Jump to content
PC Matic Support Scams ×

sambora1984

Advanced Member
 View Profile  See their activity

  • Content Count

    1,198

  • Joined

  • Last visited

About sambora1984

  • Rank
    Have a Nice Day!
  • Birthday 05/19/1984

Contact Methods

Profile Information

  • Location
    Scotland

Previous Fields

  • Teams:
    PC Builders Club
  1. sambora1984
    Hi Conspire, Thanks for all your help trying to sort this one. I guess it won't do any harm to start the machine from fresh anyway...it will keep me busy for half a day! Thanks again, Sambora1984
  2. sambora1984
    Hi Conspire, Ok made sure it was the right file name this time sorry about that! Thanks ComboFix 11-05-23.02 - Ishbel 24/05/2011 19:58:26.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.982 [GMT 1:00] Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScript.txt FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . FILE :: "c:\windows\Explorermgr.exe" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\Explorermgr.exe . Infected copy of c:\windows\system32\kernel32.dll was found and disinfected Restored copy from - c:\windows\ERDNT\cache\kernel32.dll . . ((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 ))))))))))))))))))))))))))))))) . . 2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro 2011-05-07 15:52 . 2011-05-24 19:06 -------- d-----w- c:\program files\ddbndqyl . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] 2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112] "%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll . [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start] 2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] 2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] 2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] 2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= . R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-05-22 c:\windows\Tasks\WebReg Photosmart C4100 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\ FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-24 20:09 Windows 5.1.2600 Service Pack 3 NTFS . detected NTDLL code modification: ZwQueryDirectoryFile . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable C:\ljsaqqic.exe 166256 bytes executable . scan completed successfully hidden files: 2 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'lsass.exe'(880) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'explorer.exe'(2960) c:\windows\system32\WININET.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ZoneLabs\vsmon.exe c:\program files\Common Files\AOL\ACS\AOLAcsd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\windows\system32\HPZipm12.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\PC Connectivity Solution\ServiceLayer.exe . ************************************************************************** . Completion time: 2011-05-24 20:16:27 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-24 19:16 ComboFix2.txt 2011-05-23 17:52 ComboFix3.txt 2011-05-20 21:12 ComboFix4.txt 2011-05-19 17:25 . Pre-Run: 51,658,248,192 bytes free Post-Run: 51,637,104,640 bytes free . - - End Of File - - 9EE09893BE94B16D0FC2CB02D23A3083
  3. sambora1984
    Hi again, here are the results from the latest run of ComboFix as requested... thanks ComboFix 11-05-18.04 - Ishbel 23/05/2011 18:31:28.3.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.946 [GMT 1:00] Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScriptv2.txt FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} * Created a new restore point . . ((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 ))))))))))))))))))))))))))))))) . . 2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro 2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe 2011-05-07 15:52 . 2011-05-20 20:38 -------- d-----w- c:\program files\ddbndqyl 2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] 2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112] "%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll . [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start] 2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] 2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] 2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] 2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= . R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-05-22 c:\windows\Tasks\WebReg Photosmart C4100 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\ FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-23 18:42 Windows 5.1.2600 Service Pack 3 NTFS . detected NTDLL code modification: ZwQueryDirectoryFile . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable C:\ljsaqqic.exe 166256 bytes executable . scan completed successfully hidden files: 2 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'lsass.exe'(880) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'explorer.exe'(2796) c:\windows\system32\WININET.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . Completion time: 2011-05-23 18:52:44 ComboFix-quarantined-files.txt 2011-05-23 17:52 ComboFix2.txt 2011-05-20 21:12 ComboFix3.txt 2011-05-19 17:25 . Pre-Run: 51,856,650,240 bytes free Post-Run: 51,864,117,248 bytes free . - - End Of File - - F1EA4BFB19781AC746624A6E3E39F02A
  4. sambora1984
    Hi, Couldn't download from link again but managed to send it via email from another machine! Thanks aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software Run date: 2011-05-22 16:03:45 ----------------------------- 16:03:45.109 OS Version: Windows 5.1.2600 Service Pack 3 16:03:45.109 Number of processors: 1 586 0x401 16:03:45.109 ComputerName: EMMA UserName: 16:03:46.375 Initialize success 16:04:14.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 16:04:14.515 Disk 0 Vendor: SAMSUNG_SP0802N TK200-04 Size: 76351MB BusType: 3 16:04:16.531 Disk 0 MBR read successfully 16:04:16.546 Disk 0 MBR scan 16:04:16.546 Disk 0 unknown MBR code 16:04:18.578 Disk 0 scanning sectors +156340800 16:04:18.593 Disk 0 scanning C:\WINDOWS\system32\drivers 16:04:24.515 Service scanning 16:04:25.703 Disk 0 trace - called modules: 16:04:25.718 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 16:04:25.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a58dab8] 16:04:25.781 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a571130] 16:04:25.781 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5b9d98] 16:04:25.781 Scan finished successfully 16:04:39.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\MBR.dat" 16:04:39.484 The log file has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\aswMBR.txt"
  5. sambora1984
