSti.dll
2012-04-16 14:44:23 37376 ------w- c:\windows\system32\Brnsplg.dll
2012-04-16 14:44:23 18944 ------w- c:\windows\system32\BrnStiCp.cpl
2012-04-16 14:44:22 9728 ------w- c:\windows\system32\BrSti07a.dll
2012-04-16 14:44:13 163840 ------w- c:\windows\system32\NSSearch.dll
2012-04-16 14:44:13 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2012-04-16 14:44:12 73728 ------w- c:\windows\system32\BRCrypt.dll
2012-04-16 14:44:12 61440 ------w- c:\windows\system32\BrMfNt.dll
2012-04-16 14:44:12 -------- d-----w- c:\program files\Brother
2012-04-16 14:44:11 131072 ------w- c:\windows\brunin03.dll
2012-04-16 14:43:32 -------- d-----w- c:\documents and settings\all users\application data\Brother
2012-04-16 10:27:36 -------- d-sh--w- c:\documents and settings\josh\IECompatCache
.
==================== Find3M ====================
.
2012-05-08 07:05:06 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 08:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 08:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-28 13:43:21 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 18:45:38.70 ===============