PUM.hijack.system.hidden symptoms?

Solved
By SsapS
Oct 4, 2013
  1. Hello,

    I have been chasing down an issue that is possibly a rootkit or at least a type of process that can modify the MBR.

    I am using a program called BootIt Bare Metal that allows more then 4 primary windows partitions.
    Randomly, and not something easy to reproduce, the 1st track of the MBR gets modified disabling the ExtendedMBR that BIBM uses.

    That was my theory until now, after running Kaspersky Rescue Disk, TDSSKiller, which detected nothing. I just ran Malwarebytes and found on two different installs (and I'm continuing to scan)
    First install:
    PUM.hijack.system.hidden
    PUM.disabled.securityCenter (x3)
    Second install:
    Hijack.controlpanelstyle
    PUM.hijack.startmenu
    PUM.hijack.help

    So I figure if this is across multiple installs, it's probably being distributed by removable media. I honestly don't care about the removable media being infected and I will deal with that soon enough. The biggest issue is that these laptop's are going out to my customers and I really need them fixed ! :confused:

    My question to you however, does any of the associated infections with this malware manipulate MBR? I browsed a ton online for information about this lil bug, google ranking makes it a pain to find anything other then removal, which Malware-bytes seems to be doing ok with.

    Appreciate your time,
    SsapS
  2. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Also, the Malwarebytes tool is MBAR

    I keep finding these in each installation, but this was new and promising:

    Registry Value "AppInit_Dlls" has been found, which may be caused by rootkit activity

    openen MBAR again, updated, tried to scan and got:

    Could not load DDA driver
    DDA driver was not installed which may be caused by rootkit activity. Do you want to reboot the computer to install DDA driver?

    Rebooted, scanned, got :


    PUM.Hijack.ConnectionControl
    PUM.rightClick.Disabled
    PUM.Disabled.SecurityCenter x3
  3. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    So I figure I may have just answered my own question. Does a rootkit manipulate the MBR? Of course it does that's what rootkit implies eh?

    edit: although...the error message does just say that registry "may be caused by rootkit activity"

    So I suppose I still could have the rootkit I just took out a small part of it...
  4. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  5. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.10.07.11

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Star :: STAR43715 [administrator]

    Protection: Enabled

    10/7/2013 2:48:12 PM
    MBAM-log-2013-10-07 (14-53-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 191915
    Time elapsed: 3 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|StarInsecure (PUP.HiddenStart.H) -> Data: %systemroot%\StarInsecure\hstart.exe /NOCONSOLE /WAIT %systemroot%\StarInsecure\StarInsecure.bat -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\WINDOWS\StarInsecure\hstart.exe (PUP.HiddenStart.H) -> No action taken.

    (end)

    -

    On threat deletion and restart I received a BSOD. I do have another copy of this partition, so I can get it up by tomorrow and follow the rest of the steps. The two detections are files used by Mercedes Benz software. Now if this was the reason my MBR keeps being re-written/modified, that would be great to know.
  6. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    If you're 100% sure those two files are safe it's fine with me.
    If you're not 100% sure, re-run MBAM, fix both issues and post new log.

    I still need DDS logs.
  7. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/24/2007 10:56:50 PM
    System Uptime: 10/8/2013 11:11:20 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 03PH4G
    Processor: Intel(R) Core(TM) i3-2310M CPU @ 2.10GHz | CPU 1 | 2095/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 40 GiB total, 28.341 GiB free.
    D: is FIXED (NTFS) - 29 GiB total, 9.485 GiB free.
    E: is FIXED (NTFS) - 16 GiB total, 2.987 GiB free.
    F: is FIXED (NTFS) - 29 GiB total, 5.333 GiB free.
    G: is CDROM (CDFS)
    H: is FIXED (FAT32) - 119 GiB total, 115.065 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) HD Graphics Family
    Device ID: PCI\VEN_8086&DEV_0116&SUBSYS_049A1028&REV_09\3&11583659&0&10
    Manufacturer: Intel Corporation
    Name: Intel(R) HD Graphics Family
    PNP Device ID: PCI\VEN_8086&DEV_0116&SUBSYS_049A1028&REV_09\3&11583659&0&10
    Service: ialm
    .
    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: IDT High Definition Audio CODEC
    Device ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76E7&SUBSYS_1028049A&REV_1001\4&1559F42&0&0001
    Manufacturer: IDT
    Name: IDT High Definition Audio CODEC
    PNP Device ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76E7&SUBSYS_1028049A&REV_1001\4&1559F42&0&0001
    Service: STHDA
    .
    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description: ST Micro Accelerometer
    Device ID: ACPI\SMO8800\1
    Manufacturer: ST Microelectronics
    Name: ST Micro Accelerometer
    PNP Device ID: ACPI\SMO8800\1
    Service: Acceler
    .
    ==== System Restore Points ===================
    .
    RP106: 8/21/2013 6:18:34 PM - Removed Symantec AntiVirus
    RP107: 9/19/2013 12:20:35 PM - System Checkpoint
    RP108: 10/7/2013 11:10:26 AM - Malwarebytes Anti-Rootkit Restore Point
    .
    ==== Installed Programs ======================
    .
    AccelerometerP11
    Acrobat Reader 7.0
    Adobe Reader 7.0.9
    Adobe Reader 9.1
    Adobe SVG Viewer 3.0
    Arbortext IsoView 7.0 M010
    AuthenTec Fingerprint Driver
    Autodesk WHIP! (Release 4.0-102)
    BWK Data forwarding Setup
    Document_Installer
    EWA net
    EWA_net_Admin
    EWA_net_Client_Applications
    EWA_net_Core
    EWA_net_EPC
    EWA_net_Server
    EWA_net_WIS
    EWA_net_WIS_CaseOnline_Importer
    HardwareAssistent
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB961118)
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    Java(TM) 6 Update 24
    Juniper Installer Service
    Juniper Networks, Inc. Setup Client Activex Control
    LiveUpdate 3.1 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MoTelDiSPrep
    MSXML 4.0 SP2 (KB941833)
    MSXML 6.0 Parser
    Netwaiting
    O2Micro Flash Memory Card Windows Driver
    Online Update BG
    QuickTime
    SDconnect Toolkit
    SDconnect Toolkit 2.1.0.9
    SDexplorer
    SDnetAssist
    SDnetControl
    SDprinterConfig
    SDscan
    SDsecchange
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Setup_GTUtils
    Star Diagnosis
    StarAnalysis
    StarTransfer
    StarUtilities
    TeamViewer 8
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2467659)
    WebFldrs XP
    Windows Driver Package - ads-tec GmbH (AR5416) Net (11/17/2010 7.7.0.430)
    Windows Internet Explorer 8
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    WIS net Standalone
    WLANSignalView
    XENTRY
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/8/2013 11:12:26 AM, error: Service Control Manager [7000] - The rimmptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/7/2013 11:37:00 AM, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
    10/7/2013 1:59:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: HWiNFO32
    10/7/2013 1:59:03 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/7/2013 1:59:03 PM, error: Service Control Manager [7000] - The Audio Service service failed to start due to the following error: The system cannot find the path specified.
    10/7/2013 1:58:57 PM, error: Print [23] - Printer Microsoft Office Document Image Writer failed to initialize because a suitable Microsoft Office Document Image Writer Driver driver could not be found.
    .
    ==== End Of File ===========================










    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Star at 11:15:56 on 2013-10-08
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2811 [GMT -7:00]
    .
    .
    ============== Running Processes ================
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://aftersales.I.daimler.com
    uDefault_Page_URL = hxxps://aftersales.I.daimler.com
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: WebCGMHlprObj Class: {56B38F40-4E70-11d4-A076-0080AD86BA2F} - c:\windows\system32\cgmopenbho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [StarInsecure] c:\windows\starinsecure\hstart.exe /noconsole /wait c:\windows\starinsecure\StarInsecure.bat
    uRun: [SDprinterConfig] c:\programme\sdprinterconfig\SDprinterConfig.exe /init
    mRun: [HotFixInstaller] c:\programme\hotfixinst\hotfixinst.exe
    mRun: [LaunchComServer] "c:\program files\sdconnect toolkit\bin\TKTray.exe"
    mRun: [SDNC] c:\programme\sdnetcontrol\SDNC.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
    mRun: [BWK] c:\programme\bwk\Startup.lnk
    mRun: [Brightness] c:\programme\temp\Brightness.lnk
    dRun: [CTFMON.EXE] c:\winnt\system32\ctfmon.exe
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDrives = dword:0
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{1710BAF9-63EA-466A-802B-8FACFAC57DAA} : DHCPNameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{1CFDA05D-9B30-4048-926E-9765644CE039} : DHCPNameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{25B05A5C-CA65-437F-9890-FC01F87D3A45} : DHCPNameServer = 202.96.128.166 202.96.134.133
    TCP: Interfaces\{EF053F6B-6113-4261-B905-06D24EF2AAD0} : DHCPNameServer = 192.168.0.1 205.171.2.65
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - <no file>
    AppInit_DLLs= StarInsecure.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {B3CCFD16-E9F2-48D6-8D1D-8C0AF61DFC0E} - msiexec /I c:\changelanguage\userlanguage.msi addlocal=en internationalreg=1 /qn /l* c:\userdata\logs\system\UserLanguage_Star.log
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2010-9-2 17968]
    R2 EWA net DB Core;EWA net DB Core;c:\programme\ewa\database\transbase ewa\tbmux32.exe [2012-8-17 326616]
    R2 EWA net DB EPC;EWA net DB EPC;c:\programme\ewa\database\transbase epc\tbmux32.exe [2012-8-17 417792]
    R2 EWA net DB WIS;EWA net DB WIS;c:\programme\ewa\database\transbase wis\tbmux32.exe [2012-8-17 326616]
    R2 EWA net Server;EWA net Server;c:\programme\ewa\server\bin\tomcat.exe [2012-8-17 65536]
    R2 HWAssistentService;Hardware Assistent Service;c:\programme\hardwareassistent\HWAssistentService.exe [2012-8-16 7680]
    R2 JidaN;JidaN;c:\programme\temp\JidaN.sys [2012-8-16 30208]
    R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2012-3-6 198520]
    R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2013-2-11 8192]
    R2 SDImpersonationService;Star Diagnosis Impersonation Service;c:\windows\zak\service.exe [2012-8-16 94208]
    R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2013-7-8 3463080]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2013-2-11 113664]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-2-11 260864]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2013-2-11 41088]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [2013-2-11 61728]
    R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [2013-2-11 63976]
    S1 HWiNFO32;HWiNFO32/64 Kernel Driver;\??\c:\docume~1\star\locals~1\temp\mydrivers32.sys --> c:\docume~1\star\locals~1\temp\Mydrivers32.SYS [?]
    S3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys --> c:\windows\system32\drivers\Accelern.sys [?]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [2013-2-11 42432]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2013-6-24 116224]
    S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2007-7-24 6609920]
    S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2012-7-11 6650752]
    S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
    S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys --> c:\windows\system32\drivers\vmmouse.sys [?]
    S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys --> c:\windows\system32\drivers\vmx_svga.sys [?]
    S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys --> c:\windows\system32\drivers\vmxnet.sys [?]
    S4 oubgschedservice;Online Update BG Scheduling Service;c:\programme\onlineupdatebg\schedservicemain.exe [2012-8-16 208896]
    .
    =============== File Associations ===============
    .
    FileExt: .ini: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2013-10-08 18:13:1132384-c--a-w-c:\windows\system32\dllcache\usbccgp.sys
    2013-10-08 18:13:1132384----a-w-c:\windows\system32\drivers\usbccgp.sys
    2013-10-07 18:05:05--------d-----w-c:\documents and settings\all users\application data\Malwarebytes
    2013-10-07 18:04:59--------d-----w-c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
    .
    ==================== Find3M ====================
    .
    2013-09-19 18:55:4917408----a-w-c:\windows\system32\rpcnetp.dll
    2013-09-19 18:55:2817408----a-w-c:\windows\system32\rpcnetp.exe
    .
    ============= FINISH: 11:16:41.87 ===============
  8. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    I don't see any AV program running.
    First step in our preliminaries calls for installing some AV program if you don't have any.
  9. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Before when I ran MBAM I had AVG Business installed. Then it resulted in the BSOD and the restore partition was without it...My apologies. I will re-install AVG and create the reports again.
  10. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    When done....

    [​IMG] Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
  11. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Revised dds logs

