and more log files
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
Third log file:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5594
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/24/2011 10:14:55 PM
mbam-log-2011-01-24 (22-14-55).txt
Scan type: Quick scan
Objects scanned: 143216
Time elapsed: 5 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\authorized user\application data\Sun\cetw.txt (Malware.Trace) -> Quarantined and deleted successfully.
Gmer log file:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-24 22:27:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST3160828AS rev.8.04
Running: nkdx6u10.exe; Driver: C:\DOCUME~1\AUTHOR~1\LOCALS~1\Temp\awpoqfow.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8671557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8671557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8671557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8671557B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8671557B
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskST3160828AS_____________________________8.04____#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
DDS log files:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/8/2010 12:27:44 PM
System Uptime: 1/24/2011 10:36:56 PM (0 hours ago)
Motherboard: Dell Inc. | | 0HJ054
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 149 GiB total, 82.992 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: TI Technologies Inc.
Description: RADEON X300 SE 128MB HyperMemory Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 SE 128MB HyperMemory Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Service: ati2mtag
==== System Restore Points ===================
RP286: 10/23/2010 2:21:36 PM - System Checkpoint
RP287: 10/24/2010 1:35:40 PM - Software Distribution Service 3.0
RP288: 10/25/2010 1:46:43 PM - System Checkpoint
RP289: 10/26/2010 3:22:37 PM - Software Distribution Service 3.0
RP290: 10/27/2010 3:44:29 PM - System Checkpoint
RP291: 10/28/2010 3:41:50 PM - Software Distribution Service 3.0
RP292: 10/29/2010 4:39:35 PM - System Checkpoint
RP293: 10/30/2010 12:54:38 PM - Software Distribution Service 3.0
RP294: 10/31/2010 2:29:24 PM - Software Distribution Service 3.0
RP295: 10/31/2010 2:50:40 PM - Software Distribution Service 3.0
RP296: 11/1/2010 4:16:24 PM - System Checkpoint
RP297: 11/2/2010 3:30:12 PM - Software Distribution Service 3.0
RP298: 11/3/2010 4:11:00 PM - System Checkpoint
RP299: 11/4/2010 5:38:30 PM - System Checkpoint
RP300: 11/5/2010 6:12:50 PM - System Checkpoint
RP301: 11/6/2010 12:02:08 PM - Software Distribution Service 3.0
RP302: 11/7/2010 11:35:05 AM - Software Distribution Service 3.0
RP303: 11/7/2010 3:22:41 PM - Software Distribution Service 3.0
RP304: 11/8/2010 3:44:28 PM - System Checkpoint
RP305: 11/8/2010 9:23:24 PM - Software Distribution Service 3.0
RP306: 11/9/2010 4:10:51 PM - Software Distribution Service 3.0
RP307: 11/10/2010 5:07:08 PM - System Checkpoint
RP308: 11/10/2010 10:16:57 PM - Software Distribution Service 3.0
RP309: 11/11/2010 8:32:57 PM - Software Distribution Service 3.0
RP310: 11/14/2010 4:42:37 AM - Software Distribution Service 3.0
RP311: 11/14/2010 2:46:18 PM - Software Distribution Service 3.0
RP312: 11/15/2010 3:04:17 PM - System Checkpoint
RP313: 11/16/2010 3:25:28 PM - Software Distribution Service 3.0
RP314: 11/17/2010 4:43:52 PM - System Checkpoint
RP315: 11/18/2010 10:24:08 AM - Software Distribution Service 3.0
RP316: 11/19/2010 3:21:08 PM - Software Distribution Service 3.0
RP317: 11/20/2010 4:41:51 PM - Software Distribution Service 3.0
RP318: 11/21/2010 3:20:18 PM - Software Distribution Service 3.0
RP319: 11/22/2010 6:19:15 PM - System Checkpoint
RP320: 11/23/2010 11:12:55 AM - Software Distribution Service 3.0
RP321: 11/24/2010 11:53:21 AM - System Checkpoint
RP322: 11/26/2010 8:03:16 AM - Software Distribution Service 3.0
RP323: 11/27/2010 10:01:50 AM - Software Distribution Service 3.0
RP324: 11/28/2010 10:04:49 AM - Software Distribution Service 3.0
RP325: 11/28/2010 3:30:37 PM - Software Distribution Service 3.0
RP326: 11/29/2010 6:25:18 PM - System Checkpoint
RP327: 11/30/2010 3:34:00 PM - Software Distribution Service 3.0
RP328: 12/1/2010 4:29:27 PM - System Checkpoint
RP329: 12/2/2010 4:09:45 PM - Software Distribution Service 3.0
RP330: 12/3/2010 5:11:10 PM - System Checkpoint
RP331: 12/4/2010 2:32:56 PM - Software Distribution Service 3.0
RP332: 12/5/2010 2:34:53 PM - System Checkpoint
RP333: 12/5/2010 3:14:15 PM - Software Distribution Service 3.0
RP334: 12/6/2010 4:46:39 PM - System Checkpoint
RP335: 12/7/2010 9:33:25 AM - Software Distribution Service 3.0
RP336: 12/8/2010 12:57:31 PM - Software Distribution Service 3.0
RP337: 12/8/2010 1:08:59 PM - Installed Connect Service
RP338: 12/9/2010 3:25:43 PM - Software Distribution Service 3.0
RP339: 12/10/2010 4:13:32 PM - System Checkpoint
RP340: 12/11/2010 11:10:11 AM - Software Distribution Service 3.0
RP341: 12/12/2010 12:05:38 PM - System Checkpoint
RP342: 12/12/2010 3:17:51 PM - Software Distribution Service 3.0
RP343: 12/13/2010 5:03:45 PM - System Checkpoint
RP344: 12/14/2010 3:30:41 PM - Software Distribution Service 3.0
RP345: 12/14/2010 11:16:45 PM - Software Distribution Service 3.0
RP346: 12/16/2010 1:20:02 PM - Software Distribution Service 3.0
RP347: 12/17/2010 2:24:15 PM - System Checkpoint
RP348: 12/28/2010 12:47:52 PM - Software Distribution Service 3.0
RP349: 12/29/2010 1:38:37 PM - System Checkpoint
RP350: 12/30/2010 11:34:55 AM - Software Distribution Service 3.0
RP351: 12/31/2010 1:06:51 PM - Software Distribution Service 3.0
RP352: 1/1/2011 2:09:44 PM - System Checkpoint
RP353: 1/2/2011 3:45:15 PM - Software Distribution Service 3.0
RP354: 1/3/2011 6:04:49 PM - System Checkpoint
RP355: 1/4/2011 9:16:20 AM - Software Distribution Service 3.0
RP356: 1/5/2011 10:41:50 AM - Software Distribution Service 3.0
RP357: 1/6/2011 2:18:40 PM - Software Distribution Service 3.0
RP358: 1/6/2011 10:54:45 PM - Software Distribution Service 3.0
RP359: 1/9/2011 5:00:16 PM - Software Distribution Service 3.0
RP360: 1/10/2011 7:04:27 PM - System Checkpoint
RP361: 1/11/2011 3:23:25 PM - Software Distribution Service 3.0
RP362: 1/11/2011 10:13:28 PM - Software Distribution Service 3.0
RP363: 1/13/2011 5:05:28 PM - Software Distribution Service 3.0
RP364: 1/14/2011 5:38:13 PM - System Checkpoint
RP365: 1/15/2011 9:46:24 AM - Software Distribution Service 3.0
RP366: 1/17/2011 11:23:38 AM - Software Distribution Service 3.0
RP367: 1/18/2011 3:30:18 PM - Software Distribution Service 3.0
RP368: 1/19/2011 3:43:34 PM - System Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
AIO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AudibleManager
Bonjour
BufferChm
CCScore
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2
Combined Community Codec Pack 2009-09-09
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Copy
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
eSupportQFolder
F4100
F4100_doccd
F4100_Help
fflink
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 9.0
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Intel(R) PRO Network Connections Drivers
iSEEK AnswerWorks English Runtime
iTunes
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Malwarebytes' Anti-Malware
MarketResearch
McAfee Security Scan Plus
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
netbrdg
OfotoXMI
Picasa 3
PSSWCORE
QuickTime
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SHASTA
SigmaTel Audio
skin0001
SKINXSDK
SolutionCenter
Spybot - Search & Destroy
staticcr
Status
Toolbox
TrayApp
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VideoToolkit01
VPRINTOL
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10 Hotfix - KB895316
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS
Yahoo! BrowserPlus 2.9.8
Yontoo Layers Client 1.10.01
ZENcast Organizer
==== Event Viewer Messages From Past Week ========
1/24/2011 9:14:49 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:49 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7034] - The Check Point VPN-1 Securemote watchdog service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
1/24/2011 9:14:48 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
1/24/2011 9:14:48 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/24/2011 8:21:09 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
1/24/2011 11:44:44 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.2.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/24/2011 10:05:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
1/23/2011 2:15:25 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.2.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
1/23/2011 2:15:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/23/2011 10:15:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.2.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
1/22/2011 9:31:30 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
1/22/2011 8:56:45 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.2.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/22/2011 10:25:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/22/2011 10:25:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/20/2011 6:26:50 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/20/2011 6:17:33 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.4209.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/20/2011 6:17:30 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wimpixo.E&threatid=2147638595 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Wimpixo.E ID: 2147638595 Severity: Severe Category: Trojan Path: Action: Quarantine Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.4209.0, AS: 1.95.4209.0 Engine Version: 1.1.6402.0
