cant even post
- Thread starter deuce1217
- Start date
- Status
ken545
Emeritus-Security Expert
:snwelcome:
Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Your infected with a ROOTKIT that prevents most security programs from running
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by chaadmin at 14:48:18.03 on Wed 05/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1210 [GMT -5:00]
.
AV: AVG Anti-Virus Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\chaadmin\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chaadmin\applic~1\mozilla\firefox\profiles\p3v07jl6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\chaadmin\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2011-2-16 22312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-3 47640]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-2-2 9344]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-8-11 12192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\toolbarbroker.exe --> c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-16 19:24:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 19:02:43 -------- d-----w- c:\program files\iPod
2011-05-06 19:02:38 -------- d-----w- c:\program files\iTunes
2011-05-06 18:58:43 -------- d-----w- c:\program files\Bonjour
2011-05-05 22:13:58 -------- d-----w- c:\docume~1\chaadmin\applic~1\AVCWare
2011-05-05 22:13:07 -------- d-----w- c:\program files\AVCWare
2011-05-05 22:13:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVCWare
2011-05-04 16:23:18 0 ----a-w- c:\windows\Yhaxu.bin
2011-05-02 17:19:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-02 17:19:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-02 17:19:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-02 17:19:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-02 17:18:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-02 17:18:59 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-02 17:18:59 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-02 17:18:59 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
.
==================== Find3M ====================
.
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.4.AAB -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7886F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a78ea10]; MOV EAX, [0x8a78ea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7CEAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7FA650]
\Driver\atapi[0x8A7D0A08] -> IRP_MJ_CREATE -> 0x8A7886F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A78853B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:50:26.58 ===============
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Your infected with a ROOTKIT that prevents most security programs from running
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by chaadmin at 14:48:18.03 on Wed 05/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1210 [GMT -5:00]
.
AV: AVG Anti-Virus Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\chaadmin\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chaadmin\applic~1\mozilla\firefox\profiles\p3v07jl6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\chaadmin\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2011-2-16 22312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-3 47640]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-2-2 9344]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-8-11 12192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\toolbarbroker.exe --> c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-16 19:24:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 19:02:43 -------- d-----w- c:\program files\iPod
2011-05-06 19:02:38 -------- d-----w- c:\program files\iTunes
2011-05-06 18:58:43 -------- d-----w- c:\program files\Bonjour
2011-05-05 22:13:58 -------- d-----w- c:\docume~1\chaadmin\applic~1\AVCWare
2011-05-05 22:13:07 -------- d-----w- c:\program files\AVCWare
2011-05-05 22:13:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVCWare
2011-05-04 16:23:18 0 ----a-w- c:\windows\Yhaxu.bin
2011-05-02 17:19:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-02 17:19:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-02 17:19:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-02 17:19:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-02 17:18:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-02 17:18:59 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-02 17:18:59 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-02 17:18:59 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
.
==================== Find3M ====================
.
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.4.AAB -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7886F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a78ea10]; MOV EAX, [0x8a78ea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7CEAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7FA650]
\Driver\atapi[0x8A7D0A08] -> IRP_MJ_CREATE -> 0x8A7886F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A78853B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:50:26.58 ===============
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Thanks Ken here is my log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 11:35:00
-----------------------------
11:35:00.996 OS Version: Windows 5.1.2600 Service Pack 3
11:35:01.418 Number of processors: 2 586 0x409
11:35:01.809 ComputerName: CHA-OFFICE UserName: chaadmin
11:35:05.028 Initialize success
11:35:36.012 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:35:36.746 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
11:35:37.246 Device \Driver\atapi -> DriverStartIo 8a79553b
11:35:39.887 Disk 0 MBR read successfully
11:35:40.543 Disk 0 MBR scan
11:35:41.356 Disk 0 TDL4@MBR code has been found
11:35:41.856 Disk 0 Windows XP default MBR code found via API
11:35:42.512 Disk 0 MBR hidden
11:35:43.153 Disk 0 MBR [TDL4] **ROOTKIT**
11:35:43.918 Disk 0 trace - called modules:
11:35:44.496 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a7956f0]<<
11:35:45.934 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7e0ab8]
11:35:46.543 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a7e7d78]
11:35:47.106 \Driver\atapi[0x8a838970] -> IRP_MJ_CREATE -> 0x8a7956f0
11:35:48.059 Scan finished successfully
11:38:07.637 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
11:38:07.965 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 11:35:00
-----------------------------
11:35:00.996 OS Version: Windows 5.1.2600 Service Pack 3
11:35:01.418 Number of processors: 2 586 0x409
11:35:01.809 ComputerName: CHA-OFFICE UserName: chaadmin
11:35:05.028 Initialize success
11:35:36.012 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:35:36.746 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
11:35:37.246 Device \Driver\atapi -> DriverStartIo 8a79553b
11:35:39.887 Disk 0 MBR read successfully
11:35:40.543 Disk 0 MBR scan
11:35:41.356 Disk 0 TDL4@MBR code has been found
11:35:41.856 Disk 0 Windows XP default MBR code found via API
11:35:42.512 Disk 0 MBR hidden
11:35:43.153 Disk 0 MBR [TDL4] **ROOTKIT**
11:35:43.918 Disk 0 trace - called modules:
11:35:44.496 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a7956f0]<<
11:35:45.934 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7e0ab8]
11:35:46.543 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a7e7d78]
11:35:47.106 \Driver\atapi[0x8a838970] -> IRP_MJ_CREATE -> 0x8a7956f0
11:35:48.059 Scan finished successfully
11:38:07.637 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
11:38:07.965 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
ken545
Emeritus-Security Expert
This is what you need to do, Try the Fix for aswMBR first, if the Fix Button ( NOT FIX MBR ) is greyed out than run TDSSKiller
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
Save the log as before and post in your next reply
TDSSKiller if you need it
Please download TDSSKiller.zip
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
Save the log as before and post in your next reply
TDSSKiller if you need it
Please download TDSSKiller.zip
- Extract it to your desktop
- Double click TDSSKiller.exe
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
new log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 12:33:58
-----------------------------
12:33:58.203 OS Version: Windows 5.1.2600 Service Pack 3
12:33:58.203 Number of processors: 2 586 0x409
12:33:58.218 ComputerName: CHA-OFFICE UserName: chaadmin
12:33:59.203 Initialize success
12:34:03.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:34:03.984 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
12:34:06.109 Disk 0 MBR read successfully
12:34:06.187 Disk 0 MBR scan
12:34:06.281 Disk 0 Windows XP default MBR code
12:34:08.390 Disk 0 scanning sectors +156280320
12:34:08.500 Disk 0 scanning C:\WINDOWS\system32\drivers
12:34:15.296 Service scanning
12:34:21.812 Disk 0 trace - called modules:
12:34:21.921 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:34:22.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a795ab8]
12:34:22.109 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a7b5b00]
