Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.28.05
Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Admin :: ADMIN-PC [administrator]
1/29/2012 1:06:02 AM
mbam-log-2012-01-29 (01-06-02).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 157801
Time elapsed: 2 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-29 12:22:47
Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000057 WDC_WD50 rev.15.0
Running: g5jq1vfi.exe; Driver: C:\Users\Admin\AppData\Local\Temp\aglorpod.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8284D579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82871F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI_HAL \Device\00000040 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp emltdi.sys (Mail Protection Driver./Quick Heal Technologies (P) Ltd.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Admin at 12:24:21 on 2012-01-29
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2815.2277 [GMT 5.5:30]
.
AV: Guardian 12.00 *Enabled/Updated* {7EEA7DF5-117F-E8EF-F91E-8C3E8C27E621}
SP: Guardian 12.00 *Enabled/Updated* {C58B9C11-3745-E761-C3AE-B74CF7A0AC9C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\QUICKH~1\GUARDI~1\SAPISSVC.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\QUICKH~1\GUARDI~1\opssvc.exe
C:\PROGRA~1\QUICKH~1\GUARDI~1\quhlpsvc.exe
C:\PROGRA~1\QUICKH~1\GUARDI~1\scanwscs.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\PROGRA~1\QUICKH~1\GUARDI~1\EMLPROXY.EXE
C:\PROGRA~1\QUICKH~1\GUARDI~1\onlinent.exe
C:\PROGRA~1\QUICKH~1\GUARDI~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\GUARDI~1\scanmsg.exe
C:\Users\Admin\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: QHIEPro Class: {02d6b6b3-5d97-4ede-aac1-4d0be8fe9cd3} - c:\progra~1\quickh~1\guardi~1\qhiepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [googletalk] c:\users\admin\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Quick Heal Core UI] c:\progra~1\quickh~1\guardi~1\strtupap.exe
mRun: [hpfsched] c:\windows\hpfsched.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 109.74.196.50 109.74.196.50
TCP: Interfaces\{90183383-34F0-44AA-BD0F-FC8714D4DA07} : DhcpNameServer = 109.74.196.50 109.74.196.50
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\zavkh523.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2012-1-27 109304]
R2 Core Mail Protection;Core Mail Protection;c:\progra~1\quickh~1\guardi~1\EMLPROXY.EXE [2012-1-27 30168]
R2 Core Scanning Server;Core Scanning Server;c:\progra~1\quickh~1\guardi~1\SAPISSVC.EXE [2012-1-27 58744]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2012-1-27 29304]
R2 Online Protection System;Online Protection System;c:\progra~1\quickh~1\guardi~1\opssvc.exe [2012-1-27 19320]
R2 Quick Update Service;Quick Update Service;c:\progra~1\quickh~1\guardi~1\quhlpsvc.exe [2012-1-27 58744]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2012-1-27 2358656]
S0 mscank;mscank;c:\windows\system32\drivers\mscank.sys [2012-1-27 31808]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S4 ggc;ggc;c:\windows\system32\drivers\ggc.sys [2012-1-27 46456]
.
=============== Created Last 30 ================
.
2012-01-28 19:32:26 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2012-01-28 19:32:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 19:32:20 -------- d-----w- c:\programdata\Malwarebytes
2012-01-28 19:32:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 01:31:47 -------- d-----w- c:\windows\Panther
2012-01-27 16:13:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-27 14:13:19 -------- d-----w- c:\users\admin\appdata\local\Mozilla
2012-01-27 13:57:24 -------- d-----w- c:\program files\HP DeskJet 610C Series
2012-01-27 13:03:46 31808 ----a-w- c:\windows\system32\drivers\mscank.sys
2012-01-27 13:03:37 29304 ----a-w- c:\windows\system32\drivers\EMLTDI.SYS
2012-01-27 13:03:26 109304 ----a-w- c:\windows\system32\drivers\catflt.sys
2012-01-27 13:03:25 -------- d-----w- c:\program files\Quick Heal
2012-01-27 13:02:16 -------- d-----w- c:\windows\system32\gprodat
2012-01-27 13:02:11 46456 ----a-w- c:\windows\system32\drivers\ggc.sys
2012-01-27 12:50:06 -------- d-----w- c:\users\admin\appdata\local\Adobe
2012-01-27 12:47:33 -------- d-----w- c:\windows\PCHEALTH
2012-01-27 12:45:36 -------- d-----w- c:\windows\system32\wbem\Performance
.
==================== Find3M ====================
.
.
============= FINISH: 12:24:57.24 ===============