Possible Rootkit Virus 32TDDS Infection?
Can you post all combofix text -
ComboFix-quarantined-files.txt 2010-05-02 08:36
ComboFix2.txt 2010-03-10 21:42
It will be interesting to see what the first run quarantined.
Reluctant_spender wrote: »Can you post all combofix text -
ComboFix-quarantined-files.txt 2010-05-02 08:36
ComboFix2.txt 2010-03-10 21:42
It will be interesting to see what the first run quarantined.
Here is the first (3/5/10) Combofix log:
ComboFix 10-03-10.02 - Deborah 10/03/2010 21:33:16.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.858 [GMT 0:00]
Running from: c:\users\Deborah\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-3920910989-2757540604-3831163897-500
.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.
2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\users\Mark\AppData\Local\temp
2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\users\Joel\AppData\Local\temp
2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\users\Ewan\AppData\Local\temp
2010-03-