1/20/2011 6:15:23 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.4209.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/20/2011 6:09:27 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/20/2011 6:01:54 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/20/2011 3:40:52 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
1/20/2011 3:40:20 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wimpixo.E&threatid=2147638595 User: NT AUTHORITY\SYSTEM Name: Trojan:Win32/Wimpixo.E ID: 2147638595 Severity: Severe Category: Trojan Path: Action: Quarantine Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.4209.0, AS: 1.95.4209.0 Engine Version: 1.1.6402.0
1/19/2011 6:13:27 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/19/2011 6:12:25 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/19/2011 5:16:01 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.4209.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
1/19/2011 5:06:03 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
1/18/2011 9:25:06 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:JS/Obfuscator.AG&threatid=2147641831 User: AUTHORIZ-55F50F\Authorized User Name: VirTool:JS/Obfuscator.AG ID: 2147641831 Severity: Severe Category: Tool Path: Action: Quarantine Error Code: 0x80070020 Error description: The process cannot access the file because it is being used by another process. Status: Signature Version: AV: 1.95.4209.0, AS: 1.95.4209.0 Engine Version: 1.1.6402.0
1/18/2011 3:19:38 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/17/2011 11:15:59 AM, error: Service Control Manager [7034] - The Check Point VPN-1 Securemote service service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
DDS (Ver_10-12-12.02) - NTFSx86
Run by Authorized User at 22:41:33.40 on Mon 01/24/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.326 [GMT -8:00]
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecureClient\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecureClient\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecureClient\bin\SR_GUI.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Authorized User\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265749295359
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {9C3EFB8A-DC20-484B-B905-5E337A988C5D} - hxxp://camera3.dunkirk.wnyric.org/LNetCam.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: ckpNotify - ckpNotify.dll
mASetup: {7789E8E1-682D-43C6-9666-6DF6CE63BF7F} - rundll32.exe "c:\documents and settings\authorized user\application data\sun\uvrqm75.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-6-18 2235760]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl79046bc5;MpKsl79046bc5;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{640fb5cb-1b92-4751-8780-f7bac192405f}\MpKsl79046bc5.sys [2011-1-24 28752]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-6-18 47504]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-6-18 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-6-18 673872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-21 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-01-25 06:37:51 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{640fb5cb-1b92-4751-8780-f7bac192405f}\MpKsl79046bc5.sys
2011-01-25 06:30:02 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{640fb5cb-1b92-4751-8780-f7bac192405f}\mpengine.dll
2011-01-25 05:41:53 -------- d-----w- c:\docume~1\author~1\applic~1\Malwarebytes
2011-01-25 05:40:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-25 05:40:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-25 05:40:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-25 05:40:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-25 04:27:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Chat Republic Games
2011-01-24 20:38:00 58880 ---ha-w- c:\windows\system32\bootysvr.dll
2011-01-21 02:24:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-20 04:31:58 0 ----a-w- c:\windows\Egogifa.bin
2011-01-20 04:31:57 -------- d-----w- c:\docume~1\author~1\locals~1\applic~1\{FB286541-DF68-47C4-98BC-C228C2ED15DF}
2011-01-20 04:31:11 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-20 04:31:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-01-20 04:31:01 -------- d-----w- c:\windows\system32\%APPDATA%
==================== Find3M ====================
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86725735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8672b990]; MOV EAX, [0x8672ba0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8678BAB8]
3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8679A790]
\Driver\atapi[0x867DFF38] -> IRP_MJ_CREATE -> 0x86725735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskST3160828AS_____________________________8.04____#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8672557B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 22:45:18.39 ===============