TechSpot

System check virus/malware

By joe1
Jan 14, 2012
  1. Sorry I have not been able to keep up in the last week. I was away on business. I was working with Broni.
     
  2. joe1

    joe1 TS Rookie Topic Starter Posts: 19

    aswMBR log

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-07 16:51:40
    -----------------------------
    16:51:40.828 OS Version: Windows 5.1.2600 Service Pack 3
    16:51:40.828 Number of processors: 1 586 0x605
    16:51:40.828 ComputerName: OWNER-A6A0728C7 UserName: PC
    16:51:41.343 Initialize success
    16:57:03.281 AVAST engine defs: 12010701
    16:57:10.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    16:57:10.125 Disk 0 Vendor: WDC_WD400BD-22LRA0 06.01D06 Size: 38166MB BusType: 3
    16:57:10.125 Disk 0 MBR read successfully
    16:57:10.125 Disk 0 MBR scan
    16:57:10.187 Disk 0 Windows XP default MBR code
    16:57:10.187 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
    16:57:10.203 Disk 0 scanning sectors +78140160
    16:57:10.359 Disk 0 scanning C:\WINDOWS\system32\drivers
    16:57:26.937 Service scanning
    16:57:27.343 Service MpKsle4661d3d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD454D83-FEB7-49E5-B6A8-3C89E24AC99E}\MpKsle4661d3d.sys **LOCKED** 32
    16:57:27.968 Modules scanning
    16:57:43.015 Disk 0 trace - called modules:
    16:57:43.031 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
    16:57:43.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f72ab8]
    16:57:43.375 3 CLASSPNP.SYS[f778dfd7] -> nt!IofCallDriver -> \Device\00000066[0x86f769e8]
    16:57:43.375 5 ACPI.sys[f7704620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f74d98]
    16:57:43.578 AVAST engine scan C:\WINDOWS
    16:58:01.640 AVAST engine scan C:\WINDOWS\system32
    17:03:50.703 AVAST engine scan C:\WINDOWS\system32\drivers
    17:04:14.218 AVAST engine scan C:\Documents and Settings\PC
    17:10:30.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PC\Desktop\MBR.dat"
    17:10:30.296 The log file has been saved successfully to "C:\Documents and Settings\PC\Desktop\aswMBR.txt"
    17:11:54.125 AVAST engine scan C:\Documents and Settings\All Users
    17:12:32.312 Scan finished successfully
    17:14:20.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PC\Desktop\MBR.dat"
    17:14:20.046 The log file has been saved successfully to "C:\Documents and Settings\PC\Desktop\aswMBR.txt"
     