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Star at 11:22:04 on 2013-10-09
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2742 [GMT -7:00]
    .
    AV: AVG Internet Security Business Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ================
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://aftersales.I.daimler.com
    uDefault_Page_URL = hxxps://aftersales.I.daimler.com
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: WebCGMHlprObj Class: {56B38F40-4E70-11d4-A076-0080AD86BA2F} - c:\windows\system32\cgmopenbho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [StarInsecure] c:\windows\starinsecure\hstart.exe /noconsole /wait c:\windows\starinsecure\StarInsecure.bat
    uRun: [SDprinterConfig] c:\programme\sdprinterconfig\SDprinterConfig.exe /init
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
    mRun: [HotFixInstaller] c:\programme\hotfixinst\hotfixinst.exe
    mRun: [LaunchComServer] "c:\program files\sdconnect toolkit\bin\TKTray.exe"
    mRun: [SDNC] c:\programme\sdnetcontrol\SDNC.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
    mRun: [BWK] c:\programme\bwk\Startup.lnk
    mRun: [Brightness] c:\programme\temp\Brightness.lnk
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    dRun: [CTFMON.EXE] c:\winnt\system32\ctfmon.exe
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDrives = dword:0
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{1710BAF9-63EA-466A-802B-8FACFAC57DAA} : DHCPNameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{1CFDA05D-9B30-4048-926E-9765644CE039} : DHCPNameServer = 192.168.0.1 205.171.2.65
    TCP: Interfaces\{25B05A5C-CA65-437F-9890-FC01F87D3A45} : DHCPNameServer = 202.96.128.166 202.96.134.133
    TCP: Interfaces\{EF053F6B-6113-4261-B905-06D24EF2AAD0} : DHCPNameServer = 192.168.0.1 205.171.2.65
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - <no file>
    AppInit_DLLs= StarInsecure.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {B3CCFD16-E9F2-48D6-8D1D-8C0AF61DFC0E} - msiexec /I c:\changelanguage\userlanguage.msi addlocal=en internationalreg=1 /qn /l* c:\userdata\logs\system\UserLanguage_Star.log
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2010-9-2 17968]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-10-24 2398512]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 EWA net DB Core;EWA net DB Core;c:\programme\ewa\database\transbase ewa\tbmux32.exe [2012-8-17 326616]
    R2 EWA net DB EPC;EWA net DB EPC;c:\programme\ewa\database\transbase epc\tbmux32.exe [2012-8-17 417792]
    R2 EWA net DB WIS;EWA net DB WIS;c:\programme\ewa\database\transbase wis\tbmux32.exe [2012-8-17 326616]
    R2 EWA net Server;EWA net Server;c:\programme\ewa\server\bin\tomcat.exe [2012-8-17 65536]
    R2 HWAssistentService;Hardware Assistent Service;c:\programme\hardwareassistent\HWAssistentService.exe [2012-8-16 7680]
    R2 JidaN;JidaN;c:\programme\temp\JidaN.sys [2012-8-16 30208]
    R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2012-3-6 198520]
    R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2013-2-11 8192]
    R2 SDImpersonationService;Star Diagnosis Impersonation Service;c:\windows\zak\service.exe [2012-8-16 94208]
    R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2013-7-8 3463080]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2013-2-11 113664]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-2-11 260864]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2013-2-11 41088]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [2013-2-11 61728]
    R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [2013-2-11 63976]
    S1 HWiNFO32;HWiNFO32/64 Kernel Driver;\??\c:\docume~1\star\locals~1\temp\mydrivers32.sys --> c:\docume~1\star\locals~1\temp\Mydrivers32.SYS [?]
    S3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys --> c:\windows\system32\drivers\Accelern.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [2013-2-11 42432]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2013-6-24 116224]
    S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2007-7-24 6609920]
    S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2012-7-11 6650752]
    S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
    S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys --> c:\windows\system32\drivers\vmmouse.sys [?]
    S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys --> c:\windows\system32\drivers\vmx_svga.sys [?]
    S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys --> c:\windows\system32\drivers\vmxnet.sys [?]
    S4 oubgschedservice;Online Update BG Scheduling Service;c:\programme\onlineupdatebg\schedservicemain.exe [2012-8-16 208896]
    .
    =============== File Associations ===============
    .
    FileExt: .ini: Applications\WORDPAD.EXE="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2013-10-09 18:04:07--------d--h--w-C:\$AVG
    2013-10-09 17:47:02--------d-----w-c:\documents and settings\star\application data\AVG2012
    2013-10-09 17:46:36--------d--h--w-c:\documents and settings\all users\application data\Common Files
    2013-10-09 17:45:01--------d-----w-c:\windows\system32\drivers\AVG
    2013-10-09 17:45:01--------d-----w-c:\documents and settings\all users\application data\AVG2012
    2013-10-09 17:44:12--------d-----w-c:\program files\AVG
    2013-10-09 17:43:31--------d-----w-c:\documents and settings\all users\application data\MFAData
    2013-10-08 18:13:1132384-c--a-w-c:\windows\system32\dllcache\usbccgp.sys
    2013-10-08 18:13:1132384----a-w-c:\windows\system32\drivers\usbccgp.sys
    2013-10-07 18:05:05--------d-----w-c:\documents and settings\all users\application data\Malwarebytes
    2013-10-07 18:04:59--------d-----w-c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
    .
    ==================== Find3M ====================
    .
    2013-09-19 18:55:4917408----a-w-c:\windows\system32\rpcnetp.dll
    2013-09-19 18:55:2817408----a-w-c:\windows\system32\rpcnetp.exe
    .
    ============= FINISH: 11:23:42.32 ===============









    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/24/2007 10:56:50 PM
    System Uptime: 10/9/2013 11:00:00 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 03PH4G
    Processor: Intel(R) Core(TM) i3-2310M CPU @ 2.10GHz | CPU 1 | 2095/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 40 GiB total, 27.695 GiB free.
    D: is FIXED (NTFS) - 29 GiB total, 9.485 GiB free.
    E: is FIXED (NTFS) - 16 GiB total, 2.986 GiB free.
    F: is FIXED (NTFS) - 29 GiB total, 5.332 GiB free.
    G: is CDROM (CDFS)
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) HD Graphics Family
    Device ID: PCI\VEN_8086&DEV_0116&SUBSYS_049A1028&REV_09\3&11583659&0&10
    Manufacturer: Intel Corporation
    Name: Intel(R) HD Graphics Family
    PNP Device ID: PCI\VEN_8086&DEV_0116&SUBSYS_049A1028&REV_09\3&11583659&0&10
    Service: ialm
    .
    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: IDT High Definition Audio CODEC
    Device ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76E7&SUBSYS_1028049A&REV_1001\4&1559F42&0&0001
    Manufacturer: IDT
    Name: IDT High Definition Audio CODEC
    PNP Device ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76E7&SUBSYS_1028049A&REV_1001\4&1559F42&0&0001
    Service: STHDA
    .
    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description: ST Micro Accelerometer
    Device ID: ACPI\SMO8800\1
    Manufacturer: ST Microelectronics
    Name: ST Micro Accelerometer
    PNP Device ID: ACPI\SMO8800\1
    Service: Acceler
    .
    ==== System Restore Points ===================
    .
    RP106: 8/21/2013 6:18:34 PM - Removed Symantec AntiVirus
    RP107: 9/19/2013 12:20:35 PM - System Checkpoint
    RP108: 10/7/2013 11:10:26 AM - Malwarebytes Anti-Rootkit Restore Point
    RP109: 10/8/2013 1:54:06 PM - System Checkpoint
    RP110: 10/9/2013 10:44:08 AM - Installed AVG 2012
    RP111: 10/9/2013 10:44:36 AM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    AccelerometerP11
    Acrobat Reader 7.0
    Adobe Reader 7.0.9
    Adobe Reader 9.1
    Adobe SVG Viewer 3.0
    Arbortext IsoView 7.0 M010
    AuthenTec Fingerprint Driver
    Autodesk WHIP! (Release 4.0-102)
    AVG 2012
    BWK Data forwarding Setup
    Document_Installer
    EWA net
    EWA_net_Admin
    EWA_net_Client_Applications
    EWA_net_Core
    EWA_net_EPC
    EWA_net_Server
    EWA_net_WIS
    EWA_net_WIS_CaseOnline_Importer
    HardwareAssistent
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB961118)
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    Java(TM) 6 Update 24
    Juniper Installer Service
    Juniper Networks, Inc. Setup Client Activex Control
    LiveUpdate 3.1 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MoTelDiSPrep
    MSXML 4.0 SP2 (KB941833)
    MSXML 6.0 Parser
    Netwaiting
    O2Micro Flash Memory Card Windows Driver
    Online Update BG
    QuickTime
    SDconnect Toolkit
    SDconnect Toolkit 2.1.0.9
    SDexplorer
    SDnetAssist
    SDnetControl
    SDprinterConfig
    SDscan
    SDsecchange
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Setup_GTUtils
    Star Diagnosis
    StarAnalysis
    StarTransfer
    StarUtilities
    TeamViewer 8
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2467659)
    WebFldrs XP
    Windows Driver Package - ads-tec GmbH (AR5416) Net (11/17/2010 7.7.0.430)
    Windows Internet Explorer 8
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    WinRAR 4.20 (32-bit)
    WIS net Standalone
    WLANSignalView
    XENTRY
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/9/2013 9:46:35 AM, error: Service Control Manager [7000] - The Audio Service service failed to start due to the following error: The system cannot find the file specified.
    10/8/2013 11:12:26 AM, error: Service Control Manager [7000] - The rimmptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/7/2013 11:37:00 AM, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
    10/7/2013 11:35:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: HWiNFO32
    10/7/2013 11:35:00 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/7/2013 11:35:00 AM, error: Service Control Manager [7000] - The Audio Service service failed to start due to the following error: The system cannot find the path specified.
    10/7/2013 11:35:00 AM, error: Print [23] - Printer Microsoft Office Document Image Writer failed to initialize because a suitable Microsoft Office Document Image Writer Driver driver could not be found.
    .
    ==== End Of File ===========================
     
  12. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Cool :)
    Go on....
  13. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Alright, Roguekiller never completed, 4 attempts, the third was renamed winlogon.exe the fourth was renamed winlogon.com.