    Hi there, Scan doesn't appear to have found anything. Forgot to say I've had trouble open the first two links of the virus file scanners you posted and as well I couldn't access this TDSSKiller link (had to use previous download of the program)...is this a concern? Also noticed a system tray notification style box popped up yesterday saying malicious software was not completed removed...click here to resolve. I decided not to in case it was false although the first screen of it suggested it was a Microsoft thing...wasn't convinced by it though. Thanks 2011/05/21 18:42:14.0343 2828 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29 2011/05/21 18:42:15.0406 2828 ================================================================================ 2011/05/21 18:42:15.0406 2828 SystemInfo: 2011/05/21 18:42:15.0406 2828 2011/05/21 18:42:15.0406 2828 OS Version: 5.1.2600 ServicePack: 3.0 2011/05/21 18:42:15.0406 2828 Product type: Workstation 2011/05/21 18:42:15.0406 2828 ComputerName: EMMA 2011/05/21 18:42:15.0406 2828 UserName: Ishbel 2011/05/21 18:42:15.0406 2828 Windows directory: C:\WINDOWS 2011/05/21 18:42:15.0406 2828 System windows directory: C:\WINDOWS 2011/05/21 18:42:15.0406 2828 Processor architecture: Intel x86 2011/05/21 18:42:15.0406 2828 Number of processors: 1 2011/05/21 18:42:15.0406 2828 Page size: 0x1000 2011/05/21 18:42:15.0406 2828 Boot type: Normal boot 2011/05/21 18:42:15.0406 2828 ================================================================================ 2011/05/21 18:42:15.0687 2828 Initialize success 2011/05/21 18:42:22.0046 2764 ================================================================================ 2011/05/21 18:42:22.0046 2764 Scan started 2011/05/21 18:42:22.0046 2764 Mode: Manual; 2011/05/21 18:42:22.0046 2764 ================================================================================ 2011/05/21 18:42:23.0281 2764 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2011/05/21 18:42:23.0515 2764 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2011/05/21 18:42:23.0953 2764 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2011/05/21 18:42:24.0140 2764 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys 2011/05/21 18:42:24.0328 2764 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys 2011/05/21 18:42:24.0531 2764 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 2011/05/21 18:42:25.0109 2764 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2011/05/21 18:42:25.0609 2764 AR5523 (92637b97f57c1669d521a54482c4579c) C:\WINDOWS\system32\DRIVERS\WG11TND5.sys 2011/05/21 18:42:25.0796 2764 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2011/05/21 18:42:26.0281 2764 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2011/05/21 18:42:26.0453 2764 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2011/05/21 18:42:26.0734 2764 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2011/05/21 18:42:26.0890 2764 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2011/05/21 18:42:27.0062 2764 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2011/05/21 18:42:27.0296 2764 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2011/05/21 18:42:27.0484 2764 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 2011/05/21 18:42:27.0718 2764 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2011/05/21 18:42:27.0859 2764 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2011/05/21 18:42:28.0046 2764 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys 2011/05/21 18:42:28.0218 2764 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2011/05/21 18:42:29.0015 2764 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2011/05/21 18:42:29.0234 2764 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2011/05/21 18:42:29.0453 2764 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2011/05/21 18:42:29.0640 2764 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2011/05/21 18:42:29.0812 2764 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2011/05/21 18:42:29.0984 2764 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS 2011/05/21 18:42:30.0250 2764 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2011/05/21 18:42:30.0531 2764 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2011/05/21 18:42:30.0796 2764 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2011/05/21 18:42:30.0968 2764 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2011/05/21 18:42:31.0140 2764 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2011/05/21 18:42:31.0312 2764 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2011/05/21 18:42:31.0500 2764 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 2011/05/21 18:42:31.0703 2764 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2011/05/21 18:42:31.0875 2764 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2011/05/21 18:42:32.0000 2764 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 2011/05/21 18:42:32.0125 2764 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2011/05/21 18:42:32.0328 2764 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2011/05/21 18:42:32.0671 2764 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys 2011/05/21 18:42:32.0843 2764 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 2011/05/21 18:42:33.0015 2764 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys 2011/05/21 18:42:33.0171 2764 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/05/21 18:42:33.0593 2764 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/05/21 18:42:33.0765 2764 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 2011/05/21 18:42:33.0937 2764 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/05/21 18:42:34.0250 2764 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/05/21 18:42:34.0421 2764 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/05/21 18:42:34.0593 2764 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/05/21 18:42:34.0750 2764 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/05/21 18:42:34.0937 2764 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/05/21 18:42:35.0109 2764 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/05/21 18:42:35.0296 2764 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/05/21 18:42:35.0484 2764 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/05/21 18:42:35.0671 2764 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/05/21 18:42:35.0781 2764 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 2011/05/21 18:42:35.0968 2764 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys 2011/05/21 18:42:36.0140 2764 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/05/21 18:42:36.0296 2764 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2011/05/21 18:42:36.0468 2764 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/05/21 18:42:36.0703 2764 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/05/21 18:42:36.0875 2764 lanusb (73f6efd2a2315af34f7872559686c471) C:\WINDOWS\system32\DRIVERS\glausb.sys 2011/05/21 18:42:37.0203 2764 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys 2011/05/21 18:42:37.0375 2764 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys 2011/05/21 18:42:37.0625 2764 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 2011/05/21 18:42:37.0796 2764 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys 2011/05/21 18:42:38.0015 2764 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/05/21 18:42:38.0187 2764 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/05/21 18:42:38.0343 2764 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/05/21 18:42:38.0484 2764 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/05/21 18:42:38.0656 2764 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/05/21 18:42:38.0921 2764 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/05/21 18:42:39.0093 2764 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/05/21 18:42:39.0312 2764 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/05/21 18:42:39.0500 2764 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/05/21 18:42:39.0671 2764 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/05/21 18:42:39.0828 2764 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/05/21 18:42:40.0015 2764 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/05/21 18:42:40.0171 2764 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/05/21 18:42:40.0328 2764 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/05/21 18:42:40.0484 2764 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/05/21 18:42:40.0671 2764 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/05/21 18:42:40.0843 2764 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/05/21 18:42:41.0000 2764 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/05/21 18:42:41.0187 2764 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/05/21 18:42:41.0390 2764 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/05/21 18:42:41.0609 2764 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/05/21 18:42:41.0875 2764 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/05/21 18:42:42.0140 2764 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/05/21 18:42:42.0484 2764 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys 2011/05/21 18:42:42.0734 2764 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/05/21 18:42:43.0000 2764 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\WINDOWS\system32\drivers\nmwcd.sys 2011/05/21 18:42:43.0328 2764 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\WINDOWS\system32\drivers\nmwcdc.sys 2011/05/21 18:42:43.0562 2764 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcj.sys 2011/05/21 18:42:43.0828 2764 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcm.sys 2011/05/21 18:42:44.0000 2764 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/05/21 18:42:44.0156 2764 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS 2011/05/21 18:42:44.0453 2764 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/05/21 18:42:44.0703 2764 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/05/21 18:42:44.0906 2764 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/05/21 18:42:45.0156 2764 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/05/21 18:42:45.0343 2764 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/05/21 18:42:45.0671 2764 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/05/21 18:42:45.0921 2764 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/05/21 18:42:46.0078 2764 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/05/21 18:42:46.0250 2764 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/05/21 18:42:46.0515 2764 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/05/21 18:42:46.0687 2764 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/05/21 18:42:47.0453 2764 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys 2011/05/21 18:42:47.0718 2764 PID_PEPI (84b9084692fe00df09f20e516d831c57) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 2011/05/21 18:42:47.0984 2764 PPPoEWin (8ae03e978bc99f31ae31b183cd373951) C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS 2011/05/21 18:42:48.0140 2764 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/05/21 18:42:48.0343 2764 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys 2011/05/21 18:42:48.0515 2764 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/05/21 18:42:48.0687 2764 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/05/21 18:42:49.0015 2764 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/05/21 18:42:49.0968 2764 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys 2011/05/21 18:42:50.0109 2764 RapportEI (2c1507b17cd25b3f5d3ddf530fd23bda) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 2011/05/21 18:42:50.0171 2764 RapportPG (701e59b8e6ebff150dad0c4dba835932) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 2011/05/21 18:42:50.0390 2764 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/05/21 18:42:50.0687 2764 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/05/21 18:42:50.0890 2764 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/05/21 18:42:51.0062 2764 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/05/21 18:42:51.0265 2764 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/05/21 18:42:51.0484 2764 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/05/21 18:42:51.0703 2764 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/05/21 18:42:51.0921 2764 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/05/21 18:42:52.0203 2764 RT73 (4f153709d0691c6de8c9a4c5e813907c) C:\WINDOWS\system32\DRIVERS\rt73.sys 2011/05/21 18:42:52.0406 2764 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS 2011/05/21 18:42:52.0640 2764 RTLWUSB (f564f1c5813b47a86903d42cd778311c) C:\WINDOWS\system32\DRIVERS\wg111v2.sys 2011/05/21 18:42:52.0906 2764 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/05/21 18:42:53.0109 2764 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/05/21 18:42:53.0312 2764 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/05/21 18:42:53.0625 2764 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/05/21 18:42:54.0015 2764 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/05/21 18:42:54.0359 2764 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/05/21 18:42:54.0625 2764 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/05/21 18:42:54.0953 2764 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/05/21 18:42:55.0234 2764 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/05/21 18:42:55.0437 2764 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/05/21 18:42:55.0687 2764 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/05/21 18:42:56.0640 2764 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/05/21 18:42:56.0859 2764 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/05/21 18:42:57.0062 2764 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/05/21 18:42:57.0218 2764 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/05/21 18:42:57.0390 2764 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/05/21 18:42:57.0859 2764 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/05/21 18:42:58.0125 2764 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/05/21 18:42:58.0343 2764 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 2011/05/21 18:42:58.0640 2764 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/05/21 18:42:58.0781 2764 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/05/21 18:42:58.0968 2764 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/05/21 18:42:59.0125 2764 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/05/21 18:42:59.0281 2764 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/05/21 18:42:59.0437 2764 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/05/21 18:42:59.0640 2764 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/05/21 18:42:59.0781 2764 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys 2011/05/21 18:42:59.0953 2764 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/05/21 18:43:00.0125 2764 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/05/21 18:43:00.0296 2764 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/05/21 18:43:00.0421 2764 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys 2011/05/21 18:43:00.0765 2764 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/05/21 18:43:00.0937 2764 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys 2011/05/21 18:43:01.0125 2764 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2011/05/21 18:43:01.0390 2764 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/05/21 18:43:01.0765 2764 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys 2011/05/21 18:43:01.0921 2764 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2011/05/21 18:43:02.0109 2764 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2011/05/21 18:43:02.0281 2764 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2011/05/21 18:43:02.0453 2764 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2011/05/21 18:43:02.0703 2764 ZY202_XP (bd6354de4d081de96c79bdb53f55ca82) C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys 2011/05/21 18:43:03.0015 2764 ================================================================================ 2011/05/21 18:43:03.0015 2764 Scan finished 2011/05/21 18:43:03.0015 2764 ================================================================================
