Mal/Qbot-b detected


Mal/Qbot-b detected

Unread postby kanakaboyus » July 9th, 2010, 9:08 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:18 PM, on 7/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\HP\KBD\KBD.EXE
C:\program files\common files\installshield\updateservice\issch.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'old admin')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 12689 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm
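The HijackThis log above is read by hand later in this thread. As an added example (my own code, not part of HijackThis, DDS or the forum's tooling), here is a small Python parser for lines in that format. It splits each line into its section code (R0/R1, O2, O3, O4, O20, O23 ...), pulls out the CLSID and the file path where the section carries one, and flags the kinds of entries an analyst usually checks first: registrations that point at a missing file, Run entries whose command is a bare executable name resolved through the search path at logon, and AppInit_DLLs entries. The sample log is constructed from the shape of the lines posted above; a flag marks an item to verify against the installed software, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the log posted above (not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry Run entry: "<hive>\..\Run: [name] command"
RUN_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    code: str                      # HijackThis section code, e.g. "O4"
    body: str                      # text after "<code> - "
    clsid: Optional[str] = None    # first {GUID} found on the line, if any
    path: Optional[str] = None     # executable/DLL the entry refers to, if recoverable
    flags: List[str] = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Return the program part of a Run command: quoted path, or text up to the first
    .exe/.dll/.scr/.com extension (handles unquoted paths that contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.(?:exe|dll|scr|com)\b", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()]
    return cmd.split()[0] if cmd else ""


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(code=m["code"], body=m["body"])
    c = CLSID_RE.search(entry.body)
    if c:
        entry.clsid = c.group(0)
    if entry.code == "O4":
        r = RUN_RE.match(entry.body)
        if r:
            entry.path = extract_exe(r["cmd"])
        elif " = " in entry.body:  # Startup-folder shortcut form: "X.lnk = path"
            entry.path = extract_exe(entry.body.split(" = ", 1)[1])
    elif entry.code == "O20":      # "AppInit_DLLs: <dll>"
        entry.path = entry.body.split(":", 1)[1].strip()
    elif entry.code in ("O2", "O3", "O23"):  # "... - {CLSID} - <file>" / "... - vendor - <file>"
        entry.path = entry.body.rsplit(" - ", 1)[-1].strip()
    return entry


def triage(entry: Entry) -> List[str]:
    """Heuristic flags: items to verify, not malware verdicts."""
    flags = []
    if "no file" in entry.body.lower():
        flags.append("no-file")      # registration points at a component that is gone
    elif entry.path and "\\" not in entry.path and ":" not in entry.path:
        flags.append("bare-name")    # resolved via the search path at logon; confirm which file runs
    if entry.code == "O20":
        flags.append("appinit")      # DLL loaded into every process that loads user32.dll
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = triage(e)
            entries.append(e)
    return entries


def summarize(entries: List[Entry]):
    """Return (count per section code, list of flagged entries)."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    flagged = [e for e in entries if e.flags]
    return counts, flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    section_counts, to_review = summarize(parsed)
    print("sections:", section_counts)
    for e in to_review:
        print(f"[{', '.join(e.flags)}] {e.code}: {e.path or e.body}")
```

Running it on a full log saved from HijackThis (`parse_log(open("hijackthis.log").read())`) gives a per-section count and a short review list; entries such as the `[Glide] glidew32.exe` and `RUNDLL32.EXE ...` lines above are flagged only because the log does not say which file on the search path actually runs, which is exactly what an analyst confirms next.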

Re: Mal/Qbot-b detected

Unread postby km2357 » July 12th, 2010, 2:28 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step # 1: Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Mal/Qbot-b detected

Unread postby kanakaboyus » July 12th, 2010, 9:18 pm

I successfully ran "DDS" and "Attach". However, I have problems running the GMER program. I followed the instructions and GMER ran for several hours. After it finished I clicked "OK" and the program closed and I was not able to create a log file. Am I misreading the instructions? After that I had problems running anything on the computer and I even had problems shutting it down. It finally rebooted and it seems to be okay now. I will post the DDS and Attach logs, and I will attempt to run GMER again tomorrow after I get confirmation from you of what I did wrong. How will I know that GMER has finished running? Does it normally take over three hours to run? Thank you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 13:22:54.96 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2043 [GMT -7:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\program files\common files\installshield\updateservice\issch.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tom\Desktop\dds.scr
C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CirqueGesture] c:\program files\touchpad\Gesture.exe
mRun: [Glide] glidew32.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-system: qiscjknuhutnsjjxhmvbTaskMgr = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... vc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microso ... 2556477203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 2556525015
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-9-30 111232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-9-30 38912]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-5-27 172032]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [2005-10-3 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [2005-10-3 14063]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-1-20 56992]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 SAVCleanupService;Sophos Cleanup Service;c:\program files\sophos\sophos anti-virus\SAVCleanupService.exe [2008-7-22 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2010-07-08 01:10:03 12800 --sha-w- c:\windows\system32\Thumbs.db
2010-07-05 02:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-06-11 13:49:40 1482 ----a-w- c:\docume~1\tom\applic~1\wklnhst.dat
2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-27 12:45:06 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-24 16:10:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 03:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-13 15:46:21 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2008-08-23 17:34:27 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44:32 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55:09 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40:16 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-07-03 16:38:45 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-10-25 14:56:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat
2010-01-09 13:31:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 13:23:39.45 ===============
Last edited by kanakaboyus on July 12th, 2010, 9:22 pm, edited 1 time in total.
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Attach log

Unread postby kanakaboyus » July 12th, 2010, 9:19 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/27/2008 2:42:07 PM
System Uptime: 7/12/2010 1:11:57 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 102.077 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 1.12 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP474: 4/13/2010 6:23:10 PM - System Checkpoint
RP475: 4/13/2010 7:58:14 PM - Software Distribution Service 3.0
RP476: 4/16/2010 4:48:38 PM - System Checkpoint
RP477: 4/17/2010 4:51:00 PM - System Checkpoint
RP478: 4/18/2010 5:29:24 PM - System Checkpoint
RP479: 4/19/2010 6:13:34 PM - System Checkpoint
RP480: 4/21/2010 7:26:15 PM - System Checkpoint
RP481: 4/23/2010 2:25:02 PM - System Checkpoint
RP482: 4/24/2010 9:10:26 AM - Removed Java(TM) 6 Update 12
RP483: 4/24/2010 9:10:50 AM - Installed Java(TM) 6 Update 20
RP484: 4/25/2010 10:24:17 AM - System Checkpoint
RP485: 4/26/2010 6:52:08 PM - System Checkpoint
RP486: 4/29/2010 8:17:54 PM - System Checkpoint
RP487: 5/1/2010 9:40:29 AM - System Checkpoint
RP488: 5/2/2010 10:20:37 AM - System Checkpoint
RP489: 5/3/2010 6:20:01 PM - System Checkpoint
RP490: 5/4/2010 7:15:01 PM - System Checkpoint
RP491: 5/6/2010 11:52:28 AM - System Checkpoint
RP492: 5/7/2010 12:35:37 PM - System Checkpoint
RP493: 5/8/2010 2:58:34 PM - System Checkpoint
RP494: 5/9/2010 3:13:35 PM - System Checkpoint
RP495: 5/10/2010 5:00:40 PM - System Checkpoint
RP496: 5/11/2010 5:43:14 PM - System Checkpoint
RP497: 5/12/2010 6:50:32 PM - System Checkpoint
RP498: 5/12/2010 6:58:28 PM - Software Distribution Service 3.0
RP499: 5/13/2010 7:24:42 PM - System Checkpoint
RP500: 5/15/2010 5:54:11 AM - System Checkpoint
RP501: 5/17/2010 6:41:06 PM - System Checkpoint
RP502: 5/19/2010 7:11:50 PM - System Checkpoint
RP503: 5/21/2010 6:21:17 PM - System Checkpoint
RP504: 5/22/2010 6:53:59 PM - System Checkpoint
RP505: 5/24/2010 11:48:56 AM - System Checkpoint
RP506: 5/25/2010 7:21:32 PM - Software Distribution Service 3.0
RP507: 5/27/2010 8:02:42 PM - System Checkpoint
RP508: 5/29/2010 12:45:47 PM - System Checkpoint
RP509: 5/30/2010 1:49:57 PM - System Checkpoint
RP510: 5/31/2010 2:43:07 PM - System Checkpoint
RP511: 6/1/2010 6:27:51 PM - System Checkpoint
RP512: 6/4/2010 6:04:08 PM - System Checkpoint
RP513: 6/6/2010 9:33:18 AM - System Checkpoint
RP514: 6/8/2010 7:16:26 PM - Software Distribution Service 3.0
RP515: 6/10/2010 1:26:19 PM - System Checkpoint
RP516: 6/11/2010 1:55:51 PM - System Checkpoint
RP517: 6/12/2010 3:22:28 PM - System Checkpoint
RP518: 6/13/2010 3:56:14 PM - System Checkpoint
RP519: 6/14/2010 5:51:09 PM - System Checkpoint
RP520: 6/15/2010 6:12:36 PM - System Checkpoint
RP521: 6/16/2010 7:26:55 PM - System Checkpoint
RP522: 6/17/2010 7:30:29 PM - System Checkpoint
RP523: 6/19/2010 10:04:10 AM - System Checkpoint
RP524: 6/20/2010 10:09:34 AM - System Checkpoint
RP525: 6/21/2010 7:00:37 PM - System Checkpoint
RP526: 6/22/2010 8:57:33 PM - System Checkpoint
RP527: 6/23/2010 8:07:32 PM - Software Distribution Service 3.0
RP528: 6/25/2010 6:35:00 PM - System Checkpoint
RP529: 6/26/2010 7:16:30 PM - System Checkpoint
RP530: 6/27/2010 7:35:38 PM - System Checkpoint
RP531: 6/29/2010 7:05:18 PM - System Checkpoint
RP532: 6/30/2010 7:23:49 PM - System Checkpoint
RP533: 7/1/2010 7:52:11 PM - System Checkpoint
RP534: 7/3/2010 7:27:18 AM - System Checkpoint
RP535: 7/4/2010 7:28:35 AM - System Checkpoint
RP536: 7/5/2010 8:19:51 AM - System Checkpoint
RP537: 7/6/2010 5:29:15 PM - System Checkpoint
RP538: 7/7/2010 6:55:15 PM - System Checkpoint
RP539: 7/9/2010 3:51:46 PM - System Checkpoint
RP540: 7/10/2010 4:21:20 PM - System Checkpoint
RP541: 7/11/2010 5:16:20 PM - System Checkpoint

==== Installed Programs ======================


2600_Help
2600Trb
2700
5 Card Slingo from HP Media Center (remove only)
AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Agere Systems PCI-SV92PP Soft Modem
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian Director
Applian FLV Player
Ask & Record Toolbar 4.00
Ask & Record Toolbar 4.01
Ask Toolbar
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
AutoUpdate
Barnyard Invasion from HP Media Center (remove only)
Bejeweled 2 Deluxe from HP Media Center (remove only)
Belarc Advisor 8.1
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Boggle Supreme from HP Media Center (remove only)
Bonjour
Bookworm Deluxe from HP Media Center (remove only)
Bounce Symphony from HP Media Center (remove only)
BufferChm
Call of Duty(R) 4 - Modern Warfare(TM)
CameraDrivers
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Chuzzle Deluxe from HP Media Center (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Crystal Maze from HP Media Center (remove only)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DISCover
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
DocProc
DocumentViewer
DocumentViewerQFolder
Ease Video Joiner 1.00
Easy Internet Sign-up
Emicsoft FLV Converter
Family Feud
FATE from HP Media Center (remove only)
Fax
Fax_CDA
Free Photo Viewer
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
GemMaster Mystic
GlidePoint Touchpad
Google Chrome
Google Toolbar for Internet Explorer
H.264 Decoder
Handbrake 0.9.4
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP Photosmart Essential 3.5
HP Product Assistant
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HpSdpAppCoreApp
Insaniquarium Deluxe from HP Media Center (remove only)
InstantShareDevices
InterVideo WinDVD Player
iTunes
Lemonade Tycoon 2 from HP Media Center (remove only)
Lexibox Deluxe from HP Media Center (remove only)
LightScribe 1.4.52.1
Mah Jong Quest from HP Media Center (remove only)
Malwarebytes' Anti-Malware
MalwareRemovalBot
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Away Mode
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
Microsoft XML Parser
MKV Splitter
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Naturpic Video Converter 1.40
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenOffice.org Installer 1.0
Opera 9.52
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
ProductContext
PS2
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2010
QuickTime
RandMap
Readme
RealPlayer
Realtek AC'97 Audio
Recuva (remove only)
Remove IntelliMover Demo
Replay Converter 3
Ricochet Lost Worlds from HP Media Center (remove only)
Scan
ScannerCopy
SCRABBLE from HP Media Center (remove only)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Sherlock Holmes Nemesis
Shooting Stars Pool from HP Media Center (remove only)
Shrek 2 Ogre Bowler from HP Media Center (remove only)
SkinsHP1
Slingo Deluxe from HP Media Center (remove only)
Snowboard SuperJam from HP Media Center (remove only)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy
SpywareBlaster 4.3
Status
Super Granny from HP Media Center (remove only)
Tradewinds from HP Media Center (remove only)
TrayApp
TurboTax 2008
TurboTax 2008 wcaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinFF 1.1
WinPatrol 2009
WinRAR archiver
Xvid 1.1.3 final uninstall
Zuma Deluxe from HP Media Center (remove only)

==== Event Viewer Messages From Past Week ========

7/5/2010 9:12:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2 iaStor IntelIde ViaIde
7/5/2010 9:12:33 AM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).
7/5/2010 7:13:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
7/11/2010 3:30:16 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.2 with the system having network hardware address 60:FB:42:3E:4A:A2. Network operations on this system may be disrupted as a result.
7/11/2010 3:29:54 AM, error: Dhcp [1002] - The IP address lease 192.168.0.6 for the Network Card with network address 0015F2B4994B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Unread postby km2357 » July 13th, 2010, 2:49 pm

However, I have problems running the GMER program. I followed the instructions and GMER ran for several hours. After it finished I clicked "OK" and the program closed and I was not able to create a log file. Am I misreading the instructions? After that I had problems running anything on the computer and I even had problems shutting it down. It finally rebooted and it seems to be okay now. I will post the DDS and Attach logs, and I will attempt to run GMER again tomorrow after I get confirmation from you of what I did wrong. How will I know that GMER has finished running? Does it normally take over three hours to run? Thank you


It sounds like you followed the instructions just fine. Was GMER the only thing running at the time? Did you have any open windows/other programs running when GMER was doing its scan? If you did, try running GMER again and have it be the only thing running during its scan and don't touch the computer at all while GMER is doing its scan.

GMER usually takes a few hours to do a scan depending on how much stuff is on the Hard Drive it is scanning. The more on the Hard Drive, the longer the scan. GMER should automatically produce a log once it's done scanning and you click OK.

Try running GMER again and if you get the same result (i.e. no log), I'll have you try a different rootkit scanner.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Mal/Qbot-b detected

Unread postby kanakaboyus » July 13th, 2010, 4:16 pm

GMER was the only program running. However, my screensaver was still active, and probably my Sophos virus program might have updated itself during the process. Should I shut down the screensaver and the Sophos program before running GMER? How will I know when GMER is finished and a log has been produced? Is there a distinctive screen that will appear, or will I just no longer see the name/location of the files being scanned at the bottom of the GMER screen?
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Unread postby km2357 » July 13th, 2010, 7:36 pm

However, my screensaver was still active, and probably my Sophos virus program might have updated itself during the process. Should I shut down the screensaver and the Sophos program before running GMER?


Go ahead and shut down your screensaver and disable Sophos before running GMER. Since you'll be disabling your AntiVirus, go ahead and disconnect your computer from the Internet while you run GMER. Once you're done with GMER, you can re-enable Sophos and your screensaver and connect back to the Internet so that you can post the GMER log.

How will I know when GMER is finished and a log has been produced? Is there a distinctive screen that will appear, or will I just no longer see the name/location of the files being scanned at the bottom of the GMER screen?


When GMER is finished with its scan, a new Notepad window should pop up with the GMER log in it. The top of the log will say something like:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan [date and time of rootkit scan]
[Your version of Windows including Service Pack #]

It's possible that any malware your computer may have could be interfering with GMER and that's why you're not getting a log from it.

As I said last time, if you don't get a log from GMER when you do its scan again, we'll move on to another rootkit scanner. :)
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Mal/Qbot-b detected

Unread postby kanakaboyus » July 15th, 2010, 10:20 pm

I still cannot successfully run the GMER program. I guess I'll have to try an alternate method. Thanks for your patience!
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Unread postby km2357 » July 16th, 2010, 2:53 pm

Ok, no problems. We'll try an alternate rootkit scanner. :)


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
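When a SysProt log comes back, a helper reads it for a few things first: entries SysProt marked Hidden, images loaded from user-writable folders, and Windows system binaries running from the wrong place. As an added example (not SysProt's or the forum's code), the Python script below parses the log layout posted in this thread and lists those entries; its embedded sample log is constructed, with most paths taken from the posted log and a hidden svchost.exe in Temp invented to exercise the rules.

```python
"""Triage helper for SysProt AntiRootkit logs (added example, not SysProt's own code).
Parses the Process and Kernel Modules sections of the plain-text log SysProt writes
and lists what a helper reads first. A flag is a prompt to look closer, not a verdict:
chrome.exe under Local Settings and SysProt's own driver on the Desktop are legitimate."""
from dataclasses import dataclass

# Constructed sample in the SysProt layout. The hidden svchost.exe in Temp is
# invented to exercise the rules; the other entries mirror paths from the posted log.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************

Process:
Name: C:\WINDOWS\system32\svchost.exe
PID: 904
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PID: 2672
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Tom\Local Settings\Temp\svchost.exe
PID: 3100
Hidden: Yes
Window Visible: No

******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Tom\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Hidden: No
"""

USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\users\\")
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Entry:
    section: str   # "Process" or "Kernel Modules"
    fields: dict   # e.g. {"Name": ..., "PID": ..., "Hidden": ...}

    @property
    def path(self):
        return self.fields.get("Name") or self.fields.get("Module Name") or ""


def parse_sysprot(text):
    """Split a SysProt log into Entry records, one per blank-line-delimited block."""
    entries, current, section = [], {}, None

    def flush():
        nonlocal current
        if current and section:
            entries.append(Entry(section, current))
        current = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("****"):
            flush()
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            flush()                 # "Process:" / "Kernel Modules:" header
            section = line[:-1]
            continue
        if section is None:
            continue                # banner lines before the first section
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    flush()
    return entries


def triage(entries):
    """Return (rule, section, path) tuples for entries that deserve a closer look."""
    findings = []
    for e in entries:
        low, base = e.path.lower(), e.path.lower().rsplit("\\", 1)[-1]
        if e.fields.get("Hidden", "No").lower() != "no":
            findings.append(("hidden", e.section, e.path))
        if any(marker in low for marker in USER_WRITABLE):
            findings.append(("user-writable path", e.section, e.path))
        if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            findings.append(("system binary outside Windows", e.section, e.path))
    return findings


if __name__ == "__main__":
    for rule, section, path in triage(parse_sysprot(SAMPLE_LOG)):
        print(f"[{section}] {rule}: {path}")
```

To run it against a real log, read the saved SysProt text file and pass its contents to parse_sysprot instead of SAMPLE_LOG.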

Re: Mal/Qbot-b detected

Unread postby kanakaboyus » July 18th, 2010, 6:27 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 540
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 608
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 688
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 860
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 904
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1032
Hidden: No
Window Visible: No

Name: C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PID: 1076
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1400
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1444
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1684
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PID: 1716
Hidden: No
Window Visible: No

Name: C:\WINDOWS\arservice.exe
PID: 1736
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1796
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 1820
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 1908
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PID: 1972
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 256
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 432
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
PID: 456
Hidden: No
Window Visible: No

Name: C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PID: 492
Hidden: No
Window Visible: No

Name: C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PID: 556
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\CAL\CALMAIN.exe
PID: 1876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 2076
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehtray.exe
PID: 3452
Hidden: No
Window Visible: No

Name: C:\WINDOWS\arpwrmsg.exe
PID: 3532
Hidden: No
Window Visible: No

Name: C:\Program Files\DISC\DISCover.exe
PID: 388
Hidden: No
Window Visible: No

Name: C:\Program Files\DISC\DISCUpdateMgr.exe
PID: 1764
Hidden: No
Window Visible: No

Name: C:\Program Files\Touchpad\Gesture.exe
PID: 3588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\glidew32.exe
PID: 3596
Hidden: No
Window Visible: No

Name: C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PID: 3616
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 2396
Hidden: No
Window Visible: No

Name: C:\hp\KBD\kbd.exe
PID: 3644
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 3256
Hidden: No
Window Visible: No

Name: C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
PID: 2248
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3676
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehmsas.exe
PID: 3816
Hidden: No
Window Visible: No

Name: C:\Program Files\DISC\DiscGui.exe
PID: 3912
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 4048
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 892
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 2164
Hidden: No
Window Visible: No

Name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\DISC\DiscStreamHub.exe
PID: 2020
Hidden: No
Window Visible: No

Name: C:\Program Files\Sophos\AutoUpdate\ALMon.exe
PID: 2472
Hidden: No
Window Visible: No

Name: C:\Program Files\Palm\Hotsync.exe
PID: 2644
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 2144
Hidden: No
Window Visible: No

Name: C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
PID: 2664
Hidden: No
Window Visible: Yes

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2624
Hidden: No
Window Visible: No

Name: C:\WINDOWS\Alcxmntr.exe
PID: 3668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system\hpsysdrv.exe
PID: 188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 3276
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\HP Software Update\hpwuschd2.exe
PID: 2460
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Tom\Desktop\SysProt\SysProt.exe
PID: 1856
Hidden: No
Window Visible: Yes

Name: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PID: 2672
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PID: 1600
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Tom\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B2C80000
Module End: B2C8B000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: B85A8000
Module End: B85AA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: B84B8000
Module End: B84BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B7F79000
Module End: B7FA7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: B85AA000
Module End: B85AC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B7F68000
Module End: B7F79000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: B80A8000
Module End: B80B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: B80B8000
Module End: B80C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: B80C8000
Module End: B80D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: B8670000
Module End: B8671000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: B8328000
Module End: B832F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: B85AC000
Module End: B85AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: B85AE000
Module End: B85B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: B80D8000
Module End: B80E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B7F49000
Module End: B7F68000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: B85B0000
Module End: B85B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B7F23000
Module End: B7F49000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: B8330000
Module End: B8335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: B80E8000
Module End: B80F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\iaStor.sys
Service Name: iaStor
Module Base: B7E4E000
Module End: B7F23000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B7E36000
Module End: B7E4E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: B80F8000
Module End: B8101000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: B8108000
Module End: B8115000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: B7E16000
Module End: B7E36000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B7E04000
Module End: B7E16000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: B8118000
Module End: B8121000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B7DED000
Module End: B7E04000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B7D60000
Module End: B7DED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B7D33000
Module End: B7D60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B7D19000
Module End: B7D33000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: B8218000
Module End: B8226000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\aracpi.sys
Service Name: aracpi
Module Base: B8490000
Module End: B8496000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B6C2F000
Module End: B7395000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B6C1B000
Module End: B6C2F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B6BF3000
Module End: B6C1B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: B8498000
Module End: B849D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B6BCF000
Module End: B6BF3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: B84A0000
Module End: B84A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: B8228000
Module End: B8233000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: B8238000
Module End: B8248000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: B8248000
Module End: B8257000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B6BAC000
Module End: B6BCF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: B84A8000
Module End: B84AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
Service Name: RTL8023xp
Module Base: B6B99000
Module End: B6BAC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: B8258000
Module End: B8268000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: B6A8D000
Module End: B6B99000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: B84B0000
Module End: B84B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: B6713000
Module End: B6A8D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B66EF000
Module End: B6713000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: B8268000
Module End: B8277000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: B66DB000
Module End: B66EF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: B8278000
Module End: B8285000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\gpmoups2.sys
Service Name: gpmoups2
Module Base: B7CD9000
Module End: B7CDD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\glidesvc.sys
Service Name: glidesvc
Module Base: B8288000
Module End: B8292000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: B8340000
Module End: B8346000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
Service Name: armoucfltr
Module Base: B85F0000
Module End: B85F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\PS2.sys
Service Name: ---
Module Base: B8370000
Module End: B8375000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: B8378000
Module End: B837E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
Service Name: arkbcfltr
Module Base: B85F2000
Module End: B85F4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arpolicy.sys
Service Name: ARPolicy
Module Base: B7CD5000
Module End: B7CD8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: B86D9000
Module End: B86DA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: B8298000
Module End: B82A5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: B7CD1000
Module End: B7CD4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B66C4000
Module End: B66DB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B82A8000
Module End: B82B3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B82B8000
Module End: B82C4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: B8380000
Module End: B8385000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B66B3000
Module End: B66C4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B82C8000
Module End: B82D1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: B8388000
Module End: B838D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: B8390000
Module End: B8395000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B6683000
Module End: B66B3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B82D8000
Module End: B82E2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: B85F4000
Module End: B85F6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B6625000
Module End: B6683000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B73A1000
Module End: B73A5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: B775F000
Module End: B7769000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\nvhda32.sys
Service Name: NVHDA
Module Base: B773F000
Module End: B774C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B772F000
Module End: B773E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: B860A000
Module End: B860C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
Service Name: SAVOnAccessFilter
Module Base: B770F000
Module End: B7719000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
Service Name: SAVOnAccessControl
Module Base: B4486000
Module End: B44A2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: B860C000
Module End: B860E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: B86DB000
Module End: B86DC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: B860E000
Module End: B8610000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: B83B8000
Module End: B83BE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: B8610000
Module End: B8612000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: B8612000
Module End: B8614000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: B83C0000
Module End: B83C5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: B83C8000
Module End: B83D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B8598000
Module End: B859B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B442B000
Module End: B443E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B43D2000
Module End: B442B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B43AA000
Module End: B43D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B4384000
Module End: B43AA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: B76FF000
Module End: B7708000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B4362000
Module End: B4384000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: B76EF000
Module End: B76F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: B76CF000
Module End: B76DE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B4297000
Module End: B42C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B4227000
Module End: B4297000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: B8158000
Module End: B8163000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: usbstor
Module Base: B83D0000
Module End: B83D7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\BANTExt.sys
Service Name: BANTExt
Module Base: B8761000
Module End: B8762000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B41DB000
Module End: B41FF000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B41C3000
Module End: B41DB000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B863C000
Module End: B863E000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: B445A000
Module End: B445D000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: B83F0000
Module End: B83F5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: B86B3000
Module End: B86B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B3D53000
Module End: B3D57000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B3B0E000
Module End: B3B3B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B3AA9000
Module End: B3ABE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B3CB3000
Module End: B3CC2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Service Name: atksgt
Module Base: B3978000
Module End: B39BB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B3937000
Module End: B3978000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B37C8000
Module End: B381F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Service Name: lirsgt
Module Base: B8400000
Module End: B8405000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: B42F2000
Module End: B4302000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\usbaapl.sys
Service Name: USBAAPL
Module Base: B36A8000
Module End: B36B6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B1DE5000
Module End: B1E10000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: B4492FBE
Driver Base: B4486000
Driver End: B44A2000
Driver Name: \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys

Function Name: ZwDeleteKey
Address: B4493114
Driver Base: B4486000
Driver End: B44A2000
Driver Name: \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys

Function Name: ZwSetValueKey
Address: B449317A
Driver Base: B4486000
Driver End: B44A2000
Driver Name: \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\HP_Administrator\Favorites\XVN:Sample Movie site. Monthly service.url
Status: Hidden

Object: C:\Documents and Settings\Tom\Favorites\INRAN??~??Nina?????~ ????·?????·??·???? Photo Galley Page.url
Status: Hidden

Object: C:\Documents and Settings\Tom\Favorites\????????-???? ??????? ???? ????? SKSS-17.url
Status: Hidden

Object: C:\Documents and Settings\Tom\Favorites\??|???????????????????? ????.com - Home.url
Status: Hidden

Object: C:\Documents and Settings\Tom\Favorites\????·??(??·??)???|MARCIA ?????.url
Status: Hidden
kanakaboyus
Regular Member
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Post by km2357 » July 18th, 2010, 10:58 pm

Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident


Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield)
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Mal/Qbot-b detected

Post by kanakaboyus » July 19th, 2010, 8:55 pm

ComboFix 10-07-19.01 - Tom 07/19/2010 17:08:06.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2248 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Local Settings\temp\IadHide5.dll
c:\documents and settings\Tom\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\system32\ps2.bat
c:\windows\system32\Thumbs.db
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-14 23:00 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-05 02:27 . 2010-07-05 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 20:56 . 2009-09-07 01:57 -------- d-----w- c:\documents and settings\Tom\Application Data\HpUpdate
2010-07-11 01:56 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2010-07-11 01:56 . 2005-11-22 14:50 -------- d-----w- c:\program files\Common Files\Java
2010-07-07 01:24 . 2009-05-22 07:50 -------- d-----w- c:\documents and settings\Tom\Application Data\Inikq
2010-07-05 15:51 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-05 14:36 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2010-07-05 02:28 . 2008-03-28 02:22 -------- d-----w- c:\program files\iTunes
2010-07-05 02:27 . 2008-03-28 02:22 -------- d-----w- c:\program files\iPod
2010-07-05 02:27 . 2008-03-28 02:18 -------- d-----w- c:\program files\Common Files\Apple
2010-07-05 02:25 . 2008-03-28 02:20 -------- d-----w- c:\program files\QuickTime
2010-07-05 02:21 . 2008-03-28 02:21 -------- d-----w- c:\program files\Bonjour
2010-07-05 02:14 . 2010-07-05 02:14 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-25 02:13 . 2009-07-09 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 14:31 . 2004-08-10 12:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 13:49 . 2008-09-28 14:15 1482 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2010-05-24 18:01 . 2010-05-24 15:14 5 ----a-w- c:\windows\system32\SySvj.dat
2010-05-24 16:16 . 2010-05-24 16:16 503808 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\msvcp71.dll
2010-05-24 16:16 . 2010-05-24 16:16 499712 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\jmc.dll
2010-05-24 16:16 . 2010-05-24 16:16 348160 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\msvcr71.dll
2010-05-24 16:16 . 2010-05-24 16:16 61440 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4d2b8425-n\decora-sse.dll
2010-05-24 16:16 . 2010-05-24 16:16 12800 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4d2b8425-n\decora-d3d.dll
2010-05-24 15:14 . 2010-05-24 15:14 -------- d-----w- c:\program files\ezvideotools
2010-05-22 22:36 . 2010-05-22 20:38 -------- d-----w- c:\program files\Replay Converter 3
2010-05-22 21:01 . 2010-01-21 01:21 -------- d-----w- c:\program files\Ask.com
2010-05-22 20:40 . 2010-05-22 20:40 -------- d-----w- c:\program files\Applian Director
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-07-09 14:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-07-09 14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 12:45 . 2008-11-28 15:20 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-24 16:10 . 2010-04-24 16:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-13 15:46 . 2009-06-13 15:45 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"Google Update"="c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"Glide"="glidew32.exe" [2005-10-03 81920]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-08-09 81920]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"qiscjknuhutnsjjxhmvbTaskMgr"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 111232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38912]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 4:22 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/20/2010 6:10 PM 56992]
S4 SAVCleanupService;Sophos Cleanup Service;c:\program files\Sophos\Sophos Anti-Virus\SAVCleanupService.exe [7/22/2008 11:48 AM 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2010-07-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2010-07-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Recuva - k:\recuva\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 17:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\system32\glidew32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-19 17:21:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 00:21
ComboFix2.txt 2009-07-10 23:50

Pre-Run: 107,820,027,904 bytes free
Post-Run: 108,018,843,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F5E89362F40E57BFA5C80E2925EB1349
kanakaboyus
Regular Member
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Post by km2357 » July 20th, 2010, 2:43 pm

Step # 1: Add/Remove Programs

Go to Start -> Settings -> Control Panel and click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

Ask Toolbar

Reboot your Computer.


Step # 2: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    DDS::
    
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    
    DirLook::
    
    c:\documents and settings\Tom\Application Data\Inikq
    
    Registry::
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "qiscjknuhutnsjjxhmvbTaskMgr"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image

    Note: This CFScript is for use on kanakaboyus's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 2 has been completed.
2. A fresh DDS Log taken after Step 2 has been completed.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Mal/Qbot-b detected

Post by kanakaboyus » July 20th, 2010, 9:47 pm

ComboFix 10-07-19.01 - Tom 07/20/2010 18:26:28.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2262 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-14 23:00 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-05 02:27 . 2010-07-05 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 01:09 . 2010-01-21 01:21 -------- d-----w- c:\program files\Ask.com
2010-07-18 20:56 . 2009-09-07 01:57 -------- d-----w- c:\documents and settings\Tom\Application Data\HpUpdate
2010-07-11 01:56 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2010-07-11 01:56 . 2005-11-22 14:50 -------- d-----w- c:\program files\Common Files\Java
2010-07-07 01:24 . 2009-05-22 07:50 -------- d-----w- c:\documents and settings\Tom\Application Data\Inikq
2010-07-05 15:51 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-05 14:36 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2010-07-05 02:28 . 2008-03-28 02:22 -------- d-----w- c:\program files\iTunes
2010-07-05 02:27 . 2008-03-28 02:22 -------- d-----w- c:\program files\iPod
2010-07-05 02:27 . 2008-03-28 02:18 -------- d-----w- c:\program files\Common Files\Apple
2010-07-05 02:25 . 2008-03-28 02:20 -------- d-----w- c:\program files\QuickTime
2010-07-05 02:21 . 2008-03-28 02:21 -------- d-----w- c:\program files\Bonjour
2010-07-05 02:14 . 2010-07-05 02:14 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-25 02:13 . 2009-07-09 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 14:31 . 2004-08-10 12:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 13:49 . 2008-09-28 14:15 1482 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2010-05-24 18:01 . 2010-05-24 15:14 5 ----a-w- c:\windows\system32\SySvj.dat
2010-05-24 16:16 . 2010-05-24 16:16 503808 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\msvcp71.dll
2010-05-24 16:16 . 2010-05-24 16:16 499712 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\jmc.dll
2010-05-24 16:16 . 2010-05-24 16:16 348160 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53875f5c-n\msvcr71.dll
2010-05-24 16:16 . 2010-05-24 16:16 61440 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4d2b8425-n\decora-sse.dll
2010-05-24 16:16 . 2010-05-24 16:16 12800 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4d2b8425-n\decora-d3d.dll
2010-05-24 15:14 . 2010-05-24 15:14 -------- d-----w- c:\program files\ezvideotools
2010-05-22 22:36 . 2010-05-22 20:38 -------- d-----w- c:\program files\Replay Converter 3
2010-05-22 20:40 . 2010-05-22 20:40 -------- d-----w- c:\program files\Applian Director
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-07-09 14:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-07-09 14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 12:45 . 2008-11-28 15:20 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-24 16:10 . 2010-04-24 16:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-13 15:46 . 2009-06-13 15:45 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Tom\Application Data\Inikq ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"Google Update"="c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-01 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"Glide"="glidew32.exe" [2005-10-03 81920]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-08-09 81920]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 111232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38912]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 4:22 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/20/2010 6:10 PM 56992]
S4 SAVCleanupService;Sophos Cleanup Service;c:\program files\Sophos\Sophos Anti-Virus\SAVCleanupService.exe [7/22/2008 11:48 AM 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2010-07-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1496)
c:\windows\system32\WININET.dll
c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\system32\glidew32.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-20 18:39:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 01:39
ComboFix2.txt 2010-07-20 00:21
ComboFix3.txt 2009-07-10 23:50

Pre-Run: 107,868,246,016 bytes free
Post-Run: 107,857,674,240 bytes free

- - End Of File - - 50224F78D93211674C7778FA87C43F1C
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Mal/Qbot-b detected

Unread postby kanakaboyus » July 20th, 2010, 9:48 pm

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 18:42:32.17 on Tue 07/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2221 [GMT -7:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\program files\common files\installshield\updateservice\issch.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CirqueGesture] c:\program files\touchpad\Gesture.exe
mRun: [Glide] glidew32.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... vc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microso ... 2556477203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 2556525015
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-9-30 111232]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-9-30 38912]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-5-27 172032]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [2005-10-3 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [2005-10-3 14063]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-1-20 56992]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 SAVCleanupService;Sophos Cleanup Service;c:\program files\sophos\sophos anti-virus\SAVCleanupService.exe [2008-7-22 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2010-07-20 00:06:33 0 d-sha-r- C:\cmdcons
2010-07-20 00:02:04 77312 ----a-w- c:\windows\MBR.exe
2010-07-20 00:02:03 98816 ----a-w- c:\windows\sed.exe
2010-07-20 00:02:03 256512 ----a-w- c:\windows\PEV.exe
2010-07-20 00:02:03 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 23:00:30 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-05 02:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-06-11 13:49:40 1482 ----a-w- c:\docume~1\tom\applic~1\wklnhst.dat
2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-27 12:45:06 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-24 16:10:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-13 15:46:21 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2008-08-23 17:34:27 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44:32 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55:09 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40:16 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-07-03 16:38:45 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-10-25 14:56:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 18:42:40.76 ===============
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm