System check virus/malware

Status
Not open for further replies.

joe1

Sorry, I have not been able to keep up in the last week. I was away on business. I was working with Broni.
 
aswMBR log

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-07 16:51:40
-----------------------------
16:51:40.828 OS Version: Windows 5.1.2600 Service Pack 3
16:51:40.828 Number of processors: 1 586 0x605
16:51:40.828 ComputerName: OWNER-A6A0728C7 UserName: PC
16:51:41.343 Initialize success
16:57:03.281 AVAST engine defs: 12010701
16:57:10.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
16:57:10.125 Disk 0 Vendor: WDC_WD400BD-22LRA0 06.01D06 Size: 38166MB BusType: 3
16:57:10.125 Disk 0 MBR read successfully
16:57:10.125 Disk 0 MBR scan
16:57:10.187 Disk 0 Windows XP default MBR code
16:57:10.187 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
16:57:10.203 Disk 0 scanning sectors +78140160
16:57:10.359 Disk 0 scanning C:\WINDOWS\system32\drivers
16:57:26.937 Service scanning
16:57:27.343 Service MpKsle4661d3d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD454D83-FEB7-49E5-B6A8-3C89E24AC99E}\MpKsle4661d3d.sys **LOCKED** 32
16:57:27.968 Modules scanning
16:57:43.015 Disk 0 trace - called modules:
16:57:43.031 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
16:57:43.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f72ab8]
16:57:43.375 3 CLASSPNP.SYS[f778dfd7] -> nt!IofCallDriver -> \Device\00000066[0x86f769e8]
16:57:43.375 5 ACPI.sys[f7704620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f74d98]
16:57:43.578 AVAST engine scan C:\WINDOWS
16:58:01.640 AVAST engine scan C:\WINDOWS\system32
17:03:50.703 AVAST engine scan C:\WINDOWS\system32\drivers
17:04:14.218 AVAST engine scan C:\Documents and Settings\PC
17:10:30.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PC\Desktop\MBR.dat"
17:10:30.296 The log file has been saved successfully to "C:\Documents and Settings\PC\Desktop\aswMBR.txt"
17:11:54.125 AVAST engine scan C:\Documents and Settings\All Users
17:12:32.312 Scan finished successfully
17:14:20.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PC\Desktop\MBR.dat"
17:14:20.046 The log file has been saved successfully to "C:\Documents and Settings\PC\Desktop\aswMBR.txt"
 