12:34:22.203 Scan finished successfully
12:36:40.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
12:36:40.578 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 12:43:34
-----------------------------
12:43:34.445 OS Version: Windows 5.1.2600 Service Pack 3
12:43:34.445 Number of processors: 2 586 0x409
12:43:34.445 ComputerName: CHA-OFFICE UserName: chaadmin
12:43:34.963 Initialize success
12:43:38.084 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:43:38.084 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
12:43:40.124 Disk 0 MBR read successfully
12:43:40.124 Disk 0 MBR scan
12:43:40.124 Disk 0 Windows XP default MBR code
12:43:42.132 Disk 0 scanning sectors +156280320
12:43:42.163 Disk 0 scanning C:\WINDOWS\system32\drivers
12:43:51.763 Service scanning
12:43:53.709 Disk 0 trace - called modules:
12:43:53.724 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:43:53.724 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7f9ab8]
12:43:53.724 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a840b00]
12:43:53.724 Scan finished successfully
12:44:22.416 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
12:44:22.463 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 12:33:58
-----------------------------
12:33:58.203 OS Version: Windows 5.1.2600 Service Pack 3
12:33:58.203 Number of processors: 2 586 0x409
12:33:58.218 ComputerName: CHA-OFFICE UserName: chaadmin
12:33:59.203 Initialize success
12:34:03.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:34:03.984 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
12:34:06.109 Disk 0 MBR read successfully
12:34:06.187 Disk 0 MBR scan
12:34:06.281 Disk 0 Windows XP default MBR code
12:34:08.390 Disk 0 scanning sectors +156280320
12:34:08.500 Disk 0 scanning C:\WINDOWS\system32\drivers
12:34:15.296 Service scanning
12:34:21.812 Disk 0 trace - called modules:
12:34:21.921 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:34:22.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a795ab8]
12:34:22.109 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a7b5b00]
12:34:22.203 Scan finished successfully
12:36:40.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
12:36:40.578 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 12:43:34
-----------------------------
12:43:34.445 OS Version: Windows 5.1.2600 Service Pack 3
12:43:34.445 Number of processors: 2 586 0x409
12:43:34.445 ComputerName: CHA-OFFICE UserName: chaadmin
12:43:34.963 Initialize success
12:43:38.084 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:43:38.084 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
12:43:40.124 Disk 0 MBR read successfully
12:43:40.124 Disk 0 MBR scan
12:43:40.124 Disk 0 Windows XP default MBR code
12:43:42.132 Disk 0 scanning sectors +156280320
12:43:42.163 Disk 0 scanning C:\WINDOWS\system32\drivers
12:43:51.763 Service scanning
12:43:53.709 Disk 0 trace - called modules:
12:43:53.724 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:43:53.724 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7f9ab8]
12:43:53.724 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a840b00]
12:43:53.724 Scan finished successfully
12:44:22.416 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\MBR.dat"
12:44:22.463 The log file has been saved successfully to "C:\Documents and Settings\chaadmin\Desktop\aswMBR.txt"
ken545
Emeritus-Security Expert
:bigthumb:
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
combofix log
ComboFix 11-05-22.02 - chaadmin 05/23/2011 13:20:00.19.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1549 [GMT -5:00]
Running from: c:\documents and settings\chaadmin\Desktop\Program Installs\ComboFix.exe
AV: AVG Anti-Virus Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-18 22:54 . 2011-05-18 22:54 -------- d-----w- c:\documents and settings\chaadmin\Local Settings\Application Data\Cisco
2011-05-18 22:50 . 2011-05-18 22:55 -------- d-----w- c:\program files\Cisco
2011-05-18 22:50 . 2011-05-18 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2011-05-18 21:54 . 2011-05-18 21:54 -------- d-----w- c:\program files\ESET
2011-05-18 19:51 . 2011-05-18 19:51 -------- d-----w- c:\program files\ERUNT
2011-05-17 21:02 . 2011-05-20 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-17 21:02 . 2011-05-17 21:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-05-17 21:02 . 2011-05-17 21:02 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-17 21:01 . 2011-05-17 21:02 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 19:24 . 2011-05-16 19:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 16:32 . 2011-05-11 16:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-05-11 14:50 . 2011-05-11 14:50 -------- d-----w- c:\program files\Common Files\Java
