sambora1984

Hjt Log For Recurring Exe File Hijacking Browser


Hi, please help with this nasty little recurring virus thing. I have spent hours deleting startup entries and running Malwarebytes, Spybot etc., but with no luck. The offending item can be seen in the log below at F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe

 

I've even tried replacing the system.ini and win.ini from the C:\windows\pss folder but this didn't have much effect.

 

After every reboot any file that has been deleted simply re-appears! Please help.

 

Thanks

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 18:02:38, on 07/05/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://b.casalemedia.com/V2/52928/68146/index.html?XX

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\ddbndqyl\ljsaqqic.exe,

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZon1.dll

O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Startup: ljsaqqic.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{21000BEC-F93D-4E81-9CCA-BF6F00B866B4}: NameServer = 192.168.0.1

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 10141 bytes
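The F2 line in the log above is the Winlogon Userinit value, and the entry appended after the comma is started by winlogon at every logon, which fits the symptom of a deleted file coming back after each reboot. As an added example (not part of this thread, and not one of the tools the helper asks for), here is a small Python check that reads HijackThis/DDS-style lines, splits the Userinit value on commas, reports anything other than the stock %SystemRoot%\system32\userinit.exe, and cross-references it with O4 Startup entries that carry the same file name. The sample lines are constructed from the log formats shown in the thread; the regex patterns and function names are mine.

```python
"""Flag non-default Userinit entries in HijackThis / DDS style log lines.

Added example, not part of the thread. On a clean Windows XP box the
Winlogon Userinit value holds exactly one entry, %SystemRoot%\\system32\\userinit.exe.
Every extra comma-separated entry is started by winlogon at each logon, which is
why a file that is re-created at every reboot is worth correlating with this value.
"""
import re

# Constructed sample: the formats match the HJT (F2 / O4) and DDS (mWinlogon)
# lines seen in the thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\ddbndqyl\\ljsaqqic.exe,
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - Startup: ljsaqqic.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\program files\\ddbndqyl\\ljsaqqic.exe,
"""

# "UserInit=" (HJT F2 line) or "Userinit=" (DDS mWinlogon line); the value runs to end of line.
USERINIT_RE = re.compile(r"\buserinit\s*=\s*(?P<value>.+)$", re.IGNORECASE)
# "O4 - Startup: name" or "O4 - Global Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>[^=]+?)\s*(?:=.*)?$")


def userinit_entries(value: str) -> list[str]:
    """Split a Userinit value on commas; the trailing comma yields an empty entry we drop."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def is_default_userinit(entry: str) -> bool:
    """True only for the stock binary under ...\\system32\\; a userinit.exe elsewhere is not default."""
    return entry.lower().endswith("\\system32\\userinit.exe")


def analyze(log_text: str) -> dict:
    """Return extra Userinit entries plus any startup-folder items sharing their file name."""
    extra: list[str] = []
    startup: list[str] = []
    for line in log_text.splitlines():
        m = USERINIT_RE.search(line)
        if m:
            for entry in userinit_entries(m.group("value")):
                norm = entry.lower()
                if not is_default_userinit(norm) and norm not in extra:
                    extra.append(norm)
            continue
        m = STARTUP_RE.match(line)
        if m:
            startup.append(m.group("name").strip())
    # A startup-folder item with the same file name as an extra Userinit entry is
    # a second persistence hook for the same binary.
    extra_names = {e.rsplit("\\", 1)[-1] for e in extra}
    correlated = [s for s in startup if s.lower() in extra_names]
    return {"extra_userinit": extra, "startup_entries": startup, "correlated_startup": correlated}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Running it on the sample reports the ljsaqqic.exe path as the only non-default Userinit entry and links it to the `O4 - Startup: ljsaqqic.exe` item, which is exactly the pair of hooks a cleanup would have to remove together.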


In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. If you fail to do so, your thread will be closed in THREE (3) days.

:)

Hello there, sambora1984

 


 

I'm Conspire, I'll be glad to help you with your computer problems.

 

Please observe these rules while we work:

  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE : Please do not delete anything unless instructed to.


Hello there,

 

Let's see what else we have here.

 

Please download DDS by sUBs from one of the following links and save it to your desktop.

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.
===================================================

 


  • Please download GMER from one of the following locations, and save it to your desktop:

  • Main Mirror

    This version will download a randomly named file (Recommended)

  • Zip Mirror

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Extract the contents of the zipped file to your desktop (applicable only to the Zip mirror).
  • Double click the GMER file on your desktop.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

 

===================================================

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===================================================

 

On your next reply please post :

DDS log

GMER log

Checkup log

Let me know if you have any problems performing the steps above or any questions you may have.

 

Good Day!


Hi, thanks for replying. I'm not currently with the infected machine. I won't be able to run these logs until Saturday unless I get to the machine before then. I'd appreciate it if you would keep this thread open, as I will reply as soon as I can.

 

Thanks


Hi Conspire,

 

Forgive me for posting everything, but I cannot see where I can attach any files in the reply dialog... am I being stupid?!

 

Anyway here are the requested logs. I look forward to your reply.

 

Many thanks

 

 

 

DDS-------------------

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Ishbel at 17:38:33.25 on 14/05/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.908 [GMT 1:00]

.

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\NETGEAR\WG111T\wlan111t.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Ishbel\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX

uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\ddbndqyl\ljsaqqic.exe,

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZon1.dll

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [%FP%Friendly fts.exe] "c:\program files\voyagertest\fts.exe"

mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [<NO NAME>]

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe

IE: &Search

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1

Notify: igfxcui - igfxsrvc.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\ishbel\applic~1\mozilla\firefox\profiles\n01olo1j.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}

FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}

FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5724F0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5787d0]; MOV EAX, [0x8a57884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A58DAB8]

3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006e[0x8A565F18]

5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A564D98]

\Driver\atapi[0x8A563DF0] -> IRP_MJ_CREATE -> 0x8A5724F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A57233B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 17:42:37.71 ===============

 

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 26/06/2005 13:12:26

System Uptime: 14/05/2011 17:29:41 (0 hours ago)

.

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | Gamila/Giovani/Neon series

Processor: Intel® Celeron® CPU 2.66GHz | Socket 478 | 2666/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 68 GiB total, 48.543 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 2.875 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}

Description: Nokia 6500c

Device ID: ROOT\WPD\0000

Manufacturer: Nokia

Name: Nokia 6500c

PNP Device ID: ROOT\WPD\0000

Service: WUDFRd

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

.

==== Event Viewer Messages From Past Week ========

.

.

==== End Of File ===========================

 

 

GMER:

GMER 1.0.15.15627 - http://www.gmer.net

Rootkit scan 2011-05-14 18:02:46

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP0802N rev.TK200-04

Running: 1dq0ri0g.exe; Driver: C:\DOCUME~1\Ishbel\LOCALS~1\Temp\uxldapoc.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xABAE3FA2]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xABB9E534]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xABAE4A38]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xABBB76DC]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xABB9ECC0]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xABBB1EB4]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xABBB22A2]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xABBBB916]

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xF7424DB6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xABB9EDF6]

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xF7423E12]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xABAE81AC]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xABAE81DE]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xABBB0DF0]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xABAE8340]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xABBB9B44]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xABAE4B0E]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xABBB41CE]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xABBB3DF8]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xABAE440A]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xABAE82B6]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xABAE8220]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xABAE8252]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xABB9E0F4]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xABAE8284]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xABB9E7DC]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xABAE3F48]

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xF7423E86]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xABBBAE12]

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xF7424C92]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xABAE3EE4]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xABBB2F0A]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xABBB2C86]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xABAE3E80]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [C0, EC, B9, AB, B4, 1E, BB, ...] {SHR AH, 0xb9; STOSD ; MOV AH, 0x1e; MOV EBX, 0xbb22a2ab; STOSD }

PAGE ntoskrnl.exe!ZwCreateSemaphore + 449 8057BC56 7 Bytes JMP B9E078E8

? C:\DOCUME~1\Ishbel\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB

.text C:\WINDOWS\system32\ctfmon.exe[236] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD

.text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058

.text C:\WINDOWS\system32\ctfmon.exe[236] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012

? C:\WINDOWS\System32\svchost.exe[308] time/date stamp mismatch;

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB

.text C:\WINDOWS\System32\svchost.exe[308] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD

.text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058

.text C:\WINDOWS\System32\svchost.exe[308] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985

.text C:\WINDOWS\System32\svchost.exe[308] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833

? C:\WINDOWS\system32\svchost.exe[388] time/date stamp mismatch;

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB

.text C:\WINDOWS\system32\svchost.exe[388] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD

.text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058

.text C:\WINDOWS\system32\svchost.exe[388] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985

.text C:\WINDOWS\system32\svchost.exe[388] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20C7828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20C7825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[416] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833

.text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

.text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F

.text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40

.text C:\WINDOWS\system32\HPZipm12.exe[436] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)


Hi,

 

No it's ok if you cannot attach the file. Usually when you click Use Full Editor you will see it.

 

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Edited by Conspire


TDSS Report:

 

Rebooted immediately after scan finished.

 

Thanks

 

2011/05/15 10:15:11.0031 1684 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/15 10:15:11.0718 1684 ================================================================================

2011/05/15 10:15:11.0718 1684 SystemInfo:

2011/05/15 10:15:11.0718 1684

2011/05/15 10:15:11.0718 1684 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/15 10:15:11.0718 1684 Product type: Workstation

2011/05/15 10:15:11.0718 1684 ComputerName: EMMA

2011/05/15 10:15:11.0718 1684 UserName: Ishbel

2011/05/15 10:15:11.0718 1684 Windows directory: C:\WINDOWS

2011/05/15 10:15:11.0718 1684 System windows directory: C:\WINDOWS

2011/05/15 10:15:11.0718 1684 Processor architecture: Intel x86

2011/05/15 10:15:11.0718 1684 Number of processors: 1

2011/05/15 10:15:11.0718 1684 Page size: 0x1000

2011/05/15 10:15:11.0718 1684 Boot type: Normal boot

2011/05/15 10:15:11.0718 1684 ================================================================================

2011/05/15 10:15:12.0234 1684 Initialize success

2011/05/15 10:15:18.0968 3468 ================================================================================

2011/05/15 10:15:18.0968 3468 Scan started

2011/05/15 10:15:18.0968 3468 Mode: Manual;

2011/05/15 10:15:18.0968 3468 ================================================================================

2011/05/15 10:15:20.0687 3468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/15 10:15:20.0906 3468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/15 10:15:21.0328 3468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/15 10:15:21.0531 3468 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/05/15 10:15:21.0718 3468 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/05/15 10:15:21.0937 3468 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/05/15 10:15:22.0531 3468 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/05/15 10:15:23.0093 3468 AR5523 (92637b97f57c1669d521a54482c4579c) C:\WINDOWS\system32\DRIVERS\WG11TND5.sys

2011/05/15 10:15:23.0312 3468 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/05/15 10:15:23.0750 3468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/15 10:15:23.0953 3468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/15 10:15:24.0375 3468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/15 10:15:24.0546 3468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/15 10:15:24.0718 3468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/15 10:15:24.0906 3468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/15 10:15:25.0156 3468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/05/15 10:15:25.0375 3468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/15 10:15:25.0546 3468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/15 10:15:25.0734 3468 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys

2011/05/15 10:15:25.0937 3468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/15 10:15:26.0703 3468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/15 10:15:26.0937 3468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/15 10:15:27.0265 3468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/15 10:15:27.0468 3468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/15 10:15:27.0671 3468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/15 10:15:27.0812 3468 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS

2011/05/15 10:15:28.0140 3468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/15 10:15:28.0375 3468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/15 10:15:28.0625 3468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/05/15 10:15:28.0828 3468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/15 10:15:29.0031 3468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/05/15 10:15:29.0250 3468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/15 10:15:29.0437 3468 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/15 10:15:29.0656 3468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/15 10:15:29.0843 3468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/15 10:15:30.0046 3468 GEARAspiWDM (2fb04db459c71f416ee8b05448ca4ac3) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/15 10:15:30.0265 3468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/15 10:15:30.0468 3468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/15 10:15:30.0765 3468 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/05/15 10:15:30.0953 3468 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/05/15 10:15:31.0203 3468 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/05/15 10:15:31.0406 3468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/15 10:15:31.0734 3468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/15 10:15:31.0921 3468 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/05/15 10:15:32.0187 3468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/15 10:15:32.0468 3468 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/15 10:15:32.0671 3468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/15 10:15:32.0875 3468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/15 10:15:33.0078 3468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/15 10:15:33.0296 3468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/15 10:15:33.0500 3468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/15 10:15:33.0750 3468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/15 10:15:33.0953 3468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/15 10:15:34.0203 3468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/15 10:15:34.0312 3468 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys

2011/05/15 10:15:34.0515 3468 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys

2011/05/15 10:15:34.0687 3468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/15 10:15:34.0890 3468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/05/15 10:15:35.0171 3468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/15 10:15:35.0375 3468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/15 10:15:35.0609 3468 lanusb (73f6efd2a2315af34f7872559686c471) C:\WINDOWS\system32\DRIVERS\glausb.sys

2011/05/15 10:15:36.0031 3468 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

2011/05/15 10:15:36.0250 3468 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

2011/05/15 10:15:36.0515 3468 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

2011/05/15 10:15:36.0718 3468 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys

2011/05/15 10:15:37.0062 3468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/15 10:15:37.0312 3468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/15 10:15:37.0515 3468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/15 10:15:37.0703 3468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/15 10:15:37.0875 3468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/15 10:15:38.0328 3468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/15 10:15:38.0531 3468 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/15 10:15:38.0765 3468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/15 10:15:39.0000 3468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/15 10:15:39.0218 3468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/15 10:15:39.0421 3468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/15 10:15:39.0625 3468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/15 10:15:39.0812 3468 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/05/15 10:15:40.0000 3468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/15 10:15:40.0296 3468 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/05/15 10:15:40.0484 3468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/15 10:15:40.0671 3468 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/05/15 10:15:40.0843 3468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/15 10:15:41.0062 3468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/15 10:15:41.0281 3468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/15 10:15:41.0468 3468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/15 10:15:41.0656 3468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/15 10:15:41.0859 3468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/15 10:15:42.0125 3468 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys

2011/05/15 10:15:42.0343 3468 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/05/15 10:15:42.0562 3468 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\WINDOWS\system32\drivers\nmwcd.sys

2011/05/15 10:15:42.0734 3468 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\WINDOWS\system32\drivers\nmwcdc.sys

2011/05/15 10:15:42.0937 3468 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcj.sys

2011/05/15 10:15:43.0171 3468 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\WINDOWS\system32\drivers\nmwcdcm.sys

2011/05/15 10:15:43.0375 3468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/15 10:15:43.0515 3468 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS

2011/05/15 10:15:43.0734 3468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/15 10:15:43.0953 3468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/15 10:15:44.0140 3468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/15 10:15:44.0312 3468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/15 10:15:44.0500 3468 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/05/15 10:15:44.0734 3468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/15 10:15:44.0937 3468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/15 10:15:45.0109 3468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/15 10:15:45.0312 3468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/15 10:15:45.0609 3468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/15 10:15:45.0812 3468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/05/15 10:15:46.0593 3468 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

2011/05/15 10:15:46.0781 3468 PID_PEPI (84b9084692fe00df09f20e516d831c57) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS

2011/05/15 10:15:47.0046 3468 PPPoEWin (8ae03e978bc99f31ae31b183cd373951) C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS

2011/05/15 10:15:47.0281 3468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/15 10:15:47.0484 3468 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys

2011/05/15 10:15:47.0671 3468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/15 10:15:47.0875 3468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/15 10:15:48.0062 3468 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/05/15 10:15:48.0671 3468 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys

2011/05/15 10:15:48.0796 3468 RapportEI (2c1507b17cd25b3f5d3ddf530fd23bda) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys

2011/05/15 10:15:48.0843 3468 RapportPG (701e59b8e6ebff150dad0c4dba835932) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

2011/05/15 10:15:49.0062 3468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/15 10:15:49.0281 3468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/15 10:15:49.0484 3468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/15 10:15:49.0671 3468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/15 10:15:49.0875 3468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/15 10:15:50.0078 3468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/15 10:15:50.0296 3468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/15 10:15:50.0500 3468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/15 10:15:50.0750 3468 RT73 (4f153709d0691c6de8c9a4c5e813907c) C:\WINDOWS\system32\DRIVERS\rt73.sys

2011/05/15 10:15:50.0906 3468 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

2011/05/15 10:15:51.0093 3468 RTLWUSB (f564f1c5813b47a86903d42cd778311c) C:\WINDOWS\system32\DRIVERS\wg111v2.sys

2011/05/15 10:15:51.0328 3468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/15 10:15:51.0531 3468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/15 10:15:51.0734 3468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/15 10:15:51.0953 3468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/15 10:15:52.0406 3468 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/05/15 10:15:52.0703 3468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/15 10:15:52.0906 3468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/15 10:15:53.0171 3468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/15 10:15:53.0406 3468 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/05/15 10:15:53.0578 3468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/15 10:15:53.0781 3468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/15 10:15:54.0375 3468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/15 10:15:54.0609 3468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/15 10:15:54.0828 3468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/15 10:15:55.0000 3468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/15 10:15:55.0203 3468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/15 10:15:55.0500 3468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/15 10:15:55.0828 3468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/15 10:15:56.0062 3468 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/05/15 10:15:56.0265 3468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/15 10:15:56.0437 3468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/15 10:15:56.0640 3468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/15 10:15:56.0906 3468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/15 10:15:57.0109 3468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/15 10:15:57.0437 3468 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/15 10:15:57.0703 3468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/15 10:15:57.0906 3468 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2011/05/15 10:15:58.0312 3468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/15 10:15:58.0500 3468 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/05/15 10:15:58.0687 3468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/15 10:15:58.0859 3468 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys

2011/05/15 10:15:59.0156 3468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/15 10:15:59.0359 3468 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2011/05/15 10:15:59.0546 3468 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/05/15 10:15:59.0828 3468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/15 10:16:00.0109 3468 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2011/05/15 10:16:00.0343 3468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/05/15 10:16:00.0531 3468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/05/15 10:16:00.0734 3468 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/15 10:16:00.0937 3468 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/15 10:16:01.0171 3468 ZY202_XP (bd6354de4d081de96c79bdb53f55ca82) C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys

2011/05/15 10:16:01.0375 3468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/05/15 10:16:01.0390 3468 ================================================================================

2011/05/15 10:16:01.0390 3468 Scan finished

2011/05/15 10:16:01.0390 3468 ================================================================================

2011/05/15 10:16:01.0406 2536 Detected object count: 1

2011/05/15 10:16:15.0234 2536 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/05/15 10:16:15.0234 2536 \HardDisk0 - ok

2011/05/15 10:16:15.0234 2536 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/05/15 10:16:57.0375 2916 Deinitialize success


Great. We shall move to the next step.

 

Please read through these instructions to familiarize yourself with what to expect when this tool runs

 

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

 

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

    **********************************************

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 


 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

Notes:

 

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Hi Conspire,

 

Sorry I've not replied yet I am once again away from this machine but hope to carry out the next steps tomorrow evening. I will post results asap!

 

Thanks


Hi Conspire,

 

Got this ComboFix run... ZoneAlarm somehow re-enabled halfway through, but it seemed to get to the end OK after I disabled it again.

 

Thanks

 

 

ComboFix 11-05-18.04 - Ishbel 19/05/2011 18:05:50.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.997 [GMT 1:00]

Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\David\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Ishbel\WINDOWS

c:\documents and settings\LogMeInRemoteUser\WINDOWS

c:\program files\Internet Explorer\IEXPLOREmgr.exe

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\Drivers\lvlnjonw.sys

c:\windows\system32\ps2.bat

D:\Autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))

.

.

2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro

2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe

2011-05-07 15:52 . 2011-05-19 17:17 -------- d-----w- c:\program files\ddbndqyl

2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster

2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe

2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer

2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]

2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]

2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

.

R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149]

S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys --> c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys [?]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384]

S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX

uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}

FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}

FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE

AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-19 18:17

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable

C:\ljsaqqic.exe 166256 bytes executable

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(880)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(3336)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

.

**************************************************************************

.

Completion time: 2011-05-19 18:25:40 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-19 17:25

.

Pre-Run: 51,903,340,544 bytes free

Post-Run: 51,850,108,928 bytes free

.

- - End Of File - - A5910C4D6C09B8C68A300292CB85A1C4


Hello,

 

Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

Virus Total (Recommended)

jotti.org

VirScan

 

 

Click on Browse, and upload the following files for analysis:

c:\program files\Mozilla Firefox\null0.19106781029606734.exe

c:\windows\Explorermgr.exe

 

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

 

===================================================

 

Please follow all previous instructions regarding security programs.

 

Open a new Notepad session

  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
c:\windows\pss\ljsaqqic.exe
c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys

Folder::
c:\program files\ddbndqyl

Driver::
Micorsoft Windows Service

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

[-HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

Rootkit::
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
C:\ljsaqqic.exe

 

In the notepad

  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon.

 

This will start ComboFix again. Close all browser windows first.

 

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

 


 

===================================================

 

On your next reply please post :

File scanner report

Combofix log

 

Let me know if you have any problems in performing with the steps above or any questions you may have.

 

Good Day!

Edited by Conspire

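An added example, not ComboFix's code and not something either poster wrote, showing what the indicators handled by the CFScript above look like when checked programmatically: the Winlogon Userinit value, the msconfig startupfolder records whose backups sit in c:\windows\pss, and the files catchme lists as hidden. SAMPLE_LOG is a constructed excerpt of lines from the thread's ComboFix logs; the Userinit value used is the hijacked form that the second ComboFix log later in the thread shows. Reading the HKLM\~\startupfolder keys as msconfig's disabled-item records is my assumption.

```python
"""Triage of ComboFix output for the Winlogon Userinit hijack in this thread.

Added example: not ComboFix's code and not part of any post.  SAMPLE_LOG is
a constructed excerpt assembled from lines that appear in the thread's two
ComboFix logs (catchme hidden-file list, msconfig startupfolder records,
and the Userinit value from the second log).
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
scanning hidden files ...
.
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable
C:\ljsaqqic.exe 166256 bytes executable
.
hidden files: 2
"""

# The one program Winlogon is expected to launch at logon.  The stock value is
# "c:\windows\system32\userinit.exe," (trailing comma included), which is what
# the CFScript's Registry:: block writes back.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

USERINIT_RE = re.compile(r'^"Userinit"="(.*)"\s*$', re.I | re.M)
# msconfig's records for Startup-folder items: path= is the live location,
# backup= the copy msconfig keeps under c:\windows\pss.  Assumption: the
# HKLM\~\startupfolder keys are ComboFix's abbreviation of
# HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder.
STARTUP_PATH_RE = re.compile(r"^path=(.+\.exe)\s*$", re.I | re.M)
PSS_BACKUP_RE = re.compile(r"^backup=(c:\\windows\\pss\\.+?)\s*$", re.I | re.M)
# catchme prints each file hidden from directory enumeration as
# "<path> <size> bytes executable".
HIDDEN_RE = re.compile(r"^(\S.*?) (\d+) bytes executable\s*$", re.M)


def parse_userinit(value):
    """Split a Userinit value into (userinit_present, extra_entries).

    Userinit is comma-separated and Winlogon runs every entry, so anything
    besides userinit.exe is a logon-time persistence hook.  Empty entries
    (the ",," left after a partial clean-up) carry nothing and are dropped.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    present = any(e.lower() == EXPECTED_USERINIT for e in entries)
    extras = [e for e in entries if e.lower() != EXPECTED_USERINIT]
    return present, extras


def triage(log):
    """Pull the indicators a responder acts on out of a ComboFix log."""
    report = {"userinit_present": True, "userinit_extras": [],
              "startup_exes": [], "pss_backups": [], "hidden_files": []}
    m = USERINIT_RE.search(log)
    if m:
        report["userinit_present"], report["userinit_extras"] = parse_userinit(m.group(1))
    # A bare .exe sitting in a Startup folder (rather than a .lnk) is unusual;
    # with a pss backup on disk, deleting only the live copy is not enough.
    report["startup_exes"] = STARTUP_PATH_RE.findall(log)
    report["pss_backups"] = PSS_BACKUP_RE.findall(log)
    report["hidden_files"] = [(p, int(n)) for p, n in HIDDEN_RE.findall(log)]
    return report


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The check accepts a Userinit entry only if it is exactly c:\windows\system32\userinit.exe (compared case-insensitively); the extra entry c:\program files\ddbndqyl\ljsaqqic.exe is what the Registry:: block of the CFScript strips, writing back userinit.exe followed by the default trailing comma. The same run reports the live Startup-folder copy, its pss backup and the hidden C:\ljsaqqic.exe, which is why the CFScript lists all of them rather than only the copy the user could see.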

Hello,

 

Here are the results of the virscan and combofix as requested...couldn't get either of the first two links to run so used virscan.

 

thanks

 

VirSCAN.org Scanned Report :

Scanned time : 2011/05/20 21:12:35 (BST)

Scanner results: 5% Scanner(s) (2/37) found malware!

File Name : null0.19106781029606734.exe

File Size : 100958 byte

File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : b0fa2f95250378c192b479f045e59164

SHA1 : 333ac1b30d4cd1a8ed695e7f745546d71188fe3e

Online report : http://file.virscan.org/report/6017fcf6650af3a768b4ca503a29e783.html

 

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 -

AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 -

AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 -

Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 Trojan/Win32.SpyEyes.gqv[sPY]

Arcavir 2011 201105080215 2011-05-08 0.04 -

Authentium 5.1.1 201105201654 2011-05-20 1.42 -

AVAST! 4.7.4 110520-1 2011-05-20 0.01 -

AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 -

BitDefender 7.90123.7367409 7.37525 2011-05-21 5.88 -

ClamAV 0.96.5 13097 2011-05-20 0.02 -

Comodo 4.0 8774 2011-05-20 0.08 -

CP Secure 1.3.0.5 2011.05.21 2011-05-21 3.40 -

Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.94 -

F-Prot 4.4.4.56 20110520 2011-05-20 1.41 Possible W32/Heuristic-MU2!Eldorado (damaged, not disinfectable)

F-Secure 7.02.73807 2011.05.20.05 2011-05-20 3.34 -

Fortinet 4.2.257 13.246 2011-05-20 0.08 -

GData 22.397/22.112 20110520 2011-05-20 0.08 -

ViRobot 20110520 2011.05.20 2011-05-20 0.08 -

Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 4.73 -

JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 -

Kaspersky 5.5.10 2011.05.20 2011-05-20 0.10 -

KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.09 -

McAfee 5400.1158 6340 2011-05-08 9.18 -

Microsoft 1.6903 2011.05.20 2011-05-20 0.08 -

NOD32 3.0.21 6138 2011-05-20 0.03 -

Norman 6.07.08 6.07.00 2011-05-20 14.02 -

Panda 9.05.01 2011.05.19 2011-05-19 0.16 -

Trend Micro 9.200-1012 8.168.15 2011-05-20 0.02 -

Quick Heal 11.00 2011.05.20 2011-05-20 0.12 -

Rising 20.0 23.58.04.03 2011-05-20 0.14 -

Sophos 3.19.1 4.65 2011-05-21 3.76 -

Sunbelt 3.9.2493.2 9337 2011-05-20 0.12 -

Symantec 1.3.0.24 20110519.002 2011-05-19 0.08 -

nProtect 20110519.01 3454403 2011-05-19 0.12 -

The Hacker 6.7.0.1 v00176 2011-04-18 0.20 -

VBA32 3.12.16.0 20110520.1647 2011-05-20 5.14 -

VirusBuster 5.2.0.28 13.6.365.0/52137182011-05-20 0.00 -

 

 

VirSCAN.org Scanned Report :

Scanned time : 2011/05/20 21:18:01 (BST)

Scanner results: 38% Scanner(s) (14/37) found malware!

File Name : Explorermgr.exe

File Size : 166256 byte

File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 6c1e199ccc02acaf6e962eb75acb8c98

SHA1 : 742db8306bdbc1759d73eabd7914a93f94478cc7

Online report : http://file.virscan.org/report/2222a28a8ca81c5f9e6034410daa9ea2.html

 

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.1.0.2 20110521040419 2011-05-21 0.08 -

AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 -

AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 TR/Lebag.bpc

Antiy 2.0.18 20110205.7694535 2011-02-05 0.13 -

Arcavir 2011 201105080215 2011-05-08 0.04 Trojan.Lebag.Bqq

Authentium 5.1.1 201105201654 2011-05-20 1.64 -

AVAST! 4.7.4 110520-1 2011-05-20 0.02 Win32:Dropper-gen [Drp]

AVG 8.5.850 271.1.1/3649 2011-05-20 0.25 Generic22.PDI

BitDefender 7.90123.7367409 7.37525 2011-05-21 5.92 Backdoor.Generic.634174

ClamAV 0.96.5 13097 2011-05-20 0.04 -

Comodo 4.0 8774 2011-05-20 0.08 -

CP Secure 1.3.0.5 2011.05.21 2011-05-21 0.07 -

Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 11.93 Trojan.DownLoader2.39905

F-Prot 4.4.4.56 20110520 2011-05-20 1.57 -

F-Secure 7.02.73807 2011.05.20.05 2011-05-20 0.20 Trojan.Win32.Lebag.bpc [AVP]

Fortinet 4.2.257 13.246 2011-05-20 0.08 -

GData 22.397/22.112 20110520 2011-05-20 0.08 -

ViRobot 20110520 2011.05.20 2011-05-20 0.08 -

Ikarus T3.1.32.20.0 2011.05.20.78434 2011-05-20 6.89 Trojan.Win32.Lebag

JiangMin 13.0.900 2011.05.20 2011-05-20 0.08 -

Kaspersky 5.5.10 2011.05.20 2011-05-20 0.09 Trojan.Win32.Lebag.bpc

KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 0.08 -

McAfee 5400.1158 6340 2011-05-08 9.10 PWS-Zbot.gen.cy

Microsoft 1.6903 2011.05.20 2011-05-20 0.08 -

NOD32 3.0.21 6138 2011-05-20 0.03 a variant of Win32/Injector.GAW trojan

Norman 6.07.08 6.07.00 2011-05-20 12.01 -

Panda 9.05.01 2011.05.19 2011-05-19 0.08 -

Trend Micro 9.200-1012 8.168.15 2011-05-20 0.03 TROJ_SPNR.06EJ11

Quick Heal 11.00 2011.05.20 2011-05-20 0.08 -

Rising 20.0 23.58.04.03 2011-05-20 0.08 -

Sophos 3.19.1 4.65 2011-05-21 3.54 Mal/Zbot-CJ

Sunbelt 3.9.2493.2 9337 2011-05-20 0.08 -

Symantec 1.3.0.24 20110519.002 2011-05-19 0.00 -

nProtect 20110519.01 3454403 2011-05-19 0.08 -

The Hacker 6.7.0.1 v00176 2011-04-18 0.08 -

VBA32 3.12.16.0 20110520.1647 2011-05-20 4.26 Trojan.Lebag.bqq

VirusBuster 5.2.0.28 13.6.365.0/52137182011-05-20 0.00 -

 

ComboFix 11-05-18.04 - Ishbel 20/05/2011 21:26:41.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.971 [GMT 1:00]

Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScript.txt

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

FILE ::

"c:\docume~1\Ishbel\LOCALS~1\Temp\suqkqnbo.sys"

"c:\windows\pss\ljsaqqic.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\HP_Owner\WINDOWS

c:\program files\Internet Explorer\IEXPLOREmgr.exe

c:\program files\ddbndqyl . . . . Failed to delete

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Micorsoft Windows Service

.

.

((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))

.

.

2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro

2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe

2011-05-07 15:52 . 2011-05-20 20:38 -------- d-----w- c:\program files\ddbndqyl

2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster

2011-04-23 10:47 . 2011-04-23 10:47 100958 ----a-w- c:\program files\Mozilla Firefox\null0.19106781029606734.exe

2011-04-22 10:55 . 2011-04-22 10:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer

2011-04-22 10:54 . 2011-04-22 10:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]

2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]

2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

.

R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384]

S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-07 c:\windows\Tasks\WebReg Photosmart C4100 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX

uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}

FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}

FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-20 22:01

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(880)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(712)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2011-05-20 22:12:42 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-20 21:12

ComboFix2.txt 2011-05-19 17:25

.

Pre-Run: 51,096,637,440 bytes free

Post-Run: 51,280,097,280 bytes free

.

- - End Of File - - E0F4FA02ADA3B9B9F81FC5F72251CEB5

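An added example, not VirSCAN's code and not part of any post, that parses a VirSCAN report of the form pasted above and computes the detection ratio, a naming consensus (the family token most engines agree on), and which engines scanned with signatures more than 30 days older than the newest set in the report. SAMPLE_REPORT is a constructed subset of the Explorermgr.exe report (9 of its 37 engine rows); the NOISE word list and the 30-day threshold are my choices.

```python
"""Summarise a VirSCAN.org multi-engine report of the kind pasted above.

Added example: not VirSCAN's code and not part of any post.  SAMPLE_REPORT
is a constructed excerpt of the Explorermgr.exe report (9 of its 37 engine
rows); the NOISE word list and the 30-day staleness threshold are my choices.
"""
import re
from collections import Counter
from datetime import date, timedelta

SAMPLE_REPORT = """\
Scanner results: 38% Scanner(s) (14/37) found malware!
File Name : Explorermgr.exe
File Size : 166256 byte
MD5 : 6c1e199ccc02acaf6e962eb75acb8c98
Scanner Engine Ver Sig Ver Sig Date Time Scan result
AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 0.08 -
AntiVir 8.2.4.242 7.11.8.85 2011-05-20 0.29 TR/Lebag.bpc
Antiy 2.0.18 20110205.7694535 2011-02-05 0.13 -
Arcavir 2011 201105080215 2011-05-08 0.04 Trojan.Lebag.Bqq
Kaspersky 5.5.10 2011.05.20 2011-05-20 0.09 Trojan.Win32.Lebag.bpc
McAfee 5400.1158 6340 2011-05-08 9.10 PWS-Zbot.gen.cy
NOD32 3.0.21 6138 2011-05-20 0.03 a variant of Win32/Injector.GAW trojan
Sophos 3.19.1 4.65 2011-05-21 3.54 Mal/Zbot-CJ
VirusBuster 5.2.0.28 13.6.365.0/52137182011-05-20 0.00 -
"""

# One engine row.  Scanner names may contain spaces ("AhnLab V3") and the
# signature version can run straight into the date ("...5213718" + "2011-05-20"),
# so the name is matched lazily and the date is anchored on its own shape.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S*?)\s*"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)
CLEAN = "-"  # VirSCAN's "no detection" marker

# Class words that appear in detection names but identify no family.
NOISE = {"trojan", "win32", "generic", "variant", "injector", "dropper",
         "downloader", "backdoor", "heuristic", "possible", "eldorado",
         "damaged", "disinfectable", "malware"}
FAMILY_TOKEN = re.compile(r"[A-Za-z]{4,}")


def parse_report(text):
    """Return (meta, rows): 'File Name'/'MD5'/... plus one dict per engine."""
    meta, rows = {}, []
    for line in text.splitlines():
        if " : " in line:
            key, _, val = line.partition(" : ")
            meta[key.strip()] = val.strip()
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return meta, rows


def family_votes(rows):
    """Count family-looking tokens across detections, one vote per engine."""
    votes = Counter()
    for row in rows:
        if row["result"] == CLEAN:
            continue
        tokens = {t.lower() for t in FAMILY_TOKEN.findall(row["result"])}
        votes.update(tokens - NOISE)
    return votes


def summarise(text, stale_after=timedelta(days=30)):
    """Detection ratio, per-engine names, naming consensus and stale engines."""
    meta, rows = parse_report(text)
    hits = [r for r in rows if r["result"] != CLEAN]
    votes = family_votes(rows)
    newest = max(date.fromisoformat(r["date"]) for r in rows)
    return {
        "file": meta.get("File Name"),
        "md5": meta.get("MD5"),
        "engines": len(rows),
        "detections": len(hits),
        "names": {r["scanner"]: r["result"] for r in hits},
        "family": votes.most_common(1)[0][0] if votes else None,
        # Engines whose signatures predate the newest set by more than
        # stale_after: a miss from them says little, and a lone hit from
        # them deserves a second opinion.
        "stale_engines": [r["scanner"] for r in rows
                          if newest - date.fromisoformat(r["date"]) > stale_after],
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['file']} ({s['md5']}): {s['detections']}/{s['engines']} "
          f"engines, consensus family {s['family']!r}, stale {s['stale_engines']}")
```

Applied to the full reports above, this gives 14/37 for Explorermgr.exe, with Lebag named by AntiVir, Arcavir, F-Secure, Ikarus, Kaspersky and VBA32 and Zbot by McAfee and Sophos, a consistent picture across vendors. The 2/37 for null0.19106781029606734.exe is a different case: one hit comes from an Antiy signature set dated 2011-02-05 and the other is an F-Prot heuristic flagged "damaged", so on its own that result settles little either way. Note also that the size VirSCAN reports for Explorermgr.exe, 166256 bytes, is the size catchme reported for the ljsaqqic.exe copies; the reports do not show whether the files are byte-identical.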

Hi,

 

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Hi there,

 

Scan doesn't appear to have found anything. Forgot to say I've had trouble opening the first two links of the virus file scanners you posted, and as well I couldn't access this TDSSKiller link (had to use a previous download of the program)... is this a concern?

 

Also noticed a system tray notification style box popped up yesterday saying malicious software was not completely removed... click here to resolve. I decided not to in case it was false, although the first screen of it suggested it was a Microsoft thing... wasn't convinced by it though.

 

Thanks

 

2011/05/21 18:42:14.0343 2828 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/21 18:42:15.0406 2828 ================================================================================

2011/05/21 18:42:15.0406 2828 SystemInfo:

2011/05/21 18:42:15.0406 2828

2011/05/21 18:42:15.0406 2828 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/21 18:42:15.0406 2828 Product type: Workstation

2011/05/21 18:42:15.0406 2828 ComputerName: EMMA

2011/05/21 18:42:15.0406 2828 UserName: Ishbel

2011/05/21 18:42:15.0406 2828 Windows directory: C:\WINDOWS

2011/05/21 18:42:15.0406 2828 System windows directory: C:\WINDOWS

2011/05/21 18:42:15.0406 2828 Processor architecture: Intel x86

2011/05/21 18:42:15.0406 2828 Number of processors: 1

2011/05/21 18:42:15.0406 2828 Page size: 0x1000

2011/05/21 18:42:15.0406 2828 Boot type: Normal boot

2011/05/21 18:42:15.0406 2828 ================================================================================

2011/05/21 18:42:15.0687 2828 Initialize success

2011/05/21 18:42:22.0046 2764 ================================================================================

2011/05/21 18:42:22.0046 2764 Scan started

2011/05/21 18:42:22.0046 2764 Mode: Manual;

2011/05/21 18:42:22.0046 2764 ================================================================================

2011/05/21 18:43:03.0015 2764 Scan finished

2011/05/21 18:43:03.0015 2764 ================================================================================


Hi there,

 

The trouble you had opening the links was due to the redirection problem, I suppose, and I believe we will get it sorted out soon. The TDSSKiller you used is pretty much outdated, but that's OK since you couldn't download the latest version.

 

For the meantime, try to avoid running anything other than what you know for sure, like the tools you are asked to run. You did the right thing. :tup:

 

Let me know if you have trouble downloading this one.

 

Download aswMBR.exe (511KB) to your desktop.

 

Double-click aswMBR.exe to run it.

 

Click the "Scan" button to start the scan.


 

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.


Edited by Conspire


Hi,

 

Couldn't download from link again but managed to send it via email from another machine!

 

Thanks

 

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-22 16:03:45

-----------------------------

16:03:45.109 OS Version: Windows 5.1.2600 Service Pack 3

16:03:45.109 Number of processors: 1 586 0x401

16:03:45.109 ComputerName: EMMA UserName:

16:03:46.375 Initialize success

16:04:14.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

16:04:14.515 Disk 0 Vendor: SAMSUNG_SP0802N TK200-04 Size: 76351MB BusType: 3

16:04:16.531 Disk 0 MBR read successfully

16:04:16.546 Disk 0 MBR scan

16:04:16.546 Disk 0 unknown MBR code

16:04:18.578 Disk 0 scanning sectors +156340800

16:04:18.593 Disk 0 scanning C:\WINDOWS\system32\drivers

16:04:24.515 Service scanning

16:04:25.703 Disk 0 trace - called modules:

16:04:25.718 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

16:04:25.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a58dab8]

16:04:25.781 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a571130]

16:04:25.781 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5b9d98]

16:04:25.781 Scan finished successfully

16:04:39.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\MBR.dat"

16:04:39.484 The log file has been saved successfully to "C:\Documents and Settings\Ishbel\Desktop\aswMBR.txt"


Thank you

 

Please follow all previous instructions regarding security programs.

 

Open a new Notepad session

  • Click the Start button, then click Run
  • In the Run box, type notepad
  • Click OK
  • In Notepad, click "Format" and make certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into Notepad. Do not copy the word CODE

Firefox::
FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

[-HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

Rootkit::
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
c:\program files\ddbndqyl\ljsaqqic.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
c:\windows\pss\ljsaqqic.exe

 

In the notepad

  • Click File, Save as..., and set "Save in" to your Desktop
  • In the filename box, type (including the quotation marks) as the filename: "CFScript.txt"
  • Click Save

Using your left mouse button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon as shown below.

 

This will start ComboFix again. Close all browser windows first.

 

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

 

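A defender-side check for the hijack the script above removes, added here as an example (it is not from the post, from ComboFix or from any other tool in this thread): it splits the Userinit value the way Winlogon reads it, pulls the Userinit and startupfolder entries out of a constructed excerpt of the ComboFix "Reg Loading Points" output, and renders them in the CFScript layout used in this thread. The function names, the sample excerpt and the treatment of the empty item between the double commas are my assumptions.

```python
"""Audit the Winlogon Userinit value and a ComboFix 'Reg Loading Points' excerpt.

Added example for this thread, not code from the forum post, ComboFix or any
other tool it mentions.  The log excerpt is constructed from the entries
quoted in the thread; the CFScript it emits mirrors the helper's sections.
"""
import re

# A clean Windows XP install lists only the system userinit.exe (trailing comma
# included).  Winlogon runs every non-empty, comma-separated item after logon,
# so a hijack simply appends its own path.  The double comma in the thread's
# value is an empty item; skipping it as Winlogon does is an assumption here.

def parse_userinit(value):
    """Split a Userinit value into its executables, dropping empty items."""
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]

def audit_userinit(value, system_root=r"c:\windows"):
    """Return the Userinit entries that are not the system's own userinit.exe."""
    expected = (system_root.rstrip("\\") + r"\system32\userinit.exe").lower()
    # A bare 'userinit.exe' resolves to System32 on XP, so accept it as well.
    return [e for e in parse_userinit(value) if e.lower() not in (expected, "userinit.exe")]

USERINIT_LINE = re.compile(r'^"userinit"="(?P<value>[^"]*)"', re.IGNORECASE)
STARTUPFOLDER_KEY = re.compile(r'^\[HKLM\\~\\startupfolder\\(?P<entry>[^\]]+)\]', re.IGNORECASE)

def audit_reg_loading_points(log_text):
    """Collect what a helper would script from a ComboFix 'Reg Loading Points' dump.

    Returns the unexpected Userinit entries and the msconfig-disabled
    startup-folder items (each [HKLM\\~\\startupfolder\\...] key with its
    'path=' line), in the order they appear in the log.
    """
    findings = {"userinit_extra": [], "startupfolder": []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_LINE.match(line)
        if m:
            findings["userinit_extra"].extend(audit_userinit(m.group("value")))
            continue
        m = STARTUPFOLDER_KEY.match(line)
        if m:
            current_key = m.group("entry")
            continue
        if current_key and line.lower().startswith("path="):
            findings["startupfolder"].append((current_key, line[len("path="):]))
            current_key = None
    return findings

def build_cfscript(findings, system_root=r"c:\windows"):
    """Render the findings as a CFScript in the layout used in the thread."""
    lines = ["Registry::",
             r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]",
             '"Userinit"="%s\\system32\\userinit.exe,"' % system_root, ""]
    for key, _path in findings["startupfolder"]:
        lines += ["[-HKLM\\~\\startupfolder\\%s]" % key, ""]
    files = findings["userinit_extra"] + [p for _k, p in findings["startupfolder"]]
    if files:
        lines += ["Rootkit::"] + files
    return "\n".join(lines)

# Constructed excerpt reproducing the thread's ComboFix 'Reg Loading Points' lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]
path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
backup=c:\windows\pss\ljsaqqic.exeStartup
"""

if __name__ == "__main__":
    print(build_cfscript(audit_reg_loading_points(SAMPLE_LOG)))
```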


Hi again,

 

Here are the results from the latest run of ComboFix, as requested...

 

Thanks

 

ComboFix 11-05-18.04 - Ishbel 23/05/2011 18:31:28.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.946 [GMT 1:00]

Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScriptv2.txt

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro

2011-05-07 16:09 . 2011-05-07 16:38 166256 ----a-w- c:\windows\Explorermgr.exe

2011-05-07 15:52 . 2011-05-20 20:38 -------- d-----w- c:\program files\ddbndqyl

2011-04-24 13:06 . 2011-05-19 17:12 -------- d-----w- c:\documents and settings\Administrator

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2011-04-24 11:33 . 2011-04-24 11:33 -------- d-----w- c:\program files\SpywareBlaster

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]

2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]

2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

.

R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384]

S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-22 c:\windows\Tasks\WebReg Photosmart C4100 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX

uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\

FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}

FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}

FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-23 18:42

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable

C:\ljsaqqic.exe 166256 bytes executable

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(880)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(2796)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2011-05-23 18:52:44

ComboFix-quarantined-files.txt 2011-05-23 17:52

ComboFix2.txt 2011-05-20 21:12

ComboFix3.txt 2011-05-19 17:25

.

Pre-Run: 51,856,650,240 bytes free

Post-Run: 51,864,117,248 bytes free

.

- - End Of File - - F1EA4BFB19781AC746624A6E3E39F02A


Hi, for some reason the script is not performing as I would have expected. Please make entirely sure that you named the CFscript as CFScript.txt instead of CFScriptv2.txt this time.

 

Please follow all previous instructions regarding security programs.

 

Open a new Notepad session

  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
c:\windows\Explorermgr.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

[-HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

Rootkit::
c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe
c:\program files\ddbndqyl\ljsaqqic.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe
c:\windows\pss\ljsaqqic.exe
C:\ljsaqqic.exe

 

In the notepad

  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

 

This will start ComboFix again. Close all browser/windows first.

 

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

 


Hi Conspire,

 

Ok made sure it was the right file name this time sorry about that!

 

Thanks

 

ComboFix 11-05-23.02 - Ishbel 24/05/2011 19:58:26.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.982 [GMT 1:00]

Running from: c:\documents and settings\Ishbel\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ishbel\Desktop\CFScript.txt

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

FILE ::

"c:\windows\Explorermgr.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\Explorermgr.exe

.

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\kernel32.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 )))))))))))))))))))))))))))))))

.

.

2011-05-07 17:01 . 2011-05-07 17:01 557577 ----a-r- c:\documents and settings\Ishbel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-07 17:01 . 2011-05-07 17:01 -------- d-----w- c:\program files\Trend Micro

2011-05-07 15:52 . 2011-05-24 19:06 -------- d-----w- c:\program files\ddbndqyl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

2010-08-23 14:01 2734688 ------w- c:\program files\ZoneAlarm\tbZon1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZon1.dll" [2010-08-23 2734688]

.

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]

"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 241508]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-02 98304]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1917271]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-2-21 884840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 21:47 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Ishbel^Start Menu^Programs^Startup^ljsaqqic.exe]

path=c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe

backup=c:\windows\pss\ljsaqqic.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2008-06-03 05:35 50528 -c--a-w- c:\progra~1\AOL9~1.1\aol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2008-10-09 15:07 70440 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]

2003-08-19 12:47 188868 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]

2003-06-28 15:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1223633514\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 23:04 450965 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-01-02 05:12 98304 -c----w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-01-02 05:08 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1223633514\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

.

R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 11:02 57144]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2011 20:02 63160]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/01/2011 20:02 156344]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [19/02/2008 20:24 17149]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [08/07/2007 17:42 112384]

S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-22 c:\windows\Tasks\WebReg Photosmart C4100 series.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 16:45]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://b.casalemedia.com/V2/52928/68146/index.html?XX

uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

TCP: {21000BEC-F93D-4E81-9CCA-BF6F00B866B4} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Ishbel\Application Data\Mozilla\Firefox\Profiles\n01olo1j.default\

FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: AOL Broadband Toolbar: {796503e4-19fe-48a3-82da-5c1fe0a13e3f} - %profile%\extensions\{796503e4-19fe-48a3-82da-5c1fe0a13e3f}

FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}

FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-24 20:09

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable

C:\ljsaqqic.exe 166256 bytes executable

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(880)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(2960)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ZoneLabs\vsmon.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

.

**************************************************************************

.

Completion time: 2011-05-24 20:16:27 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-24 19:16

ComboFix2.txt 2011-05-23 17:52

ComboFix3.txt 2011-05-20 21:12

ComboFix4.txt 2011-05-19 17:25

.

Pre-Run: 51,658,248,192 bytes free

Post-Run: 51,637,104,640 bytes free

.

- - End Of File - - 9EE09893BE94B16D0FC2CB02D23A3083


I'm afraid I have bad news for you. Apparently, after getting some consultation from expert views, you are infected with Ramnit, for which unfortunately there is no cure unless you do a reformat. Below is the information about Ramnit and things that you need to do to get things back in running. I'm sorry.

 

Your log shows this entry: "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe" and c:\windows\Explorermgr.exe

 

That file and the detections by avast is an indication of a serious viral infection known as Ramnit. For specific details about that file please refer to these threat assessments:

Win32/Ramnit.A / Win32/Ramnit.B are file infectors with IRCBot functionality which infect .exe and .HTML/HTM files, and open a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

 

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

 

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

 

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

 

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

 

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

 

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

• Reimaging the system

• Restoring the entire system using a full system backup from before the backdoor infection

• Reformatting and reinstalling the system

Backdoors and What They Mean to You

 

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
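The two indicators the helper relies on above (an extra program appended to the Winlogon "Userinit" value, and the same file name reported by catchme as hidden from the file system) can be pulled out of a ComboFix-style log automatically. The following is an added example written for this thread, not code from ComboFix, HijackThis or any poster; it assumes the line formats shown in the logs quoted in this thread, and that a clean 32-bit XP install lists only c:\windows\system32\userinit.exe in Userinit. The sample log is constructed from the entries quoted on this page.

```python
from __future__ import annotations

import ntpath
import re

# Constructed sample lines, modelled on the ComboFix output quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ddbndqyl\ljsaqqic.exe"

scanning hidden files ...

c:\documents and settings\Ishbel\Start Menu\Programs\Startup\ljsaqqic.exe 166256 bytes executable
C:\ljsaqqic.exe 166256 bytes executable

scan completed successfully
hidden files: 2
"""

# Assumption: on a clean 32-bit XP install the Userinit value holds only this
# program (a trailing comma is normal). Anything appended after it is launched
# by Winlogon at every logon, before the user's shell, which is why deleting the
# dropped file alone did not help the original poster.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"\s*$', re.IGNORECASE | re.MULTILINE)
HIDDEN_FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes executable\s*$", re.MULTILINE
)


def parse_userinit(log_text: str) -> list[str]:
    """Return the programs listed in the Userinit value, with empty components dropped."""
    match = USERINIT_RE.search(log_text)
    if not match:
        return []
    return [part.strip() for part in match.group("value").split(",") if part.strip()]


def userinit_findings(log_text: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Every Userinit component other than the real userinit.exe is a logon persistence hook."""
    return [entry for entry in parse_userinit(log_text) if entry.lower() != expected.lower()]


def hidden_files(log_text: str) -> list[tuple[str, int]]:
    """Parse the catchme 'hidden files' lines into (path, size_in_bytes) pairs."""
    return [(m.group("path"), int(m.group("size"))) for m in HIDDEN_FILE_RE.finditer(log_text)]


def correlate(log_text: str) -> list[str]:
    """File names that are both hooked into Userinit and hidden from the file system API.

    A persistence entry whose payload is also concealed (the NTDLL ZwQueryDirectoryFile
    modification reported in the same scan) is the combination the helper in this
    thread treats as a rootkit-class infection rather than a simple startup entry.
    """
    hooked = {ntpath.basename(p).lower() for p in userinit_findings(log_text)}
    hidden = {ntpath.basename(p).lower() for p, _size in hidden_files(log_text)}
    return sorted(hooked & hidden)


if __name__ == "__main__":
    for entry in userinit_findings(SAMPLE_LOG):
        print(f"Userinit extra component: {entry}")
    for path, size in hidden_files(SAMPLE_LOG):
        print(f"hidden executable: {path} ({size} bytes)")
    print("hooked and hidden:", correlate(SAMPLE_LOG))
```

The point of `correlate` is triage, not cleaning: when the same file name shows up as a Winlogon hook and as a file the rootkit scanner had to unhide, the registry value and the visible copies are symptoms, and the helper's conclusion that the system cannot be trusted until rebuilt follows from that.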


Hi Conspire,

 

Thanks for all your help trying to sort this one. I guess it won't do any harm to start the machine from fresh anyway...it will keep me busy for half a day!

 

Thanks again,

 

Sambora1984


Sure, I'm sorry about that. Thanks for coming back and telling me your decision. :)

This topic is now closed to further replies.