    First log, first attempt

    RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Star [Admin rights]
    Mode : Scan -- Date : 10/09/2013 11:47:36
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : Brightness (C:\Programme\Temp\Brightness.lnk [-]) -> FOUND
    [RUN][HJNAME] HKUS\.DEFAULT\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-18\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [DNS][PUM] HKLM\[...]\CS002\[...]\{4FF25E7A-D593-4147-AE2B-69D735A10BCC} : NameServer (202.96.134.133,202.96.128.68) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 1 ¤¤¤
    [administrator][SUSP PATH] alc.lnk : C:\Documents and Settings\administrator\Start Menu\Programs\Startup\alc.lnk @C:\PROGRA~2\Temp\alc.exe [-][-] -> FOUND

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CryptVerifySignatureA) : ADVAPI32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010910)
    [Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LX003-1AC154 +++++
    --- User ---
    [MBR] 1c7e5c9550f6f616c11c13f08e8e256a
    [BSP] 8f5214279902984f9ed9ce8108b09bab : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 432373473 | Size: 40891 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 998054190 | Size: 76010 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - SanDisk Cruzer USB Device +++++
    --- User ---
    [MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_S_10092013_114736.txt >>



    Second log


    RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Star [Admin rights]
    Mode : Scan -- Date : 10/09/2013 12:52:49
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : Brightness (C:\Programme\Temp\Brightness.lnk [-]) -> FOUND
    [RUN][HJNAME] HKUS\.DEFAULT\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-18\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [DNS][PUM] HKLM\[...]\CS002\[...]\{4FF25E7A-D593-4147-AE2B-69D735A10BCC} : NameServer (202.96.134.133,202.96.128.68) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 1 ¤¤¤
    [administrator][SUSP PATH] alc.lnk : C:\Documents and Settings\administrator\Start Menu\Programs\Startup\alc.lnk @C:\PROGRA~2\Temp\alc.exe [-][-] -> FOUND

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CryptVerifySignatureA) : ADVAPI32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010910)
    [Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LX003-1AC154 +++++
    --- User ---
    [MBR] 1c7e5c9550f6f616c11c13f08e8e256a
    [BSP] 8f5214279902984f9ed9ce8108b09bab : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 432373473 | Size: 40891 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 998054190 | Size: 76010 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_10092013_125249.txt >>




    Third log, with Roguekiller renamed to winlogon.exe


    RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Star [Admin rights]
    Mode : Scan -- Date : 10/09/2013 13:02:08
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : Brightness (C:\Programme\Temp\Brightness.lnk [-]) -> FOUND
    [RUN][HJNAME] HKUS\.DEFAULT\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-18\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [DNS][PUM] HKLM\[...]\CS002\[...]\{4FF25E7A-D593-4147-AE2B-69D735A10BCC} : NameServer (202.96.134.133,202.96.128.68) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 1 ¤¤¤
    [administrator][SUSP PATH] alc.lnk : C:\Documents and Settings\administrator\Start Menu\Programs\Startup\alc.lnk @C:\PROGRA~2\Temp\alc.exe [-][-] -> FOUND

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CryptVerifySignatureA) : ADVAPI32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010910)
    [Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LX003-1AC154 +++++
    --- User ---
    [MBR] 1c7e5c9550f6f616c11c13f08e8e256a
    [BSP] 8f5214279902984f9ed9ce8108b09bab : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 432373473 | Size: 40891 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 998054190 | Size: 76010 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_10092013_130208.txt >>
    RKreport[0]_S_10092013_125249.txt



    Fourth log, with Roguekiller renamed to winlogon.com


    RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Star [Admin rights]
    Mode : Scan -- Date : 10/09/2013 13:30:47
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : Brightness (C:\Programme\Temp\Brightness.lnk [-]) -> FOUND
    [RUN][HJNAME] HKUS\.DEFAULT\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-18\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> FOUND
    [DNS][PUM] HKLM\[...]\CS002\[...]\{4FF25E7A-D593-4147-AE2B-69D735A10BCC} : NameServer (202.96.134.133,202.96.128.68) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 1 ¤¤¤
    [administrator][SUSP PATH] alc.lnk : C:\Documents and Settings\administrator\Start Menu\Programs\Startup\alc.lnk @C:\PROGRA~2\Temp\alc.exe [-][-] -> FOUND

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010920)
    [Inline] EAT @explorer.exe (CryptVerifySignatureA) : ADVAPI32.dll -> HOOKED (C:\WINDOWS\system32\StarInsecure.dll @ 0x10010910)
    [Inline] EAT @explorer.exe (??_7bad_cast@std@@6B@) : MSVCR90.dll -> HOOKED (Unknown @ 0xFFCA75FE)

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LX003-1AC154 +++++
    --- User ---
    [MBR] 1c7e5c9550f6f616c11c13f08e8e256a
    [BSP] 8f5214279902984f9ed9ce8108b09bab : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 432373473 | Size: 40891 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 998054190 | Size: 76010 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - SanDisk Cruzer USB Device +++++
    --- User ---
    [MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_S_10092013_133047.txt >>
    RKreport[0]_S_10092013_125249.txt;RKreport[0]_S_10092013_130208.txt
  14. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Retry from safe mode.
  15. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Upon starting MBAR.exe before getting to the UI, I receive the following error, I previously posted about it.

    Anywho:

    Probable rootkit activity detected
    "Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

    Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

    Do you want to remove this value and restart the tool?"

    To which I clicked yes.

    I did not get a DDA driver missing error like before however.

    Also, the xentry files are most likely false positives as they are pretty much keygens used to enter different operating modes for the software. But then again..I didn't previously remove them when MBAR detected them, but I have been using the same file for about a year before this issue arose.

    I then updated and scanned which took longer then usual, the scan advised me to restart and once again got a BSOD. So I mounted the partition in another windows and pulled the MBAR logs. It's odd though, I ran MBAR before I made this thread and it didn't kill the install. Anyways, after retrieving the logs from another windows install, I rebooted and something had written to the MBR and disabled Boot It Bare Metal. Anyways, the logs while I restore /attempt safe mode


    Malwarebytes Anti-Rootkit BETA 1.07.0.1005
    www.malwarebytes.org

    Database version: v2013.10.09.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Star :: STAR43715 [administrator]

    10/9/2013 1:49:34 PM
    mbar-log-2013-10-09 (13-49-34).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
    Objects scanned: 194934
    Time elapsed: 39 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDDEN\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Replace on reboot.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\Documents and Settings\Star\Desktop\Xentry Developer (1).exe (Spyware.Zbot.USBV) -> Delete on reboot.
    C:\Documents and Settings\Star\Local Settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Delete on reboot.
    C:\Documents and Settings\Star\Desktop\tools\3 Xentry\Xentry Developer New.exe (Spyware.Zbot.USBV) -> Delete on reboot.
    C:\Documents and Settings\Star\Desktop\winlogon.com (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.994000 GHz
    Memory total: 3711008768, free: 3208650752

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.994000 GHz
    Memory total: 3711008768, free: 3224834048

    Downloaded database version: v2013.10.07.09
    Downloaded database version: v2013.09.30.01
    =======================================
    Initializing...
    DDA Driver installation error.
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.994000 GHz
    Memory total: 3711008768, free: 3250077696

    Initializing...
    =======================================
    ------------ Kernel report ------------
    10/07/2013 11:04:59
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    spif.sys
    \WINDOWS\System32\Drivers\WMILIB.SYS
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    ACPI.sys
    pci.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    iaStor.sys
    vmscsi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    agp440.sys
    \SystemRoot\system32\DRIVERS\nic1394.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNx32.sys
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\ws2ifsl.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\arp1394.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \??\C:\Programme\Temp\jidan.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\drivers\kmixer.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR6
    Upper Device Object: 0xffffffff874ab798
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\000000a1\
    Lower Device Object: 0xffffffff878d4ea0
    Lower Device Driver Name: \Driver\USBSTOR\
    IRP handler 0 of \Driver\USBSTOR points to an unknown module
    Unhooking enabled.
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR6
    Upper Device Object: 0xffffffff874ab798
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\000000a1\
    Lower Device Object: 0xffffffff878d4ea0
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    Initialization returned 0x0
    Load Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b0b18c8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8a5fa028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8b0b18c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8b072020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8b0b18c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a5fa028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe10d2508, 0xffffffff8b0b18c8, 0xffffffff87493808
    Lower DeviceData: 0xffffffffe290f070, 0xffffffff8a5fa028, 0xffffffff87895f18
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 98B098B0

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 16128 Numsec = 83746782
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 83762910 Numsec = 155669850

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 750156374016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-16127-1465129168-1465149168)...
    Done!
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff874ab798, DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff87833660, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff874ab798, DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff878d4ea0, DeviceName: \Device\000000a1\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe11f2510, 0xffffffff874ab798, 0xffffffff879fa808
    Lower DeviceData: 0xffffffffe18bd9d8, 0xffffffff878d4ea0, 0xffffffff87499b50
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 51E6CC38

    Partition information:

    Partition 0 type is Other (0xb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 44 Numsec = 15679396

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 8029470208 bytes
    Sector size: 512 bytes

    Done!
    Infected: C:\Documents and Settings\Star\Desktop\tools\3 Xentry\Xentry Developer New.exe --> [Spyware.Zbot.USBV]
    Infected: HKCU\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|ConnectionsTab --> [PUM.Hijack.ConnectionControl]
    Infected: HKCU\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\RESTRICTIONS|NoBrowserContextMenu --> [PUM.RightClick.Disabled]
    Infected: HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify --> [PUM.Disabled.SecurityCenter]
    Infected: HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify --> [PUM.Disabled.SecurityCenter]
    Infected: HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify --> [PUM.Disabled.SecurityCenter]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal successful. No system shutdown is required.
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_16128_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3390869504

    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3137171456

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3149508608

    Initializing...
    ======================
    DDA Driver installation error.
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3236315136

    =======================================
    ------------ Kernel report ------------
    10/07/2013 11:40:26
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    spuf.sys
    \WINDOWS\System32\Drivers\WMILIB.SYS
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    ACPI.sys
    pci.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    iaStor.sys
    vmscsi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    agp440.sys
    \SystemRoot\system32\DRIVERS\nic1394.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNx32.sys
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\ws2ifsl.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\arp1394.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \??\C:\Programme\Temp\jidan.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b0c5030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8b071028
    Lower Device Driver Name: \Driver\iaStor\
    IRP handler 0 of \Driver\iaStor is hooked
    IRP handler 2 of \Driver\iaStor is hooked
    IRP handler 14 of \Driver\iaStor is hooked
    IRP handler 15 of \Driver\iaStor is hooked
    IRP handler 16 of \Driver\iaStor is hooked
    IRP handler 22 of \Driver\iaStor is hooked
    IRP handler 23 of \Driver\iaStor is hooked
    IRP handler 27 of \Driver\iaStor is hooked
    Unhooking enabled.
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b0c5030
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8b071028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8b0c5030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8b074b20, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8b0c5030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8b071028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe1288348, 0xffffffff8b0c5030, 0xffffffff87861918
    Lower DeviceData: 0xffffffffe27f4090, 0xffffffff8b071028, 0xffffffff87548a68
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 98B098B0

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 16128 Numsec = 83746782
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 83762910 Numsec = 155669850

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 750156374016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-16127-1465129168-1465149168)...
    Done!
    Infected: C:\Documents and Settings\Star\Desktop\tools\3 Xentry\Xentry Developer New.exe --> [Spyware.Zbot.USBV]
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_16128_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3390705664

    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3212910592

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 3711008768, free: 3199545344

    =======================================
    Initializing...
    ------------ Kernel report ------------
    10/07/2013 13:21:23
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    spng.sys
    \WINDOWS\System32\Drivers\WMILIB.SYS
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    ACPI.sys
    pci.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    iaStor.sys
    vmscsi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    agp440.sys
    \SystemRoot\system32\DRIVERS\nic1394.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\NETwNx32.sys
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\rimmptsk.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\ws2ifsl.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\arp1394.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \??\C:\Programme\Temp\jidan.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b0dd8c8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8b039028
    Lower Device Driver Name: \Driver\iaStor\
    IRP handler 0 of \Driver\iaStor is hooked
    IRP handler 2 of \Driver\iaStor is hooked
    IRP handler 14 of \Driver\iaStor is hooked
    IRP handler 15 of \Driver\iaStor is hooked
    IRP handler 16 of \Driver\iaStor is hooked
    IRP handler 22 of \Driver\iaStor is hooked
    IRP handler 23 of \Driver\iaStor is hooked
    IRP handler 27 of \Driver\iaStor is hooked
    Unhooking enabled.
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8b0dd8c8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8b039028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8b0dd8c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8b0b8020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8b0dd8c8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8b039028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe1155418, 0xffffffff8b0dd8c8, 0xffffffff8b01f040
    Lower DeviceData: 0xffffffffe151a338, 0xffffffff8b039028, 0xffffffff89354580
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 98B098B0

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 16128 Numsec = 83746782
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 83762910 Numsec = 155669850

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 750156374016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-16127-1465129168-1465149168)...
    Done!
    Infected: C:\Documents and Settings\Star\Desktop\tools\3 Xentry\Xentry Developer New.exe --> [Spyware.Zbot.USBV]
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_16128_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 2.095000 GHz
    Memory total: 3398356992, free: 3111907328

