Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.10.12.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
admin :: PICKERS-MANAGER [administrator]
10/12/2012 11:08:16 PM
mbam-log-2012-10-12 (23-08-16).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242797
Time elapsed: 27 minute(s), 32 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Delete on reboot.
F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Delete on reboot.
F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003(2)\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Quarantined and deleted successfully.
F:\WINDOWS\assembly\GAC\Desktop(2).ini (Trojan.0access) -> Quarantined and deleted successfully.
F:\WINDOWS\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-13 02:41:55
Windows 5.1.2600 Service Pack 3
Running: 8g8w7iji.exe; Driver: F:\DOCUME~1\admin\LOCALS~1\Temp\afxdrkoc.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000276094fe4 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000276094fe4
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000276094fe4 (not active ControlSet)
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by admin at 10:04:47 on 2012-10-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1221 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
F:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\msisear.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
F:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
"F:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ca.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://ca.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Nyyfriydvo] "f:\documents and settings\admin\application data\neme\yzfog.exe"
mRun: [zBrowser Launcher] f:\program files\logitech\itouch\iTouch.exe
mRun: [MaxMenuMgr] "f:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [JMB36X Configure] f:\windows\system32\JMRaidTool.exe boot
mRun: [HDAudDeck] f:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [CarboniteSetupLite] "f:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [BrStsWnd] f:\program files\brownie\BrstsWnd.exe Autorun
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATICCC] "f:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [Intuit SyncManager] f:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "f:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [RIMBBLaunchAgent.exe] f:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "f:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "f:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163261152796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164164878500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{1FC109AC-9A4B-4D6F-B252-F015FDA5314A} : NameServer = 192.168.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - f:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - f:\program files\common files\intuit\intu-res.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - f:\program files\turbotax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - f:\program files\turbotax 2011\ic2011pp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - f:\progra~1\window~4\MpShHook.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - f:\windows\system32\rundll32.exe f:\windows\system32\advpack.dll,launchinfsectionex f:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\documents and settings\admin\application data\mozilla\firefox\profiles\sa6yerhj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 0
FF - component: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: f:\documents and settings\admin\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: f:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: f:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: f:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: f:\program files\musicnotes\npmusicn.dll
FF - plugin: f:\program files\musicnotes\NPSibelius.dll
FF - plugin: f:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;f:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 FreeAgentGoNext Service;Seagate Service;f:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 W32Serv;Windows Search Scheduler;f:\windows\msisear.exe [2012-10-12 308224]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;f:\windows\system32\drivers\viahduaa.sys [2009-9-15 845184]
S1 cqgbqjuu;cqgbqjuu;\??\f:\windows\system32\drivers\cqgbqjuu.sys --> f:\windows\system32\drivers\cqgbqjuu.sys [?]
S1 cqhzefuw;cqhzefuw;\??\f:\windows\system32\drivers\cqhzefuw.sys --> f:\windows\system32\drivers\cqhzefuw.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1cabcbf41688628;Google Update Service (gupdate1cabcbf41688628);f:\program files\google\update\GoogleUpdate.exe [2010-3-5 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;f:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 250808]
S3 gupdatem;Google Update Service (gupdatem);f:\program files\google\update\GoogleUpdate.exe [2010-3-5 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;f:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-27 114144]
S3 Netaapl;Apple Mobile Device Ethernet Service;f:\windows\system32\drivers\netaapl.sys [2010-11-18 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-10-13 08:04:30  365056  ----a-w-  f:\documents and settings\admin\bhxzbuegunpttzkdqsvtqwr.exe
2012-10-13 07:53:44  6980552  ----a-w-  f:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{95602e44-6645-42b4-bae5-17e7a74216e4}\mpengine.dll
2012-10-13 03:06:53  --------  d-----w-  f:\documents and settings\admin\application data\Malwarebytes
2012-10-13 03:06:29  --------  d-----w-  f:\documents and settings\all users\application data\Malwarebytes
2012-10-13 03:06:26  22856  ----a-w-  f:\windows\system32\drivers\mbam.sys
2012-10-13 03:06:26  --------  d-----w-  f:\program files\Malwarebytes' Anti-Malware
2012-10-13 02:45:26  --------  d-----w-  f:\documents and settings\admin\application data\FixZeroAccess
2012-10-13 01:45:06  --------  d-----w-  f:\program files\Microsoft Security Client
2012-10-12 20:26:09  308224  ----a-w-  f:\windows\msisear.exe
2012-10-12 19:04:20  --------  d-----w-  f:\program files\Spybot - Search & Destroy
2012-10-12 19:04:19  --------  d-----w-  f:\program files\SpeedyPC Software
2012-10-12 19:04:19  --------  d-----w-  f:\documents and settings\all users\application data\SpeedyPC Software
2012-10-12 17:35:13  --------  d-----w-  f:\windows\system32\wbem\repository\FS
2012-10-12 17:35:13  --------  d-----w-  f:\windows\system32\wbem\Repository
2012-10-11 22:12:02  --------  d-sha-r-  F:\cmdcons
2012-10-11 22:00:23  98816  ----a-w-  f:\windows\sed.exe
2012-10-11 22:00:23  518144  ----a-w-  f:\windows\SWREG.exe
2012-10-11 22:00:23  256000  ----a-w-  f:\windows\PEV.exe
2012-10-11 22:00:23  208896  ----a-w-  f:\windows\MBR.exe
2012-10-11 21:59:15  --------  d-----w-  F:\ComboFix
2012-10-11 21:49:28  256904  ----a-w-  f:\windows\system32\drivers\tmcomm.sys
2012-10-11 21:37:43  --------  d-----w-  f:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-09-20 14:25:21  --------  d-----w-  f:\program files\iPod
2012-09-20 14:25:16  --------  d-----w-  f:\program files\iTunes
2012-09-20 14:25:16  --------  d-----w-  f:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Neme
2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Kukoam
2012-09-19 22:50:22  --------  d-----w-  f:\documents and settings\admin\application data\Ekem
.
==================== Find3M ====================
.
2012-10-08 22:20:37  696760  ----a-w-  f:\windows\system32\FlashPlayerApp.exe
2012-10-08 22:20:36  73656  ----a-w-  f:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 02:03:50  193552  ----a-w-  f:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53  916992  ----a-w-  f:\windows\system32\wininet.dll
2012-08-28 15:14:53  43520  ----a-w-  f:\windows\system32\licmgr10.dll
2012-08-28 15:14:52  1469440  ------w-  f:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15  385024  ----a-w-  f:\windows\system32\html.iec
2012-08-24 13:53:22  177664  ----a-w-  f:\windows\system32\wintrust.dll
2012-08-21 17:01:22  26840  ----a-w-  f:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 17:01:22  106928  ----a-w-  f:\windows\system32\GEARAspi.dll
2012-08-21 13:33:26  2148864  ----a-w-  f:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09  2027520  ----a-w-  f:\windows\system32\ntkrnlpa.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Lexar___ rev.1100 -> Harddisk4\DR9 -> \Device\0000007a
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys USBSTOR.SYS hal.dll usbhub.sys USBPORT.SYS usbehci.sys
1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk4\DR9[0x89CE9A38]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\00000083[0x89E239F8]
5 USBSTOR[0xBA3C0706] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\USBPDO-9[0x89CF13F0]
7 usbhub[0xB9636596] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\USBPDO-4[0x888AF030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
error: Read The parameter is incorrect.
.
============= FINISH: 10:11:34.48 ===============
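Added example, not part of the original post and not a tool from Malwarebytes, GMER or the DDS author: a small Python triage script that re-derives, from the pasted log text alone, the indicators a responder would pull out of the logs above. Its sample input is constructed from lines copied from the MBAM and DDS output in the post (plus three benign lines from the same logs as negative controls). The rule names and the heuristics (a RECYCLER\S-1-5-*\$<32 hex>\ path, the GAC Desktop.ini entries, Run entries launched from a user profile, services whose binary sits directly in the Windows root, is unreadable "[?]", or has no display name distinct from the service name) are this example's own assumptions about what is worth flagging, not anything MBAM or DDS define.

```python
r"""Triage helper for Malwarebytes / DDS style logs (added example, not from the post).

Re-derives from log text the indicators a responder would pull from the post:
COM InProcServer32 entries redirected into RECYCLER\S-1-5-*\$<32 hex>\ (the path
the MBAM log labels 0Access), the GAC Desktop.ini entries, autostarts launched
from a user profile, and services whose binary sits in the Windows root, is
unreadable ("[?]") or has no display name distinct from the service name.
Rule names and heuristics are this example's own, not defined by MBAM or DDS.
"""
import ntpath
import re

# Constructed sample: lines copied from the MBAM and DDS logs in the post,
# plus three benign lines from the same logs as negative controls.
SAMPLE_LOG = r"""
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-18\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003\$7a63ae4b11cb9fc6b0235173aae086c4\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.
F:\RECYCLER\S-1-5-21-515967899-1767777339-725345543-1003(2)\$7a63ae4b11cb9fc6b0235173aae086c4\n (Rootkit.0Access) -> Quarantined and deleted successfully.
F:\WINDOWS\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Nyyfriydvo] "f:\documents and settings\admin\application data\neme\yzfog.exe"
mRun: [MSC] "f:\program files\microsoft security client\msseces.exe" -hide -runkey
R0 MpFilter;Microsoft Malware Protection Driver;f:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 W32Serv;Windows Search Scheduler;f:\windows\msisear.exe [2012-10-12 308224]
S1 cqgbqjuu;cqgbqjuu;\??\f:\windows\system32\drivers\cqgbqjuu.sys --> f:\windows\system32\drivers\cqgbqjuu.sys [?]
"""

# 0Access file path seen above; the optional "(2)" covers the "...-1003(2)" folder.
ZEROACCESS_DIR = re.compile(
    r"\\recycler\\s-1-5-[0-9-]+(?:\(\d+\))?\\\$[0-9a-f]{32}\\", re.IGNORECASE)
GAC_DESKTOP_INI = re.compile(r"\\assembly\\gac\\desktop(?:\(\d+\))?\.ini", re.IGNORECASE)
# MBAM registry data item: {CLSID}\InProcServer32| (name) -> Bad: (x) Good: (y)
COM_REDIRECT = re.compile(
    r"(?P<clsid>\{[0-9a-f-]+\})\\InProcServer32\|?\s*\([^)]*\)\s*->\s*"
    r"Bad:\s*\((?P<bad>[^)]*)\)\s*Good:\s*\((?P<good>[^)]*)\)", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.+)$", re.IGNORECASE)
SERVICE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
WIN_PATH = re.compile(r"[a-z]:\\[^\"\[\]]*?\.(?:exe|sys|dll)", re.IGNORECASE)
BRACKET_INFO = re.compile(r"\[([^\]]*)\]\s*$")
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")


def first_path(text):
    """First drive-letter path ending in .exe/.sys/.dll, lower-cased, or ''."""
    m = WIN_PATH.search(text)
    return m.group(0).lower() if m else ""


def check_line(line):
    """Yield (rule, detail) for every heuristic a single log line trips."""
    m = ZEROACCESS_DIR.search(line)
    if m:
        yield "zeroaccess_recycler_dir", m.group(0)
    m = GAC_DESKTOP_INI.search(line)
    if m:
        yield "gac_desktop_ini", m.group(0)
    m = COM_REDIRECT.search(line)
    if m and ntpath.basename(m["bad"]).lower() != m["good"].lower():
        yield "com_inprocserver32_redirected", f"{m['clsid']} -> {m['bad']} (expected {m['good']})"
    m = RUN_ENTRY.match(line)
    if m:
        exe = first_path(m["target"]) or m["target"].lower()
        if any(d in exe for d in PROFILE_DIRS):
            yield "autorun_from_user_profile", f"[{m['name']}] {exe}"
    m = SERVICE.match(line)
    if m:
        name, display, rest = m["name"].strip(), m["display"].strip(), m["rest"]
        binary = first_path(rest)
        info = BRACKET_INFO.search(rest)
        if info and info.group(1).strip() == "?":
            yield "service_binary_unreadable", f"{name}: {binary or rest}"
        if binary and ntpath.dirname(binary).endswith("\\windows"):
            yield "service_binary_in_windows_root", f"{name}: {binary}"
        if display and display.lower() == name.lower():
            yield "service_name_equals_display", name


def triage(log_text):
    """Run check_line over every line; return a list of finding dicts."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        for rule, detail in check_line(raw.strip()):
            findings.append({"line": lineno, "rule": rule, "detail": detail})
    return findings


def count_by_rule(findings):
    """Histogram of finding rules, e.g. {'zeroaccess_recycler_dir': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {f['rule']:<32} {f['detail']}")
```

Run as-is it prints the findings for the embedded sample; to triage a real log, call `triage(open(path, errors="replace").read())` on the saved DDS or MBAM text. The benign control lines (ctfmon.exe from system32, msseces.exe from Program Files, MpFilter.sys from drivers) produce no findings, while the two InProcServer32 items, the RECYCLER file, the GAC Desktop.ini, the yzfog.exe Run entry, the msisear.exe service in the Windows root, and the cqgbqjuu driver with "[?]" each trip at least one rule. Note that on this host the "user != kernel MBR !!!" result and the `S1` drivers that DDS could not read are exactly the kind of evidence a scanner log cannot resolve by itself; a heuristic pass like this only tells you where to look next.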