ComboFix log

ComboFix 12-01-13.05 - PC 01/14/2012 11:33:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.407 [GMT -6:00]
Running from: c:\documents and settings\PC\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~WEB63MqHj9Kayd
c:\documents and settings\All Users\Application Data\~WEB63MqHj9Kaydr
c:\documents and settings\All Users\Application Data\WEB63MqHj9Kayd
c:\documents and settings\PC\Start Menu\Programs\System Check
c:\documents and settings\PC\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\PC\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\program files\somototoolbar\vmNTemplatex.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 16:55 . 2012-01-14 16:55 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\MpKsleb7d917f.sys
2012-01-14 16:55 . 2012-01-14 16:55 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\offreg.dll
2012-01-14 16:54 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\mpengine.dll
2012-01-11 18:20 . 2012-01-11 18:20 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\PCHealth
2012-01-11 01:59 . 2011-11-18 12:35 60416 -c----w- c:\windows\system32\dllcache\packager.exe
2012-01-07 22:05 . 2012-01-07 22:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2012-01-02 15:52 . 2012-01-02 15:52 -------- d-----w- c:\documents and settings\PC\Application Data\Malwarebytes
2012-01-02 15:51 . 2012-01-02 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-02 15:51 . 2012-01-02 15:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-02 15:51 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-02 15:27 . 2012-01-02 15:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2012-01-02 11:11 . 2012-01-02 11:11 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-01-02 07:24 . 2012-01-02 07:24 -------- d-----w- c:\program files\Windows Sidebar
2012-01-02 07:24 . 2012-01-02 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-01-02 05:40 . 2011-10-20 04:16 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-01-02 05:17 . 2012-01-02 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-01-02 03:46 . 2012-01-02 05:26 -------- d-----w- c:\documents and settings\Administrator
2012-01-01 14:30 . 2012-01-01 14:30 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2009-11-20 00:45 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2009-11-20 00:45 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-06-06 22:26 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-18 12:35 . 2009-11-20 00:45 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:19 . 2009-11-20 00:45 919552 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:19 . 2009-11-20 00:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:19 . 2009-11-20 00:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 15:28 . 2009-11-20 00:45 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2009-11-20 00:45 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2009-11-20 00:45 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-11-20 00:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 00:22 . 2009-08-04 11:47 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-25 13:34 . 2009-11-20 00:45 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:01 . 2009-11-20 00:45 385024 ----a-w- c:\windows\system32\html.iec
2011-10-18 11:13 . 2009-11-20 00:45 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-20 00:45 . 120CBFAC46EF674CC9169FB33998DDFE . 1526784 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2009-11-20 . 6AE82FE2B77E79E2CD2819599CD75CFB . 557056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2009-11-20 . E7A939813423DCF45BAAA8FAC9BA744D . 637440 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2009-11-20 . F8540FC5FDAD3C3A2E668ACB0BACCE59 . 1552384 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2009-11-20 . BD4559DA4A1DFB15B5453ED7749D6D52 . 363008 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2009-11-20 . 353294EF302509D05AC21CB6B8B60379 . 40448 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
[-] 2009-11-20 . 2790164DE2A0B551BEA90B753836ADBD . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VDrive"="c:\windows\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-11-20 128512]
.
c:\documents and settings\PC\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKsleb7d917f;MpKsleb7d917f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52855492-7AC0-4E6C-8569-AE5C4AAC1DD4}\MpKsleb7d917f.sys [1/14/2012 10:55 AM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/2/2012 9:51 AM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/2/2012 9:51 AM 20464]
S1 MpKsl0b38ed1f;MpKsl0b38ed1f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKsl0b38ed1f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKsl0b38ed1f.sys [?]
S1 MpKsl5e325d77;MpKsl5e325d77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46AB33A-CBD6-4A11-BF2D-72C2E19B7EAA}\MpKsl5e325d77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B46AB33A-CBD6-4A11-BF2D-72C2E19B7EAA}\MpKsl5e325d77.sys [?]
S1 MpKsl74758d61;MpKsl74758d61;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9BA023F-CE7D-4248-8C2B-8EE0DD4D1164}\MpKsl74758d61.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C9BA023F-CE7D-4248-8C2B-8EE0DD4D1164}\MpKsl74758d61.sys [?]
S1 MpKsl7fe88fc4;MpKsl7fe88fc4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32DEF126-F08F-4402-B4E7-8CD649A78DBB}\MpKsl7fe88fc4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32DEF126-F08F-4402-B4E7-8CD649A78DBB}\MpKsl7fe88fc4.sys [?]
S1 MpKslb7e8359f;MpKslb7e8359f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35FAE25C-0708-493F-BDC7-E2C5962C0C94}\MpKslb7e8359f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35FAE25C-0708-493F-BDC7-E2C5962C0C94}\MpKslb7e8359f.sys [?]
S1 MpKslbb6b56ee;MpKslbb6b56ee;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKslbb6b56ee.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{91B874DE-91E6-41FF-9234-6BBE5BA99A64}\MpKslbb6b56ee.sys [?]
S1 MpKsldfd46d92;MpKsldfd46d92;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0C3EEFD-ED79-48E7-92E5-2E20D419A2D9}\MpKsldfd46d92.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0C3EEFD-ED79-48E7-92E5-2E20D419A2D9}\MpKsldfd46d92.sys [?]
S1 MpKslff719e9b;MpKslff719e9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9AC08EE7-4F02-4881-A227-04E7924811B4}\MpKslff719e9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9AC08EE7-4F02-4881-A227-04E7924811B4}\MpKslff719e9b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/19/2009 6:45 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLEB7D917F
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{FBCB5476-CA84-434C-96C3-65A8F21BCE1E}.job
- c:\windows\system32\msfeedssync.exe [2009-11-20 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\9af9h8v2.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 11:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2012-01-14 11:40:39
ComboFix-quarantined-files.txt 2012-01-14 17:40
.
Pre-Run: 11,006,865,408 bytes free
Post-Run: 11,366,260,736 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3290295D51A1E1498A8D55D8C265BCE1
 