    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 2.095000 GHz
    Memory total: 3398356992, free: 2588315648

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1005

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    Java version: 1.6.0_24

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED
    CPU speed: 2.095000 GHz
    Memory total: 3398356992, free: 2588917760

    Downloaded database version: v2013.10.07.10
    Downloaded database version: v2013.10.07.11
    Downloaded database version: v2013.10.07.12
    Downloaded database version: v2013.10.08.01
    Downloaded database version: v2013.10.08.02
    Downloaded database version: v2013.10.08.03
    Downloaded database version: v2013.10.08.04
    Downloaded database version: v2013.10.08.05
    Downloaded database version: v2013.10.08.06
    Downloaded database version: v2013.10.08.07
    Downloaded database version: v2013.10.08.08
    Downloaded database version: v2013.10.08.09
    Downloaded database version: v2013.10.09.01
    Downloaded database version: v2013.10.09.02
    Downloaded database version: v2013.10.09.03
    Downloaded database version: v2013.10.09.04
    Downloaded database version: v2013.10.09.05
    Downloaded database version: v2013.10.09.06
    Downloaded database version: v2013.10.09.07
    Downloaded database version: v2013.10.09.08
    Downloaded database version: v2013.10.08.02
    =======================================
    Initializing...
    ------------ Kernel report ------------
    10/09/2013 13:49:29
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    spbp.sys
    \WINDOWS\System32\Drivers\WMILIB.SYS
    \WINDOWS\System32\Drivers\SCSIPORT.SYS
    ACPI.sys
    pci.sys
    ohci1394.sys
    \WINDOWS\system32\DRIVERS\1394BUS.SYS
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    intelide.sys
    pcmcia.sys
    MountMgr.sys
    ftdisk.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    iaStor.sys
    vmscsi.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    avgrkx86.sys
    AVGIDSEH.Sys
    agp440.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\HECI.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\bcmwl5.sys
    \SystemRoot\system32\DRIVERS\nic1394.sys
    \SystemRoot\system32\DRIVERS\o2sdjxp.sys
    \SystemRoot\system32\DRIVERS\O2MDRxp.sys
    \SystemRoot\system32\DRIVERS\b57xp32.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\avgfwdx.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\system32\DRIVERS\avgmfx86.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\avgtdix.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\ws2ifsl.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\avgldx86.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\arp1394.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\framebuf.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\System32\Drivers\ParVdm.SYS
    \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    \??\C:\Programme\Temp\jidan.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\DOCUME~1\Star\LOCALS~1\Temp\mbr.sys
    \??\C:\WINDOWS\system32\TrueSight.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8adb8ab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff8ada7d98
    Lower Device Driver Name: \Driver\atapi\
    IRP handler 0 of \Driver\atapi is hooked
    IRP handler 2 of \Driver\atapi is hooked
    IRP handler 14 of \Driver\atapi is hooked
    IRP handler 15 of \Driver\atapi is hooked
    IRP handler 22 of \Driver\atapi is hooked
    IRP handler 23 of \Driver\atapi is hooked
    IRP handler 27 of \Driver\atapi is hooked
    Unhooking enabled.
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8adb8ab8
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
    Lower Device Object: 0xffffffff8ada7d98
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    Initialization returned 0x0
    Load Function returned 0x0
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8adb8ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8ad068f0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8adb8ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8ada7d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0xffffffffe323b800, 0xffffffff8adb8ab8, 0xffffffff8a136800
    Lower DeviceData: 0xffffffffe35584e0, 0xffffffff8ada7d98, 0xffffffff8a0d1d08
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: B9D5B9D5

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 432373473 Numsec = 83746782
    Partition is not bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 998054190 Numsec = 155669850

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 750156374016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-432373472-1465129168-1465149168)...
    Done!
    Error referencing handle to "\DosDevices\H:", status 0xc0000034
    Read File: File "c:\documents and settings\all users\application data\avg2012\chjw\3ce081a5e08165cc.dat:80988030-ad36-4427-9f74-a40dc51d4a04" is sparse (flags = 32768)
    Infected: C:\Documents and Settings\Star\Desktop\Xentry Developer (1).exe --> [Spyware.Zbot.USBV]
    Infected: C:\Documents and Settings\Star\Local Settings\Temp\cvasds0.dll --> [Spyware.OnlineGames]
    Infected: C:\Documents and Settings\Star\Desktop\tools\3 Xentry\Xentry Developer New.exe --> [Spyware.Zbot.USBV]
    Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDDEN\SHOWALL|CheckedValue --> [PUM.Hijack.System.Hidden]
    Infected: C:\Documents and Settings\Star\Desktop\winlogon.com --> [Heuristics.Reserved.Word.Exploit]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    Removal queue found; removal started
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_432373473_i.mbam...
    Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removal finished
  16. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Safe mode allowed me to boot into the BSOD partition. Running roguekiller now
  17. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Safe mode
    User : Star [Admin rights]
    Mode : Remove -- Date : 10/09/2013 17:08:55
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : Brightness (C:\Programme\Temp\Brightness.lnk [-]) -> DELETED
    [RUN][HJNAME] HKUS\.DEFAULT\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> DELETED
    [RUN][HJNAME] HKUS\S-1-5-18\[...]\Run : CTFMON.EXE (C:\WINNT\system32\ctfmon.exe [-]) -> [0x2] The system cannot find the file specified.
    [RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Rootkit (cleanup) (rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\cleanup.dll",ProcessCleanupScript "C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)" [x][7][x][-]) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\RunOnce : (A0) (cmd /c "C:\Documents and Settings\Star\Desktop\mbar\mbar.exe" /rdv /s [7]) -> DELETED
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 1 ¤¤¤
    [administrator][SUSP PATH] alc.lnk : C:\Documents and Settings\administrator\Start Menu\Programs\Startup\alc.lnk @C:\PROGRA~2\Temp\alc.exe [-][-] -> DELETED

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LX003-1AC154 +++++
    --- User ---
    [MBR] 1c7e5c9550f6f616c11c13f08e8e256a
    [BSP] 8f5214279902984f9ed9ce8108b09bab : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 432373473 | Size: 40891 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 998054190 | Size: 76010 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - SanDisk Cruzer USB Device +++++
    --- User ---
    [MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_D_10092013_170855.txt >>
    RKreport[0]_S_10092013_170752.txt
  18. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Good.

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    [​IMG] Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  19. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    Okay so today after rebooting and killing AVG with appkiller (was still in safe mode) I tried to enter the OS normally and it didnt BSOD on me but hung on login.

    Thought it was worth a mention...working through your instructions now in safe mode.
  20. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    May be worth mention, a program stopped responding when combofix first started its scan. rmbr.3xe --> ntdll.dll were in the error details.