2011-05-09 20:55 . 2011-05-09 20:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-06 19:02 . 2011-05-06 19:02 -------- d-----w- c:\program files\iPod
2011-05-06 19:02 . 2011-05-06 19:03 -------- d-----w- c:\program files\iTunes
2011-05-06 18:59 . 2011-05-06 18:59 -------- d-----w- c:\program files\Apple Software Update
2011-05-06 18:58 . 2011-05-06 18:58 -------- d-----w- c:\program files\Bonjour
2011-05-06 17:15 . 2011-05-06 17:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\documents and settings\chaadmin\Application Data\AVCWare
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\program files\AVCWare
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVCWare
2011-05-04 16:23 . 2011-05-04 16:23 0 ----a-w- c:\windows\Yhaxu.bin
2011-05-02 17:19 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-02 17:19 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-02 17:19 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-02 17:19 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-02 17:18 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-02 17:18 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-02 17:18 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-02 17:18 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2009-03-31 23:08 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 05:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 04:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2010-03-31 17:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-04-14 16:26 . 2011-05-02 17:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-05-04_19.42.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 47104 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 60416 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 60928 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 41984 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 41472 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll
+ 2007-11-07 03:51 . 2007-11-07 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll
+ 2007-11-07 03:51 . 2007-11-07 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll
+ 2011-05-23 17:42 . 2011-05-23 17:42 16384 c:\windows\temp\Perflib_Perfdata_5c4.dat
+ 2011-02-11 13:44 . 2011-02-11 13:44 28920 c:\windows\system32\vpnevents.dll
+ 2011-02-11 13:27 . 2011-02-11 13:27 19680 c:\windows\system32\drivers\vpnva.sys
+ 2011-05-06 18:59 . 2011-05-06 18:59 27136 c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
+ 2011-05-18 22:55 . 2011-05-18 22:55 12390 c:\windows\Installer\{80B70B4B-C90C-4938-A956-76F5021DE412}\DART.exe
+ 2011-02-11 13:45 . 2011-02-11 13:45 8952 c:\windows\system32\vpncategories.dll
- 2009-06-10 16:20 . 2010-12-27 22:00 2644 c:\windows\system32\d3d9caps.dat
+ 2009-06-10 16:20 . 2011-05-20 19:23 2644 c:\windows\system32\d3d9caps.dat
+ 2007-11-07 06:19 . 2007-11-07 06:19 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9\atl90.dll
+ 2011-05-16 19:24 . 2011-05-16 19:24 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 157472 c:\windows\system32\javaws.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 157472 c:\windows\system32\javaws.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 145184 c:\windows\system32\javaw.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 145184 c:\windows\system32\javaw.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 145184 c:\windows\system32\java.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 145184 c:\windows\system32\java.exe
+ 2011-01-12 19:03 . 2011-02-03 02:40 472808 c:\windows\system32\deployJava1.dll
- 2011-01-12 19:03 . 2010-11-13 00:53 472808 c:\windows\system32\deployJava1.dll
+ 2011-05-11 14:50 . 2011-05-11 14:50 180224 c:\windows\Installer\dde88.msi
+ 2011-05-06 18:56 . 2011-05-06 18:56 811520 c:\windows\Installer\9d0145.msi
+ 2011-05-18 22:55 . 2011-05-18 22:55 398848 c:\windows\Installer\5a20e8.msi
+ 2011-05-18 22:51 . 2011-05-18 22:51 435712 c:\windows\Installer\5a20e3.msi
+ 2011-05-05 22:13 . 2011-05-05 22:13 228352 c:\windows\Installer\56e40c.msi
+ 2011-05-06 19:04 . 2011-05-17 21:02 380928 c:\windows\Installer\{F59A9E08-A6A4-4ACF-91F2-D0344956C30B}\iTunesIco.exe
+ 2011-05-18 19:51 . 2011-05-18 19:51 409600 c:\windows\ERDNT\5-18-2011\Users\00000002\UsrClass.dat
+ 2011-05-18 19:51 . 2005-10-20 17:02 163328 c:\windows\ERDNT\5-18-2011\ERDNT.EXE
+ 2007-11-07 06:19 . 2007-11-07 06:19 1162744 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90u.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 1156600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90.dll
+ 2010-01-27 01:07 . 2011-05-16 19:24 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-04-14 14:46 . 2011-04-14 14:46 3854848 c:\windows\Installer\dde6f.msp
+ 2011-05-06 19:04 . 2011-05-06 19:04 6523904 c:\windows\Installer\9d0b71.msi
+ 2011-05-06 18:59 . 2011-05-06 18:59 1554944 c:\windows\Installer\9d0199.msi
+ 2011-05-06 18:58 . 2011-05-06 18:58 1984000 c:\windows\Installer\9d0168.msi
+ 2011-05-18 19:51 . 2011-05-18 19:51 9678848 c:\windows\ERDNT\5-18-2011\Users\00000001\NTUSER.DAT
+ 2011-03-13 01:02 . 2011-03-13 01:02 15139328 c:\windows\Installer\dde70.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^chaadmin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\chaadmin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 -c----w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 02:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 02:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 06:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 18:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSoft]
2009-04-20 17:56 31232 ----a-w- c:\combofix\iexplore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-18 18:44 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-18 18:44 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-18 18:44 1657376 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Medisoft\\Bin\\MAPA.EXE"=
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2/16/2011 4:03 PM 22312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/11/2011 8:41 AM 603896]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 5:29 PM 9344]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [8/11/2008 1:40 PM 12192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-940683282-2589845998-2305105441-1117Core.job
- c:\documents and settings\chaadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 20:03]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-940683282-2589845998-2305105441-1117UA.job
- c:\documents and settings\chaadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 20:03]
.
2011-05-23 c:\windows\Tasks\User_Feed_Synchronization-{B66BD46A-3331-4767-AFE7-C0EDB30A6FB7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\chaadmin\Application Data\Mozilla\Firefox\Profiles\p3v07jl6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 13:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-05-23 13:33:10
ComboFix-quarantined-files.txt 2011-05-23 18:32
ComboFix2.txt 2011-05-19 17:12
ComboFix3.txt 2011-05-18 17:57
ComboFix4.txt 2011-05-13 17:08
ComboFix5.txt 2011-05-23 18:15
.
Pre-Run: 11,680,219,136 bytes free
Post-Run: 12,361,932,800 bytes free
.
- - End Of File - - D8B68F09708B1853A9C286A985FF8ABC
ComboFix 11-05-22.02 - chaadmin 05/23/2011 13:20:00.19.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1549 [GMT -5:00]
Running from: c:\documents and settings\chaadmin\Desktop\Program Installs\ComboFix.exe
AV: AVG Anti-Virus Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-18 22:54 . 2011-05-18 22:54 -------- d-----w- c:\documents and settings\chaadmin\Local Settings\Application Data\Cisco
2011-05-18 22:50 . 2011-05-18 22:55 -------- d-----w- c:\program files\Cisco
2011-05-18 22:50 . 2011-05-18 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2011-05-18 21:54 . 2011-05-18 21:54 -------- d-----w- c:\program files\ESET
2011-05-18 19:51 . 2011-05-18 19:51 -------- d-----w- c:\program files\ERUNT
2011-05-17 21:02 . 2011-05-20 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-17 21:02 . 2011-05-17 21:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-05-17 21:02 . 2011-05-17 21:02 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-17 21:01 . 2011-05-17 21:02 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-16 19:24 . 2011-05-16 19:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 16:32 . 2011-05-11 16:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-05-11 14:50 . 2011-05-11 14:50 -------- d-----w- c:\program files\Common Files\Java
2011-05-09 20:55 . 2011-05-09 20:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-06 19:02 . 2011-05-06 19:02 -------- d-----w- c:\program files\iPod
2011-05-06 19:02 . 2011-05-06 19:03 -------- d-----w- c:\program files\iTunes
2011-05-06 18:59 . 2011-05-06 18:59 -------- d-----w- c:\program files\Apple Software Update