  3. joe1

    joe1 TS Rookie Topic Starter Posts: 19

    ComboFix log

    ComboFix 12-01-13.05 - PC 01/14/2012 11:33:23.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.407 [GMT -6:00]
    Running from: c:\documents and settings\PC\My Documents\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\~WEB63MqHj9Kayd
    c:\documents and settings\All Users\Application Data\~WEB63MqHj9Kaydr
    c:\documents and settings\All Users\Application Data\WEB63MqHj9Kayd
    c:\documents and settings\PC\Start Menu\Programs\System Check
    c:\documents and settings\PC\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\PC\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\program files\Mozilla Firefox\searchplugins\search.xml
    c:\program files\somototoolbar\vmNTemplatex.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-14 16:55 . 2012-01-14 16:55 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\MpKsleb7d917f.sys
    2012-01-14 16:55 . 2012-01-14 16:55 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\offreg.dll
    2012-01-14 16:54 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\mpengine.dll
    2012-01-11 18:20 . 2012-01-11 18:20 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\PCHealth
    2012-01-11 01:59 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
    2012-01-07 22:05 . 2012-01-07 22:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
    2012-01-02 15:52 . 2012-01-02 15:52 -------- d-----w- c:\documents and settings\PC\Application Data\Malwarebytes
    2012-01-02 15:51 . 2012-01-02 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-02 15:51 . 2012-01-02 15:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-02 15:51 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 15:27 . 2012-01-02 15:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2012-01-02 11:11 . 2012-01-02 11:11 -------- d-----w- c:\windows\system32\N360_BACKUP
    2012-01-02 07:24 . 2012-01-02 07:24 -------- d-----w- c:\program files\Windows Sidebar
    2012-01-02 07:24 . 2012-01-02 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2012-01-02 05:40 . 2011-10-20 04:16 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-01-02 05:17 . 2012-01-02 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2012-01-02 03:46 . 2012-01-02 05:26 -------- d-----w- c:\documents and settings\Administrator
    2012-01-01 14:30 . 2012-01-01 14:30 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-25 21:57 . 2009-11-20 00:45 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:29 . 2009-11-20 00:45 1868544 ----a-w- c:\windows\system32\win32k.sys
    2011-11-21 10:47 . 2011-06-06 22:26 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-11-18 12:35 . 2009-11-20 00:45 60416 ----a-w- c:\windows\system32\packager.exe
    2011-11-04 19:19 . 2009-11-20 00:45 919552 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:19 . 2009-11-20 00:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:19 . 2009-11-20 00:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 15:28 . 2009-11-20 00:45 386048 ----a-w- c:\windows\system32\qdvd.dll
    2011-11-03 15:28 . 2009-11-20 00:45 1292288 ----a-w- c:\windows\system32\quartz.dll
    2011-11-01 16:07 . 2009-11-20 00:45 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2009-11-20 00:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-26 00:22 . 2009-08-04 11:47 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-25 13:34 . 2009-11-20 00:45 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:01 . 2009-11-20 00:45 385024 ----a-w- c:\windows\system32\html.iec
    2011-10-18 11:13 . 2009-11-20 00:45 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-11-20 00:45 . 120CBFAC46EF674CC9169FB33998DDFE . 1526784 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
    .
    [-] 2009-11-20 . 6AE82FE2B77E79E2CD2819599CD75CFB . 557056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    .
    [-] 2009-11-20 . E7A939813423DCF45BAAA8FAC9BA744D . 637440 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    .
    [-] 2009-11-20 . F8540FC5FDAD3C3A2E668ACB0BACCE59 . 1552384 . . [6.00.2900.5634] . . c:\windows\explorer.exe
    .
    [-] 2009-11-20 . BD4559DA4A1DFB15B5453ED7749D6D52 . 363008 . . [5.1.2600.5512] . . c:\windows\regedit.exe
    .
    [-] 2009-11-20 . 353294EF302509D05AC21CB6B8B60379 . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
    .
    [-] 2009-11-20 . 2790164DE2A0B551BEA90B753836ADBD . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VDrive"="c:\windows\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
    "RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-11-20 128512]
    .
    c:\documents and settings\PC\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSMHelp"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 MpKsleb7d917f;MpKsleb7d917f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\MpKsleb7d917f.sys [1/14/2012 10:55 AM 29904]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/2/2012 9:51 AM 652872]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/2/2012 9:51 AM 20464]
    S1 MpKsl0b38ed1f;MpKsl0b38ed1f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKsl0b38ed1f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKsl0b38ed1f.sys [?]
    S1 MpKsl5e325d77;MpKsl5e325d77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46AB33A-CBD6-4A11-BF2D-72C2E19B7EAA}\MpKsl5e325d77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46AB33A-CBD6-4A11-BF2D-72C2E19B7EAA}\MpKsl5e325d77.sys [?]
    S1 MpKsl74758d61;MpKsl74758d61;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9BA023F-CE7D-4248-8C2B-8EE0DD4D1164}\MpKsl74758d61.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9BA023F-CE7D-4248-8C2B-8EE0DD4D1164}\MpKsl74758d61.sys [?]
    S1 MpKsl7fe88fc4;MpKsl7fe88fc4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32DEF126-F08F-4402-B4E7-8CD649A78DBB}\MpKsl7fe88fc4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32DEF126-F08F-4402-B4E7-8CD649A78DBB}\MpKsl7fe88fc4.sys [?]
    S1 MpKslb7e8359f;MpKslb7e8359f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35FAE25C-0708-493F-BDC7-E2C5962C0C94}\MpKslb7e8359f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35FAE25C-0708-493F-BDC7-E2C5962C0C94}\MpKslb7e8359f.sys [?]
    S1 MpKslbb6b56ee;MpKslbb6b56ee;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKslbb6b56ee.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKslbb6b56ee.sys [?]
    S1 MpKsldfd46d92;MpKsldfd46d92;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0C3EEFD-ED79-48E7-92E5-2E20D419A2D9}\MpKsldfd46d92.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0C3EEFD-ED79-48E7-92E5-2E20D419A2D9}\MpKsldfd46d92.sys [?]
    S1 MpKslff719e9b;MpKslff719e9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9AC08EE7-4F02-4881-A227-04E7924811B4}\MpKslff719e9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9AC08EE7-4F02-4881-A227-04E7924811B4}\MpKslff719e9b.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/19/2009 6:45 PM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLEB7D917F
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2012-01-13 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
    .
    2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{FBCB5476-CA84-434C-96C3-65A8F21BCE1E}.job
    - c:\windows\system32\msfeedssync.exe [2009-11-20 00:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\9af9h8v2.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-14 11:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(788)
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\COMRes.dll
    c:\windows\system32\cscui.dll
    .
    - - - - - - - > 'lsass.exe'(844)
    c:\windows\system32\SETUPAPI.dll
    .
    Completion time: 2012-01-14 11:40:39
    ComboFix-quarantined-files.txt 2012-01-14 17:40
    .
    Pre-Run: 11,006,865,408 bytes free
    Post-Run: 11,366,260,736 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 3290295D51A1E1498A8D55D8C265BCE1
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36