  6. sambora1984
    Hello, Here are the results of the virscan and combofix as requested...couldn't get either of the first two links to run so used virscan. thanks VirSCAN.org Scanned Report : Scanned time : 2011/05/20 21:12:35 (BST) Scanner results: 5% Scanner(s) (2/37) found malware! File Name : null0.19106781029606734.exe File Size : 100958 byte File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5 : b0fa2f95250378c192b479f045e59164 SHA1 : 333ac1b30d4cd1a8ed695e7f745546d71188fe3e Online report : http://file.virscan.org/report/6017fcf6650af3a768b4ca503a29e783.html Scanner Engine Ver Sig Ver Sig Date Time Scan result a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 - AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 - AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 - Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 Trojan/Win32.SpyEyes.gqv[sPY] Arcavir 2011 201105080215 2011-05-08 0.04 - Authentium 5.1.1 201105201654 2011-05-20 1.42 - AVAST! 4.7.4 110520-1 2011-05-20 0.01 - AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 - BitDefender 7.90123.7367409 7.37525 2011-05-21 5.88 - ClamAV 0.96.5 13097 2011-05-20 0.02 - Comodo 4.0 8774 2011-05-20 0.08 - CP Secure 1.3.0.5 2011.05.21 2011-05-21 3.40 - Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.94 - F-Prot 4.4.4.56 20110520 2011-05-20 1.41 Possible W32/Heuristic-MU2!Eldorado (damaged, not disinfectable) F-Secure 7.02.73807 2011.05.20.05 2011-05-20 3.34 - Fortinet 4.2.257 13.246 2011-05-20 0.08 - GData 22.397/22.112 20110520 2011-05-20 0.08 - ViRobot 20110520 2011.05.20 2011-05-20 0.08 - Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 4.73 - JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 - Kaspersky 5.5.10 2011.05.20 2011-05-20 0.10 - KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.09 - McAfee 5400.1158 6340 2011-05-08 9.18 - Microsoft 1.6903 2011.05.20 2011-05-20 0.08 - NOD32 3.0.21 6138 2011-05-20 0.03 - Norman 6.07.08 6.07.00 2011-05-20 14.02 - Panda 9.05.01 2011.05.19 2011-05-19 0.16 - Trend Micro 9.200-1012 8.168.15 2011-05-20 0.02 - Quick Heal 11.00 2011.05.20 2011-05-20 0.12 - Rising 20.0 23.58.04.03 2011-05-20 0.14 - Sophos 3.19.1 4.65 2011-05-21 3.76 - Sunbelt 3.9.2493.2 9337 2011-05-20 0.12 - Symantec 1.3.0.24 20110519.002 2011-05-19 0.08 - nProtect 20110519.01 3454403 2011-05-19 0.12 - The Hacker 6.7.0.1 v00176 2011-04-18 0.20 - VBA32 3.12.16.0 20110520.1647 2011-05-20 5.14 - VirusBuster 5.2.0.28 13.6.365.0/52137182011-05-20 0.00 - VirSCAN.org Scanned Report : Scanned time : 2011/05/20 21:18:01 (BST) Scanner results: 38% Scanner(s) (14/37) found malware! File Name : Explorermgr.exe File Size : 166256 byte File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5 : 6c1e199ccc02acaf6e962eb75acb8c98 SHA1 : 742db8306bdbc1759d73eabd7914a93f94478cc7 Online report : http://file.virscan.org/report/2222a28a8ca81c5f9e6034410daa9ea2.html Scanner Engine Ver Sig Ver Sig Date Time Scan result a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 - AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 - AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 TR/Lebag.bpc Antiy 2.0.18 20110205.7694535 2011-02-05 0.13 - Arcavir 2011 201105080215 2011-05-08 0.04 Trojan.Lebag.Bqq Authentium 5.1.1 201105201654 2011-05-20 1.64 - AVAST! 4.7.4 110520-1 2011-05-20 0.02 Win32:Dropper-gen [Drp] AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 Generic22.PDI BitDefender 7.90123.7367409 7.37525 2011-05-21 5.92 Backdoor.Generic.634174 ClamAV 0.96.5 13097 2011-05-20 0.04 - Comodo 4.0 8774 2011-05-20 0.08 - CP Secure 1.3.0.5 2011.05.21 2011-05-21 0.07 - Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.93 Trojan.DownLoader2.39905 F-Prot 4.4.4.56 20110520 2011-05-20 1.57 - F-Secure 7.02.73807 2011.05.20.05 2011-05-20 0.20 Trojan.Win32.Lebag.bpc [AVP] Fortinet 4.2.257 13.246 2011-05-20 0.08 - GData 22.397/22.112 20110520 2011-05-20 0.08 - ViRobot 20110520 2011.05.20 2011-05-20 0.08 - Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 6.89 Trojan.Win32.Lebag JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 - Kaspersky 5.5.10 2011.05.20 2011-05-20 0.09 Trojan.Win32.Lebag.bpc KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.08 - McAfee 5400.1158 6340 2011-05-08 9.10 PWS-Zbot.gen.cy Microsoft 1.6903 2011.05.20 2011-05-20 0.08 - NOD32 3.0.21 6138 2011-05-20 0.03 a variant of Win32/Injector.GAW trojan Norman 6.07.08 6.07.00 2011-05-20 12.01 - Panda 9.05.01 2011.05.19 2011-05-19 0.08 - Trend Micro 9.200-1012 8.168.15 2011-05-20 0.03 TROJ_SPNR.06EJ11 Quick Heal 11.00 2011.05.20 2011-05-20 0.08 - Rising 20.0 23.58.04.03 2011-05-20 0.08 - Sophos 3.19.1 4.65 2011-05-21 3.54 Mal/Zbot-CJ Sunbelt 3.9.2493.2 9337 2011-05-20 0.08 - Symantec 1.3.0.24 20110519.002 2011-05-19 0.00 - nProtect 20110519.01 3454403 2011-05-19 0.08 - The Hacker 6.7.0.1 v00176 2011-04-18 0.08 - VBA32 3.12.16.0 20110520.1647 2011-05-20 4.26 Trojan.Lebag.bqq VirusBuster 5.2.0.28 13.6.365.0/52137182011-05-20 0.00 - ComboFix 11-05-18.04 - Ishbel 20/05/2011 21:26:41.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.971 [GMT 1:00] Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScript.txt FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . FILE :: "c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys" "c:\windows\pss\ljsaqqic.exe" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\HP_Owner\WINDOWS c:\program files\Internet Explorer\IEXPLOREmgr.exe c:\program files\ddbndqyl . . . . Failed to delete . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_Micorsoft Windows Service . . ((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 ))))))))))))))))))))))))))))))) . . 2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro 2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe 2011-05-07 15:52 . 2011-05-20 20:38 -------- d-----w- c:\program files\ddbndqyl 2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster 2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe 2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer 2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] 2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112] "%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll . [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start] 2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] 2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] 2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] 2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= . R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q= FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-20 22:01 Windows 5.1.2600 Service Pack 3 NTFS . detected NTDLL code modification: ZwQueryDirectoryFile . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable . scan completed successfully hidden files: 1 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'lsass.exe'(880) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'explorer.exe'(712) c:\windows\system32\WININET.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\AOL\ACS\AOLAcsd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\windows\system32\HPZipm12.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\PC Connectivity Solution\ServiceLayer.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Internet Explorer\iexplore.exe . ************************************************************************** . Completion time: 2011-05-20 22:12:42 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-20 21:12 ComboFix2.txt 2011-05-19 17:25 . Pre-Run: 51,096,637,440 bytes free Post-Run: 51,280,097,280 bytes free . - - End Of File - - E0F4FA02ADA3B9B9F81FC5F72251CEB5
  7. sambora1984
    Hi Conspire, Got this combofix run...ZoneAlarm somehow re-enabled half way through but it seemed to get to the end ok after i disabled it again. Thanks ComboFix 11-05-18.04 - Ishbel 19/05/2011 18:05:50.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.997 [GMT 1:00] Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Administrator\WINDOWS c:\documents and settings\David\WINDOWS c:\documents and settings\Default User\WINDOWS c:\documents and settings\Ishbel\WINDOWS c:\documents and settings\LogMeInRemoteUser\WINDOWS c:\program files\Internet Explorer\IEXPLOREmgr.exe c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\Drivers\lvlnjonw.sys c:\windows\system32\ps2.bat D:\Autorun.inf . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_MYWEBSEARCHSERVICE . . ((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 ))))))))))))))))))))))))))))))) . . 2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro 2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe 2011-05-07 15:52 . 2011-05-19 17:17 -------- d-----w- c:\program files\ddbndqyl 2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP 2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster 2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe 2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer 2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] 2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688] . [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112] "%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll . [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe] path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe backup=c:\windows\pss\ljsaqqic.exeStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start] 2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] 2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE] 2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE] 2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= . R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144] R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149] S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys --> c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys [?] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384] S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WUAUSERV . Contents of the 'Scheduled Tasks' folder . 2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q= FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false . - - - - ORPHANS REMOVED - - - - . HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-19 18:17 Windows 5.1.2600 Service Pack 3 NTFS . detected NTDLL code modification: ZwQueryDirectoryFile . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable C:\ljsaqqic.exe 166256 bytes executable . scan completed successfully hidden files: 2 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(824) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'lsass.exe'(880) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . - - - - - - - > 'explorer.exe'(3336) c:\windows\system32\WININET.dll c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\LMIRfsClientNP.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\AOL\ACS\AOLAcsd.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\windows\system32\HPZipm12.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\windows\AGRSMMSG.exe c:\windows\ALCXMNTR.EXE c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\PC Connectivity Solution\ServiceLayer.exe . ************************************************************************** . Completion time: 2011-05-19 18:25:40 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-19 17:25 . Pre-Run: 51,903,340,544 bytes free Post-Run: 51,850,108,928 bytes free . - - End Of File - - A5910C4D6C09B8C68A300292CB85A1C4
  8. sambora1984
    Hi Conspire, Sorry I've not replied yet I am once again away from this machine but hope to carry out the next steps tomorrow evening. I will post results asap! Thanks
  9. sambora1984
    TDSS Report: Rebooted immediately after scan finished. Thanks 2011/05/15 10:15:11.0031 1684 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29 2011/05/15 10:15:11.0718 1684 ================================================================================ 2011/05/15 10:15:11.0718 1684 SystemInfo: 2011/05/15 10:15:11.0718 1684 2011/05/15 10:15:11.0718 1684 OS Version: 5.1.2600 ServicePack: 3.0 2011/05/15 10:15:11.0718 1684 Product type: Workstation 2011/05/15 10:15:11.0718 1684 ComputerName: EMMA 2011/05/15 10:15:11.0718 1684 UserName: Ishbel 2011/05/15 10:15:11.0718 1684 Windows directory: C:\WINDOWS 2011/05/15 10:15:11.0718 1684 System windows directory: C:\WINDOWS 2011/05/15 10:15:11.0718 1684 Processor architecture: Intel x86 2011/05/15 10:15:11.0718 1684 Number of processors: 1 2011/05/15 10:15:11.0718 1684 Page size: 0x1000 2011/05/15 10:15:11.0718 1684 Boot type: Normal boot 2011/05/15 10:15:11.0718 1684 ================================================================================ 2011/05/15 10:15:12.0234 1684 Initialize success 2011/05/15 10:15:18.0968 3468 ================================================================================ 2011/05/15 10:15:18.0968 3468 Scan started 2011/05/15 10:15:18.0968 3468 Mode: Manual; 2011/05/15 10:15:18.0968 3468 ================================================================================ 2011/05/15 10:15:20.0687 3468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2011/05/15 10:15:20.0906 3468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2011/05/15 10:15:21.0328 3468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2011/05/15 10:15:21.0531 3468 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys 2011/05/15 10:15:21.0718 3468 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys 2011/05/15 10:15:21.0937 3468 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 2011/05/15 10:15:22.0531 3468 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2011/05/15 10:15:23.0093 3468 AR5523 (92637b97f57c1669d521a54482c4579c) C:\WINDOWS\system32\DRIVERS\WG11TND5.sys 2011/05/15 10:15:23.0312 3468 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2011/05/15 10:15:23.0750 3468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2011/05/15 10:15:23.0953 3468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2011/05/15 10:15:24.0375 3468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2011/05/15 10:15:24.0546 3468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2011/05/15 10:15:24.0718 3468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2011/05/15 10:15:24.0906 3468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2011/05/15 10:15:25.0156 3468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 2011/05/15 10:15:25.0375 3468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2011/05/15 