2011-05-06 18:58 . 2011-05-06 18:58 -------- d-----w- c:\program files\Bonjour
2011-05-06 17:15 . 2011-05-06 17:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\documents and settings\chaadmin\Application Data\AVCWare
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\program files\AVCWare
2011-05-05 22:13 . 2011-05-05 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVCWare
2011-05-04 16:23 . 2011-05-04 16:23 0 ----a-w- c:\windows\Yhaxu.bin
2011-05-02 17:19 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-02 17:19 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-02 17:19 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-02 17:19 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-02 17:18 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-02 17:18 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-02 17:18 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-02 17:18 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2009-03-31 23:08 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 05:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 04:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2010-03-31 17:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-04-14 16:26 . 2011-05-02 17:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-05-04_19.42.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 47104 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 60416 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 60928 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 41984 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 41472 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll
+ 2007-11-07 03:51 . 2007-11-07 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll
+ 2007-11-07 03:51 . 2007-11-07 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll
+ 2011-05-23 17:42 . 2011-05-23 17:42 16384 c:\windows\temp\Perflib_Perfdata_5c4.dat
+ 2011-02-11 13:44 . 2011-02-11 13:44 28920 c:\windows\system32\vpnevents.dll
+ 2011-02-11 13:27 . 2011-02-11 13:27 19680 c:\windows\system32\drivers\vpnva.sys
+ 2011-05-06 18:59 . 2011-05-06 18:59 27136 c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
+ 2011-05-18 22:55 . 2011-05-18 22:55 12390 c:\windows\Installer\{80B70B4B-C90C-4938-A956-76F5021DE412}\DART.exe
+ 2011-02-11 13:45 . 2011-02-11 13:45 8952 c:\windows\system32\vpncategories.dll
- 2009-06-10 16:20 . 2010-12-27 22:00 2644 c:\windows\system32\d3d9caps.dat
+ 2009-06-10 16:20 . 2011-05-20 19:23 2644 c:\windows\system32\d3d9caps.dat
+ 2007-11-07 06:19 . 2007-11-07 06:19 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9\atl90.dll
+ 2011-05-16 19:24 . 2011-05-16 19:24 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 157472 c:\windows\system32\javaws.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 157472 c:\windows\system32\javaws.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 145184 c:\windows\system32\javaw.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 145184 c:\windows\system32\javaw.exe
+ 2011-05-11 14:49 . 2011-02-03 02:40 145184 c:\windows\system32\java.exe
- 2011-01-12 19:03 . 2010-11-13 00:53 145184 c:\windows\system32\java.exe
+ 2011-01-12 19:03 . 2011-02-03 02:40 472808 c:\windows\system32\deployJava1.dll
- 2011-01-12 19:03 . 2010-11-13 00:53 472808 c:\windows\system32\deployJava1.dll
+ 2011-05-11 14:50 . 2011-05-11 14:50 180224 c:\windows\Installer\dde88.msi
+ 2011-05-06 18:56 . 2011-05-06 18:56 811520 c:\windows\Installer\9d0145.msi
+ 2011-05-18 22:55 . 2011-05-18 22:55 398848 c:\windows\Installer\5a20e8.msi
+ 2011-05-18 22:51 . 2011-05-18 22:51 435712 c:\windows\Installer\5a20e3.msi
+ 2011-05-05 22:13 . 2011-05-05 22:13 228352 c:\windows\Installer\56e40c.msi
+ 2011-05-06 19:04 . 2011-05-17 21:02 380928 c:\windows\Installer\{F59A9E08-A6A4-4ACF-91F2-D0344956C30B}\iTunesIco.exe
+ 2011-05-18 19:51 . 2011-05-18 19:51 409600 c:\windows\ERDNT\5-18-2011\Users\00000002\UsrClass.dat
+ 2011-05-18 19:51 . 2005-10-20 17:02 163328 c:\windows\ERDNT\5-18-2011\ERDNT.EXE
+ 2007-11-07 06:19 . 2007-11-07 06:19 1162744 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90u.dll
+ 2007-11-07 06:19 . 2007-11-07 06:19 1156600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90.dll
+ 2010-01-27 01:07 . 2011-05-16 19:24 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-04-14 14:46 . 2011-04-14 14:46 3854848 c:\windows\Installer\dde6f.msp
+ 2011-05-06 19:04 . 2011-05-06 19:04 6523904 c:\windows\Installer\9d0b71.msi
+ 2011-05-06 18:59 . 2011-05-06 18:59 1554944 c:\windows\Installer\9d0199.msi
