My work computer has gotten infected, and I'm largely unable to use it for anything. The problems started abruptly about three days ago, though I'm not sure where I got the infection.
It will sometimes take to freezing near constantly, with only about a second of being able to use the mouse before it re-freezes. Behavior like that often culminates in a BSOD. Even if it isn't doing either of those things, I'm having difficulty using the internet, and all search engines I've tried will not load any results but stop loading with a blank page displayed. I am unable to print anything in the office from this computer since the problems started. I've since unplugged it from the office network, perhaps later than I ought to have, since I'm not sure whether problems like this could spread, and I suspect I'm in enough trouble as it is.
There may be other indications that I've not found yet because I haven't been using it much at all since then. (I'm posting this from my personal laptop, which I've been taking to work since the issues started). The work computer didn't have anything but what came standard on it at first.
Before I found this forum, as I was trying to solve the problem myself, I added AVG, MalwareBytes, and Webroot Secure (all transferred by flash, as downloading them with the infected computer isn't working out), and Webroot has detected/ostensibly removed what it informs me is a rootkit infection in a file called Wdf01000.sys many times, with no lasting effects. I also made a stab at doing it manually with no success.
Logs follow.
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7969
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154
2011/10/18 11:58:15 ??
mbam-log-2011-10-18 (11-57-50).txt
Scan type: Quick scan
Objects scanned: 226382
Time elapsed: 11 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\teuser12\AppData\Local\Temp\jar_cache7615848301089221467.tmp (Trojan.Agent) -> No action taken.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-18 12:19:07
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2160BJ_G2 rev.0046001E
Running: ky8tps99.exe; Driver: C:\Users\teuser12\AppData\Local\Temp\kfddqpoc.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 WRkrn.sys (Webroot SecureAnywhere/Webroot)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 WRkrn.sys (Webroot SecureAnywhere/Webroot)
---- Threads - GMER 1.0.15 ----
Thread System [4:548] 8633816D
Thread System [4:1216] 869F1B90
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_20
Run by teuser12 at 12:20:59 on 2011-10-18
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2008.779 [GMT 9:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\netsw\netservc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\DispSw\DispSw.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.vill.tomari.hokkaido.jp/main.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [CAHeadless] c:\program files\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [DispSw] c:\program files\dispsw\DispSw.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{EB44EA71-9E9C-4C93-8352-D761F5F53BCE} : NameServer = 192.168.1.10
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\teuser12\appdata\roaming\mozilla\firefox\profiles\tr2co5s5.default\
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-10-17 106312]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-17 366152]
R2 MobileOptimizer;MobileOptimizer;c:\program files\netsw\NETSERVC.EXE [2009-11-30 61440]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-9-29 4869488]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-2-25 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-2-25 36432]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-9-29 416112]
R2 WRSVC;WRSVC;c:\program files\webroot\WRSA.exe [2011-10-17 599616]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-9-3 223232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-17 22216]
R3 necbatt;Battery Filter Driver;c:\windows\system32\drivers\necbatt.sys [2008-10-27 9216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-2-25 652552]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-9-29 16240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2011-10-18 02:43:24 503864 ----a-w- c:\windows\system32\drivers\IblGBIPG.sys
2011-10-18 02:04:40 503864 ----a-w- c:\windows\system32\drivers\BnLeaunI.sys
2011-10-17 23:24:52 503864 ----a-w- c:\windows\system32\drivers\aCiZaTdV.sys
2011-10-17 07:31:51 503864 ----a-w- c:\windows\system32\drivers\BLSQuUeH.sys
2011-10-17 06:51:06 503864 ----a-w- c:\windows\system32\drivers\ZFqROvIw.sys
2011-10-17 02:41:08 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-17 00:44:09 503864 ----a-w- c:\windows\system32\drivers\euSFqUEp.sys
2011-10-17 00:11:48 140760 ----a-w- c:\windows\system32\WRusr.dll
2011-10-17 00:11:47 106312 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-10-17 00:11:46 -------- d-----w- c:\program files\Webroot
2011-10-17 00:11:45 -------- d-----w- c:\programdata\WRData
2011-10-16 23:44:06 -------- d-----w- c:\users\teuser12\appdata\roaming\Malwarebytes
2011-10-16 23:43:59 -------- d-----w- c:\programdata\Malwarebytes
2011-10-16 23:43:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 23:43:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-14 06:09:03 -------- d-----w- c:\users\teuser12\appdata\local\Mozilla
2011-10-14 04:59:55 -------- d--h--w- C:\$AVG
2011-10-14 04:24:44 -------- d-----w- c:\users\teuser12\appdata\roaming\AVG2012
2011-10-14 04:24:08 -------- d--h--w- c:\programdata\Common Files
2011-10-14 04:22:56 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-14 04:22:56 -------- d-----w- c:\programdata\AVG2012
2011-10-14 04:22:07 -------- d-----w- c:\program files\AVG
2011-10-14 04:16:20 -------- d-----w- c:\programdata\MFAData
2011-10-14 00:24:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-28 23:37:19 -------- d-----w- c:\programdata\AppData
2011-09-28 23:36:02 -------- d-----w- c:\users\teuser12\appdata\roaming\WTablet
2011-09-28 23:36:01 642928 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2011-09-28 23:35:55 -------- d-----w- c:\program files\TabletPlugins
2011-09-28 23:35:30 16240 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-09-28 23:34:55 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-09-28 23:33:26 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-09-28 23:33:24 650096 ----a-w- c:\windows\system32\Pen_Tablet.dll
2011-09-28 23:33:24 506736 ----a-w- c:\windows\system32\Wintab32.dll
2011-09-28 23:33:20 -------- d-----w- c:\program files\Tablet
2011-09-28 23:30:42 -------- d-----w- c:\programdata\Bamboo
.
==================== Find3M ====================
.
2011-10-03 23:21:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-12 21:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-25 16:15:04 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 13:31:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-07-29 16:01:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
.
============= FINISH: 12:25:23.64 ===============
2011-10-14 00:24:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-28 23:37:19 -------- d-----w- c:\programdata\AppData
2011-09-28 23:36:02 -------- d-----w- c:\users\teuser12\appdata\roaming\WTablet
2011-09-28 23:36:01 642928 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2011-09-28 23:35:55 -------- d-----w- c:\program files\TabletPlugins
2011-09-28 23:35:30 16240 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2011-09-28 23:34:55 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2011-09-28 23:33:26 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2011-09-28 23:33:24 650096 ----a-w- c:\windows\system32\Pen_Tablet.dll
2011-09-28 23:33:24 506736 ----a-w- c:\windows\system32\Wintab32.dll
2011-09-28 23:33:20 -------- d-----w- c:\program files\Tablet
2011-09-28 23:30:42 -------- d-----w- c:\programdata\Bamboo
.
==================== Find3M ====================
.
2011-10-03 23:21:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-12 21:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-25 16:15:04 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 13:31:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-07-29 16:01:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
.
============= FINISH: 12:25:23.64 ===============