    ComboFix 13-10-09.01 - Star 10/10/2013 15:35:44.2.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2840 [GMT -7:00]
    Running from: c:\documents and settings\Star\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-09-10 to 2013-10-10 )))))))))))))))))))))))))))))))
    .
    .
    2013-10-09 20:48 . 2013-10-09 20:4848728----a-w-c:\windows\system32\drivers\mbamchameleon.sys
    2013-10-09 18:04 . 2013-10-09 18:04--------d-----w-C:\$AVG
    2013-10-09 17:46 . 2013-10-09 17:46--------d--h--w-c:\documents and settings\All Users\Application Data\Common Files
    2013-10-09 17:45 . 2013-10-10 20:15--------d-----w-c:\windows\system32\drivers\AVG
    2013-10-08 18:13 . 2008-04-22 21:0932384-c--a-w-c:\windows\system32\dllcache\usbccgp.sys
    2013-10-08 18:13 . 2008-04-22 21:0932384----a-w-c:\windows\system32\drivers\usbccgp.sys
    2013-10-07 18:05 . 2013-10-07 18:05--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2013-10-07 18:04 . 2013-10-09 21:32--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-09-19 18:55 . 2013-06-24 23:2817408----a-w-c:\windows\system32\rpcnetp.dlly
    2013-09-19 18:55 . 2013-06-24 23:2617408----a-w-c:\windows\system32\rpcnetp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StarInsecure"="c:\windows\StarInsecure\hstart.exe" [2010-07-08 44040]
    "SDprinterConfig"="c:\programme\SDprinterConfig\SDprinterConfig.exe" [2012-05-10 188416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotFixInstaller"="c:\programme\hotfixinst\hotfixinst.exe" [2012-03-07 172032]
    "LaunchComServer"="c:\program files\SDconnect Toolkit\bin\TKTray.exe" [2011-11-02 233112]
    "SDNC"="c:\programme\SDNetControl\SDNC.exe" [2012-04-20 1781760]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-07-12 495708]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-08-16 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-12 145432]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-12 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-12 170008]
    "BWK"="c:\programme\BWK\Startup.lnk" [2012-08-16 1503]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecuteREG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-28 01:1035696----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
    2009-07-07 10:06737280------w-c:\windows\system32\AESTFltr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:0015360----a-w-c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WLAN_Info]
    2008-05-30 00:0369632----a-w-c:\programme\info_WLAN\info.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DefWatch"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/17/2012 12:40 PM 721904]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/2/2010 10:25 AM 17968]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2/11/2013 12:14 PM 41088]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [2/11/2013 12:07 PM 61728]
    R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [2/11/2013 12:07 PM 63976]
    S0 rjaty;rjaty;c:\windows\system32\drivers\imofugc.sys --> c:\windows\system32\drivers\imofugc.sys [?]
    S1 HWiNFO32;HWiNFO32/64 Kernel Driver;\??\c:\docume~1\Star\LOCALS~1\Temp\Mydrivers32.SYS --> c:\docume~1\Star\LOCALS~1\Temp\Mydrivers32.SYS [?]
    S2 EWA net DB Core;EWA net DB Core;c:\programme\ewa\database\TransBase EWA\tbmux32.exe [8/17/2012 2:12 PM 326616]
    S2 EWA net DB EPC;EWA net DB EPC;c:\programme\ewa\database\TransBase EPC\tbmux32.exe [8/17/2012 2:14 PM 417792]
    S2 EWA net DB WIS;EWA net DB WIS;c:\programme\ewa\database\TransBase WIS\tbmux32.exe [8/17/2012 2:16 PM 326616]
    S2 EWA net Server;EWA net Server;c:\programme\ewa\server\bin\tomcat.exe [8/17/2012 2:12 PM 65536]
    S2 HWAssistentService;Hardware Assistent Service;c:\programme\HardwareAssistent\HWAssistentService.exe [8/16/2012 3:23 AM 7680]
    S2 JidaN;JidaN;c:\programme\Temp\JidaN.sys [8/16/2012 3:23 AM 30208]
    S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [3/6/2012 1:45 AM 198520]
    S2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2/11/2013 12:07 PM 8192]
    S2 SDImpersonationService;Star Diagnosis Impersonation Service;c:\windows\zak\service.exe [8/16/2012 3:03 AM 94208]
    S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [7/8/2013 5:59 PM 3463080]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys --> c:\windows\system32\DRIVERS\Accelern.sys [?]
    S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/11/2013 12:03 PM 113664]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [2/11/2013 3:03 PM 42432]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2/11/2013 12:05 PM 260864]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/24/2013 5:16 PM 116224]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/9/2013 1:48 PM 48728]
    S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [7/24/2007 11:27 PM 6609920]
    S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [7/11/2012 5:20 PM 6650752]
    S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys --> c:\windows\system32\DRIVERS\vmci.sys [?]
    S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys --> c:\windows\system32\DRIVERS\vmmouse.sys [?]
    S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys --> c:\windows\system32\DRIVERS\vmx_svga.sys [?]
    S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys --> c:\windows\system32\DRIVERS\vmxnet.sys [?]
    S4 oubgschedservice;Online Update BG Scheduling Service;c:\programme\OnlineUpdateBG\schedservicemain.exe [8/16/2012 3:32 AM 208896]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-10-10 c:\windows\Tasks\User_Feed_Synchronization-{DCCAB0E0-E10A-4CD2-83F1-30DB1E240CAC}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://aftersales.I.daimler.com
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com\*.I
    Trusted Zone: dccac.net\www
    Trusted Zone: evobus.com\*
    Trusted Zone: mercedes-amg.com\*
    Trusted Zone: mercedes-benz-mobile.com\www
    Trusted Zone: mercedes-benz.com\ewa-brasil
    Trusted Zone: mercedes-benz.com\retailfactory
    Trusted Zone: mercedes-benz.com\retailfactory2
    Trusted Zone: servicecode.net\*
    Trusted Zone: startekinfo.com\www
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com\*.I
    Trusted Zone: dccac.net\www
    Trusted Zone: mercedes-benz-mobile.com\www
    Trusted Zone: mercedes-benz.com\ewa-brasil
    Trusted Zone: mercedes-benz.com\retailfactory
    Trusted Zone: mercedes-benz.com\retailfactory2
    Trusted Zone: startekinfo.com\www
    TCP: DhcpNameServer = 192.168.0.1 205.171.2.65
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-10-10 15:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.EXE'(1904)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    .
    Completion time: 2013-10-10 15:39:30
    ComboFix-quarantined-files.txt 2013-10-10 22:39
    ComboFix2.txt 2013-10-10 21:10
    .
    Pre-Run: 30,049,660,928 bytes free
    Post-Run: 30,035,226,624 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - B549A9E6927887EDEC6119D25393E967
    6EC1941D54A89E1E2BE42C9D6E601E4E
  21. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\imofugc.sys
    
    Folder::
    