10:15:25.0546 3468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2011/05/15 10:15:25.0734 3468 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys 2011/05/15 10:15:25.0937 3468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2011/05/15 10:15:26.0703 3468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2011/05/15 10:15:26.0937 3468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2011/05/15 10:15:27.0265 3468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2011/05/15 10:15:27.0468 3468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2011/05/15 10:15:27.0671 3468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2011/05/15 10:15:27.0812 3468 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS 2011/05/15 10:15:28.0140 3468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2011/05/15 10:15:28.0375 3468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2011/05/15 10:15:28.0625 3468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2011/05/15 10:15:28.0828 3468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2011/05/15 10:15:29.0031 3468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2011/05/15 10:15:29.0250 3468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2011/05/15 10:15:29.0437 3468 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 2011/05/15 10:15:29.0656 3468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2011/05/15 10:15:29.0843 3468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2011/05/15 10:15:30.0046 3468 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 2011/05/15 10:15:30.0265 3468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2011/05/15 10:15:30.0468 3468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2011/05/15 10:15:30.0765 3468 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys 2011/05/15 10:15:30.0953 3468 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 2011/05/15 10:15:31.0203 3468 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys 2011/05/15 10:15:31.0406 3468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/05/15 10:15:31.0734 3468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/05/15 10:15:31.0921 3468 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 2011/05/15 10:15:32.0187 3468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/05/15 10:15:32.0468 3468 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/05/15 10:15:32.0671 3468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/05/15 10:15:32.0875 3468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/05/15 10:15:33.0078 3468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/05/15 10:15:33.0296 3468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/05/15 10:15:33.0500 3468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/05/15 10:15:33.0750 3468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/05/15 10:15:33.0953 3468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/05/15 10:15:34.0203 3468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/05/15 10:15:34.0312 3468 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 2011/05/15 10:15:34.0515 3468 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys 2011/05/15 10:15:34.0687 3468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/05/15 10:15:34.0890 3468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2011/05/15 10:15:35.0171 3468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/05/15 10:15:35.0375 3468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/05/15 10:15:35.0609 3468 lanusb (73f6efd2a2315af34f7872559686c471) C:\WINDOWS\system32\DRIVERS\glausb.sys 2011/05/15 10:15:36.0031 3468 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys 2011/05/15 10:15:36.0250 3468 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys 2011/05/15 10:15:36.0515 3468 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 2011/05/15 10:15:36.0718 3468 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys 2011/05/15 10:15:37.0062 3468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/05/15 10:15:37.0312 3468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/05/15 10:15:37.0515 3468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/05/15 10:15:37.0703 3468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/05/15 10:15:37.0875 3468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/05/15 10:15:38.0328 3468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/05/15 10:15:38.0531 3468 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/05/15 10:15:38.0765 3468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/05/15 10:15:39.0000 3468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/05/15 10:15:39.0218 3468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/05/15 10:15:39.0421 3468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/05/15 10:15:39.0625 3468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/05/15 10:15:39.0812 3468 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/05/15 10:15:40.0000 3468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/05/15 10:15:40.0296 3468 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/05/15 10:15:40.0484 3468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/05/15 10:15:40.0671 3468 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/05/15 10:15:40.0843 3468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/05/15 10:15:41.0062 3468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/05/15 10:15:41.0281 3468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/05/15 10:15:41.0468 3468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/05/15 10:15:41.0656 3468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/05/15 10:15:41.0859 3468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/05/15 10:15:42.0125 3468 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys 2011/05/15 10:15:42.0343 3468 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/05/15 10:15:42.0562 3468 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\WINDOWS\system32\drivers\nmwcd.sys 2011/05/15 10:15:42.0734 3468 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\WINDOWS\system32\drivers\nmwcdc.sys 2011/05/15 10:15:42.0937 3468 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcj.sys 2011/05/15 10:15:43.0171 3468 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcm.sys 2011/05/15 10:15:43.0375 3468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/05/15 10:15:43.0515 3468 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS 2011/05/15 10:15:43.0734 3468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/05/15 10:15:43.0953 3468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/05/15 10:15:44.0140 3468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/05/15 10:15:44.0312 3468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/05/15 10:15:44.0500 3468 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/05/15 10:15:44.0734 3468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/05/15 10:15:44.0937 3468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/05/15 10:15:45.0109 3468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/05/15 10:15:45.0312 3468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/05/15 10:15:45.0609 3468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/05/15 10:15:45.0812 3468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/05/15 10:15:46.0593 3468 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys 2011/05/15 10:15:46.0781 3468 PID_PEPI (84b9084692fe00df09f20e516d831c57) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 2011/05/15 10:15:47.0046 3468 PPPoEWin (8ae03e978bc99f31ae31b183cd373951) C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS 2011/05/15 10:15:47.0281 3468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/05/15 10:15:47.0484 3468 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys 2011/05/15 10:15:47.0671 3468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/05/15 10:15:47.0875 3468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/05/15 10:15:48.0062 3468 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/05/15 10:15:48.0671 3468 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys 2011/05/15 10:15:48.0796 3468 RapportEI (2c1507b17cd25b3f5d3ddf530fd23bda) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 2011/05/15 10:15:48.0843 3468 RapportPG (701e59b8e6ebff150dad0c4dba835932) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 2011/05/15 10:15:49.0062 3468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/05/15 10:15:49.0281 3468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/05/15 10:15:49.0484 3468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/05/15 10:15:49.0671 3468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/05/15 10:15:49.0875 3468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/05/15 10:15:50.0078 3468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/05/15 10:15:50.0296 3468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/05/15 10:15:50.0500 3468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/05/15 10:15:50.0750 3468 RT73 (4f153709d0691c6de8c9a4c5e813907c) C:\WINDOWS\system32\DRIVERS\rt73.sys 2011/05/15 10:15:50.0906 3468 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS 2011/05/15 10:15:51.0093 3468 RTLWUSB (f564f1c5813b47a86903d42cd778311c) C:\WINDOWS\system32\DRIVERS\wg111v2.sys 2011/05/15 10:15:51.0328 3468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/05/15 10:15:51.0531 3468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/05/15 10:15:51.0734 3468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/05/15 10:15:51.0953 3468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/05/15 10:15:52.0406 3468 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/05/15 10:15:52.0703 3468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/05/15 10:15:52.0906 3468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/05/15 10:15:53.0171 3468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/05/15 10:15:53.0406 3468 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/05/15 10:15:53.0578 3468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/05/15 10:15:53.0781 3468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/05/15 10:15:54.0375 3468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/05/15 10:15:54.0609 3468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/05/15 10:15:54.0828 3468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/05/15 10:15:55.0000 3468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/05/15 10:15:55.0203 3468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/05/15 10:15:55.0500 3468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/05/15 10:15:55.0828 3468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/05/15 10:15:56.0062 3468 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 2011/05/15 10:15:56.0265 3468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/05/15 10:15:56.0437 3468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/05/15 10:15:56.0640 3468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/05/15 10:15:56.0906 3468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/05/15 10:15:57.0109 3468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/05/15 10:15:57.0437 3468 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/05/15 10:15:57.0703 3468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/05/15 10:15:57.0906 3468 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys 2011/05/15 10:15:58.0312 3468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/05/15 10:15:58.0500 3468 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/05/15 10:15:58.0687 3468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/05/15 10:15:58.0859 3468 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys 2011/05/15 10:15:59.0156 3468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/05/15 10:15:59.0359 3468 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys 2011/05/15 10:15:59.0546 3468 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 2011/05/15 10:15:59.0828 3468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/05/15 10:16:00.0109 3468 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys 2011/05/15 10:16:00.0343 3468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2011/05/15 10:16:00.0531 3468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2011/05/15 10:16:00.0734 3468 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2011/05/15 10:16:00.0937 3468 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2011/05/15 10:16:01.0171 3468 ZY202_XP (bd6354de4d081de96c79bdb53f55ca82) C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys 2011/05/15 10:16:01.0375 3468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0) 2011/05/15 10:16:01.0390 3468 ================================================================================ 2011/05/15 10:16:01.0390 3468 Scan finished 2011/05/15 10:16:01.0390 3468 ================================================================================ 2011/05/15 10:16:01.0406 2536 Detected object count: 1 2011/05/15 10:16:15.0234 2536 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot 2011/05/15 10:16:15.0234 2536 \HardDisk0 - ok 2011/05/15 10:16:15.0234 2536 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 2011/05/15 10:16:57.0375 2916 Deinitialize success
  10. sambora1984
    Hi Conspire, Forgive me for posting everything but I cannot see where I can attach any files in the reply dialog...am I being stupid?! Anyway here are the requested logs. I look forward to your reply. Many thanks DDS------------------- . DDS (Ver_11-03-05.01) - NTFSx86 Run by Ishbel at 17:38:33.25 on 14/05/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.908 [GMT 1:00] . FW: ZoneAlarm Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Mozilla Firefox\firefox.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\AGRSMMSG.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\NETGEAR\WG111T\wlan111t.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\CheckPoint\ZAForceField\ForceField.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Ishbel\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\ddbndqyl\ljsaqqic.exe, BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [PS2] c:\windows\system32\ps2.exe mRun: [%FP%Friendly fts.exe] "c:\program files\voyagertest\fts.exe" mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [<NO NAME>] mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden" mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe IE: &Search IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1 Notify: igfxcui - igfxsrvc.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\ishbel\applic~1\mozilla\firefox\profiles\n01olo1j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q= FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f} FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker . ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false ============= SERVICES / DRIVERS =============== . . =============== Created Last 30 ================ . . ==================== Find3M ==================== . . =================== ROOTKIT ==================== . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 . device: opened successfully user: MBR read successfully . Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5724F0]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5787d0]; MOV EAX, [0x8a57884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A58DAB8] 3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006e[0x8A565F18] 5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A564D98] \Driver\atapi[0x8A563DF0] -> IRP_MJ_CREATE -> 0x8A5724F0 error: Read A device attached to the system is not functioning. kernel: MBR read successfully _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; } detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x8A57233B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! . ============= FINISH: 17:42:37.71 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_11-03-05.01) . Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 26/06/2005 13:12:26 System Uptime: 14/05/2011 17:29:41 (0 hours ago) . Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | Gamila/Giovani/Neon series Processor: Intel® Celeron® CPU 2.66GHz | Socket 478 | 2666/133mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 68 GiB total, 48.543 GiB free. D: is FIXED (FAT32) - 7 GiB total, 2.875 GiB free. E: is CDROM () . ==== Disabled Device Manager Items ============= . Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: Nokia 6500c Device ID: ROOT\WPD\0000 Manufacturer: Nokia Name: Nokia 6500c PNP Device ID: ROOT\WPD\0000 Service: WUDFRd . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . . ==== Event Viewer Messages From Past Week ======== . . ==== End Of File =========================== GMER: GMER 1.0.15.15627 - http://www.gmer.net Rootkit scan 2011-05-14 18:02:46 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0802N rev.TK200-04 Running: 1dq0ri0g.exe; Driver: C:\DOCUME~1\Ishbel\LOCALS~1\Temp\uxldapoc.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xABAE3FA2] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xABB9E534] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xABAE4A38] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xABBB76DC] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xABB9ECC0] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xABBB1EB4] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xABBB22A2] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xABBBB916] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xF7424DB6] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xABB9EDF6] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xF7423E12] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xABAE81AC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xABAE81DE] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xABBB0DF0] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xABAE8340] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xABBB9B44] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xABAE4B0E] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xABBB41CE] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xABBB3DF8] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xABAE440A] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xABAE82B6] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xABAE8220] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xABAE8252] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xABB9E0F4] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xABAE8284] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xABB9E7DC] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xABAE3F48] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xF7423E86] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xABBBAE12] SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xF7424C92] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xABAE3EE4] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xABBB2F0A] SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xABBB2C86] SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xABAE3E80] ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [C0, EC, B9, AB, B4, 1E, BB, ...] {SHR AH, 0xb9; STOSD ; MOV AH, 0x1e; MOV EBX, 0xbb22a2ab; STOSD } PAGE ntoskrnl.exe!ZwCreateSemaphore + 449 8057BC56 7 Bytes JMP B9E078E8 ? C:\DOCUME~1\Ishbel\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\system32\ctfmon.exe[236] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 ? C:\WINDOWS\System32\svchost.exe[308] time/date stamp mismatch; .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 ? C:\WINDOWS\system32\svchost.exe[388] time/date stamp mismatch; .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\WINDOWS\system32\svchost.exe[388] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985 .text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833 .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies) .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40 .text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
  11. sambora1984
    Hi thanks for replying. I'm not currently with the infected machine. I won't be able to run these logs until saturday unless I get to the machine before then. I'd Appreciate if you would keep this thread open as I will reply as soon as I can. Thanks
  12. sambora1984
    Hi Please help with this nasty little recurring virus thing. I have spent hours deleting startup entries running malwarebytes, spybot etc but with no luck. The offending item can be seen in the log below at F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe I've even tried replacing the system.ini and win.ini from the C:\windows\pss folder but this didn't have much effect. After every reboot any file that has been deleted simply re-appears! Please help. Thanks Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 18:02:38, on 07/05/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\AGRSMMSG.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\NETGEAR\WG111T\wlan111t.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\LogMeIn\x86\LMIGuardian.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\CheckPoint\ZAForceField\ForceField.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://b.casalemedia.com/V2/52928/68146/index.html?XX R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe, O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe" O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O4 - Startup: ljsaqqic.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ? O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{21000BEC-F93D-4E81-9CCA-BF6F00B866B4}: NameServer = 192.168.0.1 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10141 bytes
  13. sambora1984
    Hi Guys, No luck, it detected the USB device but couldn't load drivers. No joy this time. I think I will install it onto a new internal, nice and easy and use the big usb drive as a general storage device. Thanks
  14. sambora1984
    Try a firmware upgrade. I have looked on the Linksys website and it is less than clear as to where you will find it. Maybe someone else will know... I had problems with a linksys wireless router and the customer help wasn't great.
  15. sambora1984
    Do you have any wireless encryption enabled? Also, do you have DHCP enabled?
×
×
  • Create New...