TechSpot

Need help removing (rootkit?) infection. Logs posted

Inactive
By Cactuar
Oct 18, 2011
  1. My work computer has gotten infected, and I'm largely unable to use it for anything. The problems started abruptly about three days ago, though I'm not sure where I got the infection.

    It will sometimes take to freezing near constantly, with only about a second of being able to use the mouse before it re-freezes. Behavior like that often culminates in a BSOD. Even if it isn't doing either of those things, I'm having difficulty using the internet, and all search engines I've tried will not load any results but stop loading with a blank page displayed. I am unable to print anything in the office from this computer, since the problems started. I've since unplugged it from the office network, perhaps later than I ought to have, since I'm not sure whether problems like this could spread, and I suspect I'm in enough trouble as it is.

    There may be other indications that I've not found yet because I haven't been using it much at all since then. (I'm posting this from my personal laptop, which I've been taking to work since the issues started). The work computer didn't have anything but what came standard on it at first.

    Before I found this forum, as I was trying to solve the problem myself, I added AVG, MalwareBytes, and Webroot Secure(all transferred by flash, as downloading them with the infected computer isn't working out), and Webroot has detected/ostensibly removed what it informs me is a rootkit infection in a file called Wdf01000.sys many times, with no lasting effects. I also made a stab at doing it manually with no success.

    Logs follow.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7969

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19154

    2011/10/18 11:58:15 ??
    mbam-log-2011-10-18 (11-57-50).txt

    Scan type: Quick scan
    Objects scanned: 226382
    Time elapsed: 11 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\teuser12\AppData\Local\Temp\jar_cache7615848301089221467.tmp (Trojan.Agent) -> No action taken.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-18 12:19:07
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2160BJ_G2 rev.0046001E
    Running: ky8tps99.exe; Driver: C:\Users\teuser12\AppData\Local\Temp\kfddqpoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 WRkrn.sys (Webroot SecureAnywhere/Webroot)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 WRkrn.sys (Webroot SecureAnywhere/Webroot)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:548] 8633816D
    Thread System [4:1216] 869F1B90

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_20
    Run by teuser12 at 12:20:59 on 2011-10-18
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2008.779 [GMT 9:00]
    .
    AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Tablet\Pen\Pen_TouchService.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\netsw\netservc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
    C:\Program Files\DispSw\DispSw.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apvfb.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Webroot\WRSA.exe
    C:\Program Files\Webroot\WRSA.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.vill.tomari.hokkaido.jp/main.html
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [CAHeadless] c:\program files\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [DispSw] c:\program files\dispsw\DispSw.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    uPolicies-explorer: NoViewOnDrive = 0 (0x0)
    uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    uPolicies-system: NoDispAppearancePage = 0 (0x0)
    uPolicies-system: NoDispSettingsPage = 0 (0x0)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-explorer: NoViewOnDrive = 0 (0x0)
    mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
    mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: HideFastUserSwitching = 1 (0x1)
    mPolicies-system: disablecad = 1 (0x1)
    mPolicies-system: NoDispAppearancePage = 0 (0x0)
    mPolicies-system: NoDispSettingsPage = 0 (0x0)
    dPolicies-explorer: NoViewOnDrive = 0 (0x0)
    dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
    dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    dPolicies-system: NoDispAppearancePage = 0 (0x0)
    dPolicies-system: NoDispSettingsPage = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{EB44EA71-9E9C-4C93-8352-D761F5F53BCE} : NameServer = 192.168.1.10
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\teuser12\appdata\roaming\mozilla\firefox\profiles\tr2co5s5.default\
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-17 366152]
    R2 MobileOptimizer;MobileOptimizer;c:\program files\netsw\NETSERVC.EXE [2009-11-30 61440]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-9-29 4869488]
    R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-2-25 249424]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-2-25 36432]
    R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-9-29 416112]
    R2 WRSVC;WRSVC;c:\program files\webroot\WRSA.exe [2011-10-17 599616]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-9-3 223232]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-17 22216]
    R3 necbatt;Battery Filter Driver;c:\windows\system32\drivers\necbatt.sys [2008-10-27 9216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
    S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-2-25 652552]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-9-29 16240]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== File Associations ===============
    .
    JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-10-18 02:43:24 503864 ----a-w- c:\windows\system32\drivers\IblGBIPG.sys
    2011-10-18 02:04:40 503864 ----a-w- c:\windows\system32\drivers\BnLeaunI.sys
    2011-10-17 23:24:52 503864 ----a-w- c:\windows\system32\drivers\aCiZaTdV.sys
    2011-10-17 07:31:51 503864 ----a-w- c:\windows\system32\drivers\BLSQuUeH.sys
    2011-10-17 06:51:06 503864 ----a-w- c:\windows\system32\drivers\ZFqROvIw.sys
    2011-10-17 02:41:08 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
    2011-10-17 00:44:09 503864 ----a-w- c:\windows\system32\drivers\euSFqUEp.sys
    2011-10-17 00:11:48 140760 ----a-w- c:\windows\system32\WRusr.dll
    2011-10-17 00:11:47 106312 ----a-w- c:\windows\system32\drivers\WRkrn.sys
    2011-10-17 00:11:46 -------- d-----w- c:\program files\Webroot
    2011-10-17 00:11:45 -------- d-----w- c:\programdata\WRData
    2011-10-16 23:44:06 -------- d-----w- c:\users\teuser12\appdata\roaming\Malwarebytes
    2011-10-16 23:43:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-10-16 23:43:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-16 23:43:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-14 06:09:03 -------- d-----w- c:\users\teuser12\appdata\local\Mozilla
    2011-10-14 04:59:55 -------- d--h--w- C:\$AVG
    2011-10-14 04:24:44 -------- d-----w- c:\users\teuser12\appdata\roaming\AVG2012
    2011-10-14 04:24:08 -------- d--h--w- c:\programdata\Common Files
    2011-10-14 04:22:56 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-10-14 04:22:56 -------- d-----w- c:\programdata\AVG2012
    2011-10-14 04:22:07 -------- d-----w- c:\program files\AVG
    2011-10-14 04:16:20 -------- d-----w- c:\programdata\MFAData
    2011-10-14 00:24:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-28 23:37:19 -------- d-----w- c:\programdata\AppData
    2011-09-28 23:36:02 -------- d-----w- c:\users\teuser12\appdata\roaming\WTablet
    2011-09-28 23:36:01 642928 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
    2011-09-28 23:35:55 -------- d-----w- c:\program files\TabletPlugins
    2011-09-28 23:35:30 16240 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
    2011-09-28 23:34:55 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
    2011-09-28 23:33:26 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
    2011-09-28 23:33:24 650096 ----a-w- c:\windows\system32\Pen_Tablet.dll
    2011-09-28 23:33:24 506736 ----a-w- c:\windows\system32\Wintab32.dll
    2011-09-28 23:33:20 -------- d-----w- c:\program files\Tablet
    2011-09-28 23:30:42 -------- d-----w- c:\programdata\Bamboo
    .
    ==================== Find3M ====================
    .
    2011-10-03 23:21:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
    2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-09-12 21:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-08-25 16:15:04 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-08-25 16:14:01 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-08-25 16:14:01 238080 ----a-w- c:\windows\system32\oleacc.dll
    2011-08-25 13:31:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-07-29 16:01:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2011-07-29 16:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2011-07-29 16:00:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2011-07-29 16:00:05 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
    .
    ============= FINISH: 12:25:23.64 ===============
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll start you off, but depending on what I see in the logs, I may refer you to the IT for the Office Network.
    ------------------------------------------------
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    1. Wdf01000.sys is for the WDF Dynamic driver from Microsoft. It is a legitimate file. The Webroot describes this as a "suspicious file" and goes on to add: It is possible that your PC could be infected. The file name WDF01000.SYS is used by both safe and unsafe programs.
    ====================================
    2. You are running 2 antivirus programs:
    AV: Webroot SecureAnywhere *
    AV: AVG Anti-Virus Free Edition 2012
    Note: I'm going to have you run Combofix. It will not run with AVG on the system, so AVG will have to be removed temporarily. Directions are further down.
    ======================================
    3. You do not have to run Malwarebytes again because there is only 1 entry and it's in the Java cache. But if you run it again sometime, be sure to check the line to remove the entries it finds. You will clean the cache. This usually happens if there is outdated Java on the system: (JavaVersion: 1.6.0_20)
    ------------------------------------------
    4. Please update Java to v6u27: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
    -------------------------------------------
    5. To clear the Java Plug-in cache:

    [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    ==========================================
    7. Since this is a global board and most members don't add anything to their profile, this is set as your Start page:
    uStart Page = hxxp://www.vill.tomari.hokkaido.jp/main.html
    Did you set it? Do you know if it's a safe site. There is no English site for me to check. I do see signs of another language being on the system.
    ==================================
    8. There is another log from DDS. It's named Attach.txt. That is the name, not a direction so please paste it into your next reply.
    ==================================
    9. Please review these Policy Settings. Did you set them up?
    ========================================
    10. Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    =============================
    11. Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    12. Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    Please give me answers and logs in next reply. So far I'm not seeing a rootkit.
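A practical way to confirm the point made in item 1, that the flagged Wdf01000.sys is the genuine Microsoft-signed driver rather than a look-alike, is to check its Authenticode signature and record its hash. This is an added example, not code from the thread or from Bobbye; the function name `Get-DriverIdentity` and the expected-publisher string are my own choices.

```powershell
# Added example, not code from the thread. Reports whether a driver that an AV
# product flagged (here the Wdf01000.sys named in item 1) carries a valid
# Authenticode signature from the expected publisher, and records a SHA-256
# hash so the file can be re-checked after cleaning. Written to run on the
# PowerShell 2.0 that ships with Vista, hence no Get-FileHash.
function Get-DriverIdentity {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumption: substring expected in the signer subject of a Microsoft-shipped driver.
        [string] $ExpectedPublisher = 'Microsoft'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # SHA-256 via .NET so the same code works on PowerShell 2.0 and later.
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }

    New-Object PSObject -Property @{
        Path             = $item.FullName
        Exists           = $true
        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        SignatureStatus  = $sig.Status
        Signer           = $signer
        SignerIsExpected = ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedPublisher*")
        CompanyName      = $item.VersionInfo.CompanyName
        FileVersion      = $item.VersionInfo.FileVersion
        LastWriteUtc     = $item.LastWriteTimeUtc
        Sha256           = $hash
    }
}

# The file from the post. Caveat: many Windows-shipped drivers are signed through a
# security catalog rather than an embedded signature, and Get-AuthenticodeSignature on
# older PowerShell reports those as NotSigned; cross-check such a result with
# Sysinternals sigcheck before treating the file as unsigned.
Get-DriverIdentity -Path (Join-Path $env:SystemRoot 'System32\drivers\Wdf01000.sys') | Format-List
```

A `HashMismatch` status, or a signer that is not the expected publisher, is the result worth escalating; a `NotSigned` on a catalog-signed system file is expected on this era of PowerShell and needs the sigcheck cross-check.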
     
  3. Cactuar

    Cactuar TS Rookie Topic Starter

    Changes in the system: Failed to start up all the way the first time I turned it on this morning. Regretfully I didn't write down the name of whatever file it said was corrupted. Chose to revert to "last settings that worked."

    1. Thanks, I'm not very well versed at all.

    4-5. Done.

    7. Yes, that's a safe page.

    8. I'll paste it in at the end of my reply.

    9. I don't believe I, personally, did... This computer was inherited as-is from my predecessor in this job, and even most of the stuff that I'm pretty sure didn't come with the computer, like Skype and VLC, were here already when I got it. I've not had it that long, and haven't made many changes/added many things, myself. It's worked like a dream before now, though.

    10-12. Done. Logs will follow. When I started it, I had already closed Webroot, but it still generated an error stating that it was active. I didn't know what else to do, since I'd exited the program, so I uninstalled it before I clicked 'OK' and let CF get started.

    Thank you again, I'm glad to hear that. As I said I'm not very knowledgeable about these things, so it's quite possible I've completely mis-evaluated the situation. :/ Perhaps it isn't any kind of infection at all. (Especially since it seems, to my inexpert eye, that ComboFix has not found anything of note)

    I'd only thought it may have been because of the sudden onset of the problems and the fact that they coincided with AV getting alerted to something, but if it isn't, at least I'll be able to confirm that and move on to finding the right way to fix whatever the actual issue is.

    Logs...

    .
    DDS (Ver_2011-08-26.01)
    .
    .
    Motherboard: NEC | | KML90
    Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | Socket P uFCPGA | 2194/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 50 GiB total, 12.228 GiB free.
    D: is FIXED (NTFS) - 99 GiB total, 98.944 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    ??????????
    ???????????????(2.15.0841)
    µTorrent
    Acrobat.com
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop Elements 8.0
    Adobe Premiere Elements 8.0
    Adobe Premiere Elements 8.0 Templates
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Audacity 1.3.11 (Unicode)
    AVG 2012
    Bamboo
    CutePDF Writer 2.8
    ECO????????
    EPSON LP-S9000 プリンタドライバ
    EPSON Printer Software
    Freeware PDF Unlocker
    GIMP 2.6.8
    Google Chrome
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Java(TM) 6 Update 20
    KONICA MINOLTA bizhub 501/421/361
    LAME v3.98.2 for Audacity
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Sync Framework 2.0 Core Components (x86) ENU
    Microsoft Sync Framework 2.0 Provider Services (x86) ENU
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileOptimizer
    Mozilla Firefox 7.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NX PAD Driver
    One-Touch Start Button Settings(2.15.0921)
    One-Touch Start Button Settings(2.15.0922)
    OpenOffice.org 3.2
    QuickTime
    Realtek High Definition Audio Driver
    Roxio BackOnTrack
    Roxio Central Audio
    Roxio Central Copy
    Roxio Central Core
    Roxio Central Data
    Roxio Central Tools
    Roxio Creator LJB
    Roxio File Backup
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 5.5
    SmartSound Quicktracks for Premiere Elements 8.0
    Trend Micro OfficeScan Client
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    VLC media player 1.1.5
    Webroot SecureAnywhere
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Windows Driver Package - NEC (necbatt) Battery (10/27/2008 1.0.0.3)
    Windows Media Player Firefox Plugin
    WinDVD for NEC
    .
    ==== End Of File ===========================

    ComboFix 11-10-20.07 - teuser12 2011/10/21 9:11.1.1 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2008.991 [GMT 9:00]
    Running from: c:\users\teuser12\Desktop\ComboFix.exe
    AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-20 00:41 . 2011-10-20 00:41 106312 ----a-w- c:\windows\system32\drivers\XpRGfeoJ.sys
    2011-10-20 00:40 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\WmXoWyxM.sys
    2011-10-19 05:40 . 2011-10-19 05:40 -------- d-----w- c:\program files\Common Files\Java
    2011-10-18 23:29 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\oCUFOSvY.sys
    2011-10-18 07:12 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\qjtVOywI.sys
    2011-10-18 03:30 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\oNENcjxF.sys
    2011-10-18 02:43 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\IblGBIPG.sys
    2011-10-18 02:04 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\BnLeaunI.sys
    2011-10-17 23:24 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\aCiZaTdV.sys
    2011-10-17 07:31 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\BLSQuUeH.sys
    2011-10-17 06:58 . 2011-10-17 06:58 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
    2011-10-17 06:52 . 2011-10-17 06:52 -------- d-----w- c:\users\Administrator\AppData\Roaming\WTablet
    2011-10-17 06:51 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\ZFqROvIw.sys
    2011-10-17 02:41 . 2011-10-18 03:33 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
    2011-10-17 00:44 . 2008-01-21 02:24 503864 ----a-w- c:\windows\system32\drivers\euSFqUEp.sys
    2011-10-16 23:44 . 2011-10-16 23:44 -------- d-----w- c:\users\teuser12\AppData\Roaming\Malwarebytes
    2011-10-16 23:43 . 2011-10-16 23:43 -------- d-----w- c:\programdata\Malwarebytes
    2011-10-16 23:43 . 2011-10-16 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-16 23:43 . 2011-08-31 08:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-14 06:09 . 2011-10-14 06:09 -------- d-----w- c:\users\teuser12\AppData\Local\Mozilla
    2011-10-14 04:59 . 2011-10-14 04:59 -------- d-----w- C:\$AVG
    2011-10-14 04:24 . 2011-10-14 04:24 -------- d--h--w- c:\programdata\Common Files
    2011-10-14 04:16 . 2011-10-19 05:53 -------- d-----w- c:\programdata\MFAData
    2011-10-14 00:24 . 2011-10-14 00:24 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-10-14 00:17 . 2011-10-14 04:13 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-10-14 00:17 . 2011-10-14 04:13 -------- d-----w- c:\programdata\Lavasoft
    2011-09-28 23:36 . 2011-09-28 23:36 -------- d-----w- c:\users\teuser12\AppData\Roaming\WTablet
    2011-09-28 23:36 . 2010-10-21 00:38 642928 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
    2011-09-28 23:35 . 2010-10-05 04:26 16240 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
    2011-09-28 23:34 . 2010-10-05 04:26 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
    2011-09-28 23:33 . 2010-10-05 04:26 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
    2011-09-28 23:33 . 2010-10-21 00:38 506736 ----a-w- c:\windows\system32\Wintab32.dll
    2011-09-28 23:33 . 2010-10-21 00:38 650096 ----a-w- c:\windows\system32\Pen_Tablet.dll
    2011-09-28 23:33 . 2011-09-28 23:36 -------- d-----w- c:\program files\Tablet
    2011-09-28 23:30 . 2011-09-28 23:30 -------- d-----w- c:\programdata\Bamboo
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-19 05:39 . 2010-05-10 23:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-03 23:21 . 2011-09-04 23:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-29 06:53 . 2011-10-14 06:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "CAHeadless"="c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-05 615808]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-07-29 17361032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DispSw"="c:\program files\DispSw\DispSw.exe" [2009-02-27 54592]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-30 6793760]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-11-30 200704]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-25 718120]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzc3MDM1MDcyLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1831&mid=881d02e6282747d18ef8d144186399ab-c287950f409fe3c8c04ffcb26755c011da0a65ed" [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 1 (0x1)
    "disablecad"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDevMgrUpdate"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDevMgrUpdate"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDevMgrUpdate"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3129147724-2985013543-2573953104-1253\Scripts\Logon\0\0]
    "Script"=koumu.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3129147724-2985013543-2573953104-1254\Scripts\Logon\0\0]
    "Script"=koumu.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3129147724-2985013543-2573953104-1261\Scripts\Logon\0\0]
    "Script"=koumu.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2009-11-30 08:00 178712 ----a-w- c:\windows\System32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2009-11-30 08:00 150040 ----a-w- c:\windows\System32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2011-08-31 08:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
    2009-02-25 05:25 718120 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2009-11-30 08:00 154136 ----a-w- c:\windows\System32\igfxpers.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "CAHeadless"=c:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NPSpeed"=c:\program files\NPSpeed\NPSpeed.exe
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2169251323-3254271878-3760846248-1000]
    "EnableNotificationsRef"=dword:00000003
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2169251323-3254271878-3760846248-500]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google ?????? ???? (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 135664]
    R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2010-10-20 249424]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2010-10-20 36432]
    R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 135664]
    R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2009-02-25 652552]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-10-05 16240]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys [x]
    S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-05 169312]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    S2 MobileOptimizer;MobileOptimizer;c:\program files\netsw\netservc.exe [2009-02-02 61440]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-21 4869488]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-21 416112]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-11-30 223232]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
    S3 necbatt;Battery Filter Driver;c:\windows\system32\DRIVERS\necbatt.sys [2009-11-30 9216]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 06:56]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 06:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.vill.tomari.hokkaido.jp/main.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: Interfaces\{EB44EA71-9E9C-4C93-8352-D761F5F53BCE}: NameServer = 192.168.1.10
    FF - ProfilePath -
    .
    .
    ------- File Associations -------
    .
    JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Wdf01000.sys
    MSConfigStartUp-WRSVC - c:\program files\Webroot\WRSA.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-21 09:18
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-21 09:23:29
    ComboFix-quarantined-files.txt 2011-10-21 00:23
    .
    Pre-Run: 12,796,665,856 bytes free
    Post-Run: 13,552,635,904 bytes free
    .
    - - End Of File - - 78BF4F68312A1904C1DD0BD5735E2952
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    We're going to have some problems because there is another language on the system and the scans can't read those entries. For instance:
    ??????????
    ???????????????(2.15.0841)
    オTorrent
    R2 gupdate;Google ?????? ???? (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-07 135664]
    ECO????????
    EPSON LP-S9000 プリンタドライバ
    =========================================
    There is also a group of files from 2008, none of which I can identify:
    And another group on 10/17-10/18/2011
    =================================
    There is also the matter of the large number of policy settings that you didn't set.
    ==========================================
    Since this is your work system, I'm going to point you to your choices:
    1. Let the IT at work go over the system.
    or
    2. Do a reformat/reinstall.
    Then only put the programs and settings needed, ones that you know what they do.

    Technically, it's possible I could remove these entries. But since I can't identify them and there are so many, I don't consider this to be acceptable.
     