    Driver::
    rjaty
    
    Registry::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  22. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    ComboFix 13-10-09.01 - Star 10/10/2013 18:32:51.3.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3241.2608 [GMT -7:00]
    Running from: c:\documents and settings\Star\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Star\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\drivers\imofugc.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_rjaty
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-09-11 to 2013-10-11 )))))))))))))))))))))))))))))))
    .
    .
    2013-10-09 20:48 . 2013-10-09 20:4848728----a-w-c:\windows\system32\drivers\mbamchameleon.sys
    2013-10-09 18:04 . 2013-10-09 18:04--------d-----w-C:\$AVG
    2013-10-09 17:46 . 2013-10-09 17:46--------d--h--w-c:\documents and settings\All Users\Application Data\Common Files
    2013-10-09 17:45 . 2013-10-10 20:15--------d-----w-c:\windows\system32\drivers\AVG
    2013-10-08 18:13 . 2008-04-22 21:0932384-c--a-w-c:\windows\system32\dllcache\usbccgp.sys
    2013-10-08 18:13 . 2008-04-22 21:0932384----a-w-c:\windows\system32\drivers\usbccgp.sys
    2013-10-07 18:05 . 2013-10-07 18:05--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2013-10-07 18:04 . 2013-10-09 21:32--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-09-19 18:55 . 2013-06-24 23:2817408----a-w-c:\windows\system32\rpcnetp.dll
    2013-09-19 18:55 . 2013-06-24 23:2617408----a-w-c:\windows\system32\rpcnetp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StarInsecure"="c:\windows\StarInsecure\hstart.exe" [2010-07-08 44040]
    "SDprinterConfig"="c:\programme\SDprinterConfig\SDprinterConfig.exe" [2012-05-10 188416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotFixInstaller"="c:\programme\hotfixinst\hotfixinst.exe" [2012-03-07 172032]
    "LaunchComServer"="c:\program files\SDconnect Toolkit\bin\TKTray.exe" [2011-11-02 233112]
    "SDNC"="c:\programme\SDNetControl\SDNC.exe" [2012-04-20 1781760]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-07-12 495708]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-08-16 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-12 145432]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-12 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-12 170008]
    "BWK"="c:\programme\BWK\Startup.lnk" [2012-08-16 1503]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecuteREG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-28 01:1035696----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
    2009-07-07 10:06737280------w-c:\windows\system32\AESTFltr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:0015360----a-w-c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WLAN_Info]
    2008-05-30 00:0369632----a-w-c:\programme\info_WLAN\info.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DefWatch"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/17/2012 12:40 PM 721904]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/2/2010 10:25 AM 17968]
    R2 EWA net DB Core;EWA net DB Core;c:\programme\ewa\database\TransBase EWA\tbmux32.exe [8/17/2012 2:12 PM 326616]
    R2 EWA net DB EPC;EWA net DB EPC;c:\programme\ewa\database\TransBase EPC\tbmux32.exe [8/17/2012 2:14 PM 417792]
    R2 EWA net DB WIS;EWA net DB WIS;c:\programme\ewa\database\TransBase WIS\tbmux32.exe [8/17/2012 2:16 PM 326616]
    R2 EWA net Server;EWA net Server;c:\programme\ewa\server\bin\tomcat.exe [8/17/2012 2:12 PM 65536]
    R2 HWAssistentService;Hardware Assistent Service;c:\programme\HardwareAssistent\HWAssistentService.exe [8/16/2012 3:23 AM 7680]
    R2 JidaN;JidaN;c:\programme\Temp\JidaN.sys [8/16/2012 3:23 AM 30208]
    R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [3/6/2012 1:45 AM 198520]
    R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2/11/2013 12:07 PM 8192]
    R2 SDImpersonationService;Star Diagnosis Impersonation Service;c:\windows\zak\service.exe [8/16/2012 3:03 AM 94208]
    R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [7/8/2013 5:59 PM 3463080]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/11/2013 12:03 PM 113664]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2/11/2013 12:05 PM 260864]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2/11/2013 12:14 PM 41088]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [2/11/2013 12:07 PM 61728]
    R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [2/11/2013 12:07 PM 63976]
    S1 HWiNFO32;HWiNFO32/64 Kernel Driver;\??\c:\docume~1\Star\LOCALS~1\Temp\Mydrivers32.SYS --> c:\docume~1\Star\LOCALS~1\Temp\Mydrivers32.SYS [?]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys --> c:\windows\system32\DRIVERS\Accelern.sys [?]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [2/11/2013 3:03 PM 42432]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/24/2013 5:16 PM 116224]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/9/2013 1:48 PM 48728]
    S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [7/24/2007 11:27 PM 6609920]
    S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [7/11/2012 5:20 PM 6650752]
    S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys --> c:\windows\system32\DRIVERS\vmci.sys [?]
    S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys --> c:\windows\system32\DRIVERS\vmmouse.sys [?]
    S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys --> c:\windows\system32\DRIVERS\vmx_svga.sys [?]
    S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys --> c:\windows\system32\DRIVERS\vmxnet.sys [?]
    S4 oubgschedservice;Online Update BG Scheduling Service;c:\programme\OnlineUpdateBG\schedservicemain.exe [8/16/2012 3:32 AM 208896]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-10-10 c:\windows\Tasks\User_Feed_Synchronization-{DCCAB0E0-E10A-4CD2-83F1-30DB1E240CAC}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://aftersales.I.daimler.com
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com\*.I
    Trusted Zone: dccac.net\www
    Trusted Zone: evobus.com\*
    Trusted Zone: mercedes-amg.com\*
    Trusted Zone: mercedes-benz-mobile.com\www
    Trusted Zone: mercedes-benz.com\ewa-brasil
    Trusted Zone: mercedes-benz.com\retailfactory
    Trusted Zone: mercedes-benz.com\retailfactory2
    Trusted Zone: servicecode.net\*
    Trusted Zone: startekinfo.com\www
    Trusted Zone: daimler.com
    Trusted Zone: daimler.com\*.I
    Trusted Zone: dccac.net\www
    Trusted Zone: mercedes-benz-mobile.com\www
    Trusted Zone: mercedes-benz.com\ewa-brasil
    Trusted Zone: mercedes-benz.com\retailfactory
    Trusted Zone: mercedes-benz.com\retailfactory2
    Trusted Zone: startekinfo.com\www
    TCP: DhcpNameServer = 192.168.0.1 205.171.2.65
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-10-10 18:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.EXE'(404)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2013-10-10 18:38:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-10-11 01:38
    ComboFix2.txt 2013-10-10 22:39
    ComboFix3.txt 2013-10-10 21:10
    .
    Pre-Run: 30,033,031,168 bytes free
    Post-Run: 29,998,891,008 bytes free
    .
    - - End Of File - - 2792870C03E60275E978FC55F974AE2C
    6EC1941D54A89E1E2BE42C9D6E601E4E
  23. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Good :)

    [​IMG] Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    [​IMG] Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    [​IMG] Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  24. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    AdwCleaner, I scanned --> clean --> reboot and didn't get a log in C:\ or popup. I re-scanned and didn't clean and made the report.

    # AdwCleaner v3.007 - Report created 11/10/2013 at 13:11:53
    # Updated 09/10/2013 by Xplode
    # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
    # Username : Star - STAR43715
    # Running from : C:\Documents and Settings\Star\Desktop\adwcleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****


    ***** [ Browsers ] *****

    -\\ Internet Explorer v8.0.6001.18702


    *************************

    AdwCleaner[R0].txt - [1252 octets] - [11/10/2013 13:05:41]
    AdwCleaner[R1].txt - [571 octets] - [11/10/2013 13:11:53]
    AdwCleaner[S0].txt - [1325 octets] - [11/10/2013 13:07:46]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [690 octets] ##########
  25. SsapS

    SsapS Newcomer, in training Topic Starter Posts: 22

    JRT logs

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.0.4 (10.06.2013:1)
    OS: Microsoft Windows XP x86
    Ran by Star on Fri 10/11/2013 at 13:14:10.51
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{16EE8E95-5864-49BC-B2A4-D2073991BBDE}



    ~~~ Files



    ~~~ Folders





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 10/11/2013 at 13:17:04.04
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.