+ 2011-05-06 18:58 . 2011-05-06 18:58 1984000 c:\windows\Installer\9d0168.msi
+ 2011-05-18 19:51 . 2011-05-18 19:51 9678848 c:\windows\ERDNT\5-18-2011\Users\00000001\NTUSER.DAT
+ 2011-03-13 01:02 . 2011-03-13 01:02 15139328 c:\windows\Installer\dde70.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^chaadmin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\chaadmin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 -c----w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 02:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 02:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 06:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 18:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSoft]
2009-04-20 17:56 31232 ----a-w- c:\combofix\iexplore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-18 18:44 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-18 18:44 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-18 18:44 1657376 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Medisoft\\Bin\\MAPA.EXE"=
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2/16/2011 4:03 PM 22312]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/11/2011 8:41 AM 603896]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 5:29 PM 9344]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [8/11/2008 1:40 PM 12192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-940683282-2589845998-2305105441-1117Core.job
- c:\documents and settings\chaadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 20:03]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-940683282-2589845998-2305105441-1117UA.job
- c:\documents and settings\chaadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 20:03]
.
2011-05-23 c:\windows\Tasks\User_Feed_Synchronization-{B66BD46A-3331-4767-AFE7-C0EDB30A6FB7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\chaadmin\Application Data\Mozilla\Firefox\Profiles\p3v07jl6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 13:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-05-23 13:33:10
ComboFix-quarantined-files.txt 2011-05-23 18:32
ComboFix2.txt 2011-05-19 17:12
ComboFix3.txt 2011-05-18 17:57
ComboFix4.txt 2011-05-13 17:08
ComboFix5.txt 2011-05-23 18:15
.
Pre-Run: 11,680,219,136 bytes free
Post-Run: 12,361,932,800 bytes free
.
- - End Of File - - D8B68F09708B1853A9C286A985FF8ABC
ken545
Emeritus-Security Expert
Hi,
Please understand, I work at a large Orthopedic Neurosurgeons office in Connecticut , running these programs and scans can sometimes reveal sensitive company data. HIPPA can really cause problems with your posts. I would hate to be responsible if company info was revealed.
I wish you would have read BEFORE YOU POST and been up front with me
If your still experiencing problems than you need to take your computer to a shop and have it fixed
This thread is now closed
Please understand, I work at a large Orthopedic Neurosurgeons office in Connecticut , running these programs and scans can sometimes reveal sensitive company data. HIPPA can really cause problems with your posts. I would hate to be responsible if company info was revealed.
I wish you would have read BEFORE YOU POST and been up front with me
Company computers Safer
The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteer analysts.
When the infection is on a server/company/business machine or in the workplace.
The intention of this forum is not to replace a company's IT department or a private business specialist, helpers cannot anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.
Other considerations:
To prevent possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected. If you are a corporation, small business or institution and neither are available please consider calling in a local technician who can see the machine/network in person.
- Company information may show in the logs.
- More than one machine could be at stake, possibly even the server.
- If sensitive material has been compromised by an infection, the company could be held liable.
It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.
Thank you for your understanding.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Corporate, Government, Small Business or Institutional
Spybot S&D Corporate-Small Business Editions
Please contact our office support so they may provide direct assistance for your needs.
Thank you.
If your still experiencing problems than you need to take your computer to a shop and have it fixed
This thread is now closed
- Status