Active hacking attempts on my computer.

my.computer

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Computer at 18:15:34 on 2011-07-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1162 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Computer\Desktop\dds.com
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\computer\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\computer\appdata\roaming\mozilla\firefox\profiles\24mz2ulb.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsle9659b4b;MpKsle9659b4b;c:\programdata\microsoft\microsoft antimalware\definition updates\{90b60bd4-cc40-48b6-b5bb-3570d355deb5}\MpKsle9659b4b.sys [2011-7-20 28752]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-13 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-19 366640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-6-22 870200]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-29 1153368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-29 22712]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-7-13 8192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-29 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-29 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-29 1343400]
.
=============== Created Last 30 ================
.
2011-07-21 00:55:39 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{90b60bd4-cc40-48b6-b5bb-3570d355deb5}\MpKsle9659b4b.sys
2011-07-21 00:55:10 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{90b60bd4-cc40-48b6-b5bb-3570d355deb5}\mpengine.dll
2011-07-21 00:42:28 -------- d-----w- c:\users\computer\appdata\local\Adobe
2011-07-20 18:36:34 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-20 17:51:21 98816 ----a-w- c:\windows\sed.exe
2011-07-20 17:51:21 518144 ----a-w- c:\windows\SWREG.exe
2011-07-20 17:51:21 256000 ----a-w- c:\windows\PEV.exe
2011-07-20 17:51:21 208896 ----a-w- c:\windows\MBR.exe
2011-07-20 17:51:11 -------- d-----w- C:\Combo-Fix
2011-07-20 17:15:15 -------- d-----w- c:\users\computer\appdata\local\Apple
2011-07-20 17:14:44 -------- d-----w- c:\users\computer\appdata\local\Apple Computer
2011-07-20 02:22:45 -------- d-----w- c:\program files\ESET
2011-07-19 17:31:27 -------- d-----w- c:\program files\iPod
2011-07-19 17:31:26 -------- d-----w- c:\program files\iTunes
2011-07-16 00:26:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-07-16 00:26:05 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-07-16 00:26:05 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-07-16 00:26:04 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-07-16 00:26:04 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-07-16 00:26:03 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-16 00:21:41 2334208 ----a-w- c:\windows\system32\win32k.sys
2011-07-02 04:26:47 -------- d-----w- c:\windows\system32\appmgmt
2011-06-29 15:53:41 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2011-06-29 15:53:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-29 15:53:06 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-29 15:53:03 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-29 15:49:46 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 15:49:42 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-29 15:49:37 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-29 15:49:34 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-29 15:49:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-29 15:49:01 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-27 23:50:13 -------- d-----w- c:\users\computer\appdata\local\Diagnostics
2011-06-23 01:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 02:00:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-03 05:59:23 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-06-03 03:48:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-14 06:30:30 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-05-14 06:23:24 271872 ----a-w- c:\windows\system32\conhost.exe
2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 04:34:43 1549312 ----a-w- c:\windows\system32\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- c:\windows\system32\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- c:\windows\system32\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-05-03 16:08:00 4756216 ----a-w- c:\windows\system32\GameMon.des
2011-04-30 03:15:43 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-04-29 02:46:33 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 02:46:15 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 02:46:10 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:17:36 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-27 02:17:28 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-27 02:17:22 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 04:31:30 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:18:03 338944 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 18:17:05.39 ===============

More details: another program, called Rapport (the Trusteer Rapport program), has reported many incidents of key-logging and blocked cookie access, along with blocked IP addresses, as shown:

"The following IP addresses were tagged as suspicious. When you access a protected website, Rapport checks the IP address against a list of known good addresses for this website. If the address is not found in the list, Rapport replaces it with a known good address for the website. There is no action you need to take."
Jul 20 2011 17:54 IP address 96.6.62.196 doesn't match Santander UK
Jul 20 2011 17:41 IP address 96.6.62.196 doesn't match Santander UK
Jul 20 2011 17:41 IP address 96.6.62.196 doesn't match Santander UK
Jul 19 2011 21:09 IP address 96.6.62.196 doesn't match Santander UK
Jul 15 2011 17:20 IP address 96.6.62.196 doesn't match Santander UK

It has also demonstrated these attempts to screen capture.

Jul 20 2011 17:42 AcroRd32.exe is permanently blocked from capturing sensitive data
Jul 19 2011 16:06 dwm.exe is permanently blocked from capturing sensitive data
Jul 19 2011 10:15 dwm.exe is permanently blocked from capturing sensitive data
Jul 15 2011 09:47 dwm.exe is permanently blocked from capturing sensitive data
Jul 14 2011 21:35 AcroRd32.exe is permanently blocked from capturing sensitive data

I have Malwarebytes' Anti-Malware, Spybot S&D, and an updated Microsoft Security Essentials, all showing no threats. I have downloaded the ESET Online Scanner but haven't scanned with it recently.

I do have a disk image of the system from when it was almost-new.
 
Combofix :oops: :banghead:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Computer at 10:18:00 on 2011-07-27
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1169 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\users\computer\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{AB1A79BD-E2E3-4F7C-A4CC-57FDC7834751} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{AB1A79BD-E2E3-4F7C-A4CC-57FDC7834751} : DhcpNameServer = 192.168.0.1 192.168.0.1
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\computer\appdata\roaming\mozilla\firefox\profiles\24mz2ulb.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 238960]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-6-30 37592]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl7100aae5;MpKsl7100aae5;c:\programdata\microsoft\microsoft antimalware\definition updates\{ceba329a-a064-4604-93e8-0d41ee04a40a}\MpKsl7100aae5.sys [2011-7-27 28752]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-13 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-25 154424]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-6-22 870200]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-29 1153368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2009-7-13 8192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-29 22712]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-29 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-29 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-29 1343400]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-19 366640]
.
=============== Created Last 30 ================
.
2011-07-27 17:06:47 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ceba329a-a064-4604-93e8-0d41ee04a40a}\MpKsl7100aae5.sys
2011-07-26 23:47:09 6881616 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ceba329a-a064-4604-93e8-0d41ee04a40a}\mpengine.dll
2011-07-21 22:39:42 -------- d--h--w- C:\VritualRoot
2011-07-21 22:32:12 -------- d-----w- c:\programdata\Comodo
2011-07-21 22:32:06 -------- d-----w- c:\program files\COMODO
2011-07-21 22:32:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-21 22:32:05 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-07-21 22:32:05 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-07-21 22:31:10 -------- d-----w- c:\programdata\Comodo Downloader
2011-07-21 04:05:25 271872 ----a-w- c:\windows\system32\conhost.exe
2011-07-21 04:05:24 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-21 00:42:28 -------- d-----w- c:\users\computer\appdata\local\Adobe
2011-07-20 18:36:34 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-20 17:51:21 98816 ----a-w- c:\windows\sed.exe
2011-07-20 17:51:21 518144 ----a-w- c:\windows\SWREG.exe
2011-07-20 17:51:21 256000 ----a-w- c:\windows\PEV.exe
2011-07-20 17:51:21 208896 ----a-w- c:\windows\MBR.exe
2011-07-20 17:51:11 -------- d-----w- C:\Combo-Fix
2011-07-20 17:15:15 -------- d-----w- c:\users\computer\appdata\local\Apple
2011-07-20 17:14:44 -------- d-----w- c:\users\computer\appdata\local\Apple Computer
2011-07-20 02:22:45 -------- d-----w- c:\program files\ESET
2011-07-19 17:31:27 -------- d-----w- c:\program files\iPod
2011-07-19 17:31:26 -------- d-----w- c:\program files\iTunes
2011-07-16 00:26:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-07-16 00:26:05 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-07-16 00:26:05 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-07-16 00:26:04 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-07-16 00:26:04 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-07-16 00:26:03 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-16 00:21:41 2334208 ----a-w- c:\windows\system32\win32k.sys
2011-07-02 04:26:47 -------- d-----w- c:\windows\system32\appmgmt
2011-06-30 16:38:06 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-06-30 16:38:04 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-30 16:38:04 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-06-30 16:37:26 285256 ----a-w- c:\windows\system32\guard32.dll
2011-06-29 15:53:41 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2011-06-29 15:53:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-29 15:53:06 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-29 15:53:03 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-29 15:49:46 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 15:49:42 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-29 15:49:37 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-29 15:49:34 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-29 15:49:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-29 15:49:01 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-27 23:50:13 -------- d-----w- c:\users\computer\appdata\local\Diagnostics
.
==================== Find3M ====================
.
2011-07-21 18:03:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-23 01:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-06-03 05:59:23 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-06-03 03:48:32 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-10 15:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 15:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 04:34:43 1549312 ----a-w- c:\windows\system32\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- c:\windows\system32\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- c:\windows\system32\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-05-03 16:08:00 4756216 ----a-w- c:\windows\system32\GameMon.des
2011-04-30 03:15:43 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-04-29 02:46:33 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 02:46:15 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 02:46:10 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
============= FINISH: 10:20:18.74 ===============
 
ComboFix 11-07-20.02 - Computer 07/20/2011 11:27:13.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1401 [GMT -7:00]
Running from: c:\users\Computer\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-20 18:34 . 2011-07-20 18:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-20 18:18 . 2011-07-20 18:18 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{232561FC-3220-4F2C-81CB-0339428A47CA}\MpKslc8994783.sys
2011-07-20 18:08 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{232561FC-3220-4F2C-81CB-0339428A47CA}\mpengine.dll
2011-07-20 17:51 . 2011-07-20 18:05 -------- d-----w- C:\Combo-Fix
2011-07-20 17:15 . 2011-07-20 17:15 -------- d-----w- c:\users\Computer\AppData\Local\Apple
2011-07-20 17:14 . 2011-07-20 17:14 -------- d-----w- c:\users\Computer\AppData\Local\Apple Computer
2011-07-20 02:22 . 2011-07-20 02:22 -------- d-----w- c:\program files\ESET
2011-07-19 17:31 . 2011-07-19 17:31 -------- d-----w- c:\program files\iPod
2011-07-19 17:31 . 2011-07-19 17:32 -------- d-----w- c:\program files\iTunes
2011-07-19 17:24 . 2011-07-19 17:24 -------- d-----w- c:\program files\Apple Software Update
2011-07-16 00:26 . 2011-03-25 02:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-07-16 00:26 . 2011-03-25 02:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-07-16 00:26 . 2011-03-25 02:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-07-16 00:26 . 2011-03-25 02:57 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-07-16 00:26 . 2011-03-25 02:57 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-07-16 00:26 . 2011-03-25 02:58 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-16 00:21 . 2011-06-11 02:29 2334208 ----a-w- c:\windows\system32\win32k.sys
2011-07-02 21:34 . 2011-07-02 21:34 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2011-06-29 15:53 . 2011-06-29 15:53 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2011-06-29 15:53 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-29 15:53 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-29 15:53 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-29 15:49 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 15:49 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-29 15:49 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-29 15:49 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-29 15:49 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-29 15:49 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-27 23:50 . 2011-06-27 23:50 -------- d-----w- c:\users\Computer\AppData\Local\Diagnostics
2011-06-23 01:01 . 2011-06-23 01:01 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-06-20 23:08 . 2011-06-20 23:08 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2011-04-30 02:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-04-30 02:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 02:00 . 2011-05-25 01:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 19:30 . 2011-06-18 19:26 164880 ---ha-w- c:\users\Computer\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2011-06-07 15:55 . 2011-05-29 20:01 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-04 11:52 . 2011-05-26 00:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-03 16:08 . 2011-05-25 01:21 4756216 ----a-w- c:\windows\system32\GameMon.des
2011-04-30 03:15 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-04-30 02:56 . 2011-04-30 02:56 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-30 02:56 . 2011-04-30 02:56 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-30 02:56 . 2011-04-30 02:56 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-30 02:56 . 2011-04-30 02:56 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-30 02:56 . 2011-04-30 02:56 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-30 02:56 . 2011-04-30 02:56 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-30 02:56 . 2011-04-30 02:56 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-30 02:56 . 2011-04-30 02:56 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-30 02:56 . 2011-04-30 02:56 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-30 02:56 . 2011-04-30 02:56 367104 ----a-w- c:\windows\system32\html.iec
2011-04-30 02:56 . 2011-04-30 02:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-30 02:56 . 2011-04-30 02:56 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-30 02:56 . 2011-04-30 02:56 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-30 02:56 . 2011-04-30 02:56 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-30 02:56 . 2011-04-30 02:56 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-30 02:56 . 2011-04-30 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-30 02:56 . 2011-04-30 02:56 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-30 02:56 . 2011-04-30 02:56 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-30 02:56 . 2011-04-30 02:56 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-30 02:13 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-06-16 04:17 . 2011-07-02 04:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
c:\users\Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl5226b7f5;MpKsl5226b7f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DEBC353-3374-4E8C-B9F3-CE861A267D18}\MpKsl5226b7f5.sys [x]
R1 MpKsl6b4ad54e;MpKsl6b4ad54e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CAA1D684-A3DF-47E9-9C41-107891E0346E}\MpKsl6b4ad54e.sys [x]
R1 MpKsl8fc3ebe6;MpKsl8fc3ebe6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{15BBC93F-3A67-4770-B3AE-4B2615F57285}\MpKsl8fc3ebe6.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-05-03 4756216]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-30 1343400]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-23 53816]
S1 MpKslc8994783;MpKslc8994783;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{232561FC-3220-4F2C-81CB-0339428A47CA}\MpKslc8994783.sys [2011-07-20 28752]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [2011-06-14 57144]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-06-23 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-06-23 158904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-23 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]
S3 qic157;qic157;c:\windows\system32\DRIVERS\qic157.sys [2009-07-13 8192]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC8994783
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
FF - ProfilePath - c:\users\Computer\AppData\Roaming\Mozilla\Firefox\Profiles\24mz2ulb.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-20 11:38:17
ComboFix-quarantined-files.txt 2011-07-20 18:38
ComboFix2.txt 2011-07-20 18:05
.
Pre-Run: 205,865,074,688 bytes free
Post-Run: 205,805,924,352 bytes free
.
- - End Of File - - A1E550E659309B8CEC077E2FC87E8FAD
 
Hi,

Look for the ComboFix2.txt file in the c:\combofix or c:\qoobox folder and post back its contents.
 
ComboFix 11-07-20.02 - Computer 07/20/2011 10:53:46.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1105 [GMT -7:00]
Running from: c:\users\Computer\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Computer\Desktop\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-20 18:01 . 2011-07-20 18:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-20 17:15 . 2011-07-20 17:15 -------- d-----w- c:\users\Computer\AppData\Local\Apple
2011-07-20 17:14 . 2011-07-20 17:14 -------- d-----w- c:\users\Computer\AppData\Local\Apple Computer
2011-07-20 17:12 . 2011-07-20 17:12 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A066D19F-5CF7-4154-B83D-CCF84B27AF6A}\MpKslb7cde9e8.sys
2011-07-20 03:50 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A066D19F-5CF7-4154-B83D-CCF84B27AF6A}\mpengine.dll
2011-07-20 02:22 . 2011-07-20 02:22 -------- d-----w- c:\program files\ESET
2011-07-19 17:31 . 2011-07-19 17:31 -------- d-----w- c:\program files\iPod
2011-07-19 17:31 . 2011-07-19 17:32 -------- d-----w- c:\program files\iTunes
2011-07-19 17:24 . 2011-07-19 17:24 -------- d-----w- c:\program files\Apple Software Update
2011-07-16 00:26 . 2011-03-25 02:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-07-16 00:26 . 2011-03-25 02:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-07-16 00:26 . 2011-03-25 02:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-07-16 00:26 . 2011-03-25 02:57 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-07-16 00:26 . 2011-03-25 02:57 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-07-16 00:26 . 2011-03-25 02:58 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-16 00:21 . 2011-06-11 02:29 2334208 ----a-w- c:\windows\system32\win32k.sys
2011-07-02 21:34 . 2011-07-02 21:34 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2011-06-29 15:53 . 2011-06-29 15:53 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2011-06-29 15:53 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-29 15:53 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-29 15:53 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-29 15:49 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 15:49 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-29 15:49 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-29 15:49 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-06-29 15:49 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-29 15:49 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-27 23:50 . 2011-06-27 23:50 -------- d-----w- c:\users\Computer\AppData\Local\Diagnostics
2011-06-23 01:01 . 2011-06-23 01:01 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-06-20 23:08 . 2011-06-20 23:08 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2011-04-30 02:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-04-30 02:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 02:00 . 2011-05-25 01:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 19:30 . 2011-06-18 19:26 164880 ---ha-w- c:\users\Computer\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2011-06-07 15:55 . 2011-05-29 20:01 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-04 11:52 . 2011-05-26 00:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-03 16:08 . 2011-05-25 01:21 4756216 ----a-w- c:\windows\system32\GameMon.des
2011-04-30 03:15 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-04-30 02:56 . 2011-04-30 02:56 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-30 02:56 . 2011-04-30 02:56 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-30 02:56 . 2011-04-30 02:56 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-30 02:56 . 2011-04-30 02:56 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-30 02:56 . 2011-04-30 02:56 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-30 02:56 . 2011-04-30 02:56 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-30 02:56 . 2011-04-30 02:56 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-30 02:56 . 2011-04-30 02:56 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-30 02:56 . 2011-04-30 02:56 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-30 02:56 . 2011-04-30 02:56 367104 ----a-w- c:\windows\system32\html.iec
2011-04-30 02:56 . 2011-04-30 02:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-30 02:56 . 2011-04-30 02:56 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-30 02:56 . 2011-04-30 02:56 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-30 02:56 . 2011-04-30 02:56 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-30 02:56 . 2011-04-30 02:56 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-30 02:56 . 2011-04-30 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-30 02:56 . 2011-04-30 02:56 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-30 02:56 . 2011-04-30 02:56 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-30 02:56 . 2011-04-30 02:56 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-30 02:13 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-06-16 04:17 . 2011-07-02 04:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
c:\users\Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl5226b7f5;MpKsl5226b7f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DEBC353-3374-4E8C-B9F3-CE861A267D18}\MpKsl5226b7f5.sys [x]
R1 MpKsl6b4ad54e;MpKsl6b4ad54e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CAA1D684-A3DF-47E9-9C41-107891E0346E}\MpKsl6b4ad54e.sys [x]
R1 MpKsl8fc3ebe6;MpKsl8fc3ebe6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{15BBC93F-3A67-4770-B3AE-4B2615F57285}\MpKsl8fc3ebe6.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-05-03 4756216]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-30 1343400]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-23 53816]
S1 MpKslb7cde9e8;MpKslb7cde9e8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A066D19F-5CF7-4154-B83D-CCF84B27AF6A}\MpKslb7cde9e8.sys [2011-07-20 28752]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [2011-06-14 57144]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-06-23 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-06-23 158904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-23 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]
S3 qic157;qic157;c:\windows\system32\DRIVERS\qic157.sys [2009-07-13 8192]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 16646382
*NewlyCreated* - MPKSLB7CDE9E8
*Deregistered* - 16646382
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
FF - ProfilePath - c:\users\Computer\AppData\Roaming\Mozilla\Firefox\Profiles\24mz2ulb.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-20 11:05:44
ComboFix-quarantined-files.txt 2011-07-20 18:05
.
Pre-Run: 206,172,999,680 bytes free
Post-Run: 205,830,492,160 bytes free
.
- - End Of File - - ECF49599BE95700157F4D6E568BD031C
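The two ComboFix logs above are read by eye in this thread. As an added example that is not part of the original posts or of ComboFix itself, the Python script below parses the service/driver lines under "Reg Loading Points", the Run key entries and the "Other Services/Drivers In Memory" section of such a log, and flags what a reviewer looks at first: images ComboFix marks [x] (which it prints when it cannot find the file on disk), images that live under user-writable directories, and drivers that appeared and disappeared in memory during the run. The sample input is a handful of lines copied from the logs above; the finding tags, the list of user-writable directories and the regular expressions are this example's own assumptions about the log format, not anything ComboFix documents.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix logs posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
R1 MpKsl5226b7f5;MpKsl5226b7f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DEBC353-3374-4E8C-B9F3-CE861A267D18}\MpKsl5226b7f5.sys [x]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-23 53816]
S1 MpKslb7cde9e8;MpKslb7cde9e8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A066D19F-5CF7-4154-B83D-CCF84B27AF6A}\MpKslb7cde9e8.sys [2011-07-20 28752]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [2011-06-14 57144]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 16646382
*NewlyCreated* - MPKSLB7CDE9E8
*Deregistered* - 16646382
"""

# Line shapes as they appear in the log (assumed, derived from the posted logs):
#   R1 name;display name;c:\path\image.sys [YYYY-MM-DD size]   or   [x]
#   "name"="c:\path\image.exe" [YYYY-MM-DD size]
#   *NewlyCreated* - NAME   /   *Deregistered* - NAME
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<stamp>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]+)\]$')
MEM_RE = re.compile(r'^\*(?P<event>NewlyCreated|Deregistered)\* - (?P<name>\S+)$')

# Directories an ordinary user can write to (assumption for this example);
# a service or driver image under one of these deserves a second look even
# when it turns out to belong to a legitimate product.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\")


@dataclass
class Entry:
    kind: str      # "service" or "run"
    name: str
    path: str
    missing: bool  # True when ComboFix printed [x] instead of a date/size stamp


def parse(log_text):
    """Return (entries, names created in memory, names deregistered in memory)."""
    entries, created, deregistered = [], [], []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := SERVICE_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"], m["stamp"] == "x"))
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], m["stamp"] == "x"))
        elif m := MEM_RE.match(line):
            bucket = created if m["event"] == "NewlyCreated" else deregistered
            bucket.append(m["name"].upper())  # ComboFix upper-cases these names
    return entries, created, deregistered


def triage(log_text):
    """Return (tag, name, reason) findings in the order the entries appear."""
    entries, created, deregistered = parse(log_text)
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.missing:
            findings.append(("MISSING_IMAGE", e.name,
                             "registered load point whose image is not on disk: " + e.path))
        if any(d in low for d in USER_WRITABLE):
            findings.append(("USER_WRITABLE_IMAGE", e.name,
                             "image lives under a user-writable directory: " + e.path))
    known = {e.name.upper() for e in entries}
    for name in created:
        if name in deregistered:
            findings.append(("TRANSIENT_DRIVER", name,
                             "created and deregistered within the same run; "
                             "check which scanner was running at the time"))
        elif name not in known:
            findings.append(("UNREGISTERED_IN_MEMORY", name,
                             "seen in memory but has no service entry in the log"))
    return findings


if __name__ == "__main__":
    for tag, name, why in triage(SAMPLE_LOG):
        print(f"{tag:22} {name:24} {why}")
```

Run against the sample, every flag is explainable from the thread: the MpKsl* entries are the engine support drivers that Microsoft Security Essentials writes under its Definition Updates folder, and the [x] ones are stale registrations left behind by earlier updates; RapportCerberus_26762 belongs to Trusteer Rapport, which is visibly installed; iPodDrv and EagleXNt are load points whose driver files are gone, consistent with removed software rather than anything running. The value of the script is getting a reviewer to that shortlist quickly; the judgement the helper applied in this thread still has to be made on each item.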
 
Hi,

Let's do a scan with GMER.

Download GMER here by clicking the "Download EXE" button and saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan has finished, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply (if the log is long, archive it into a zip file and attach it instead of posting).
 
I'm not sure if the scan was completely finished, TBH.

It stopped there with no indication of anything, but I believe it was the end of the scan.

It's been attached as GMER.zip
 
Hi,

For some reason the attached zip file shows no contents. Could you repost the log, please?
 
Hi,

Upload the log file (non-archived) to this website.

Kindly include a link to this topic in the message.
 
Hi,

Otherwise fine, but I asked for the non-archived log, not the zipped file (which, by the way, appears to be empty again).
 
I'll have to do another GMER scan. (The program is 87q0qufi.exe; that's what GMER downloaded as.)

The unarchived one is downloaded here; I will also upload it to bleepingcomputer with the directions you gave me.
 
Thanks, got the log open this time. Looks OK. Are there any symptoms occurring now?
 
You're welcome :)

I guess this security program just gave me false positives.
That's how it seems since nothing turned up in those scans we made.

Now let's uninstall ComboFix:
  • Click START, then RUN.
  • Now copy-paste Combofix /uninstall into the Run box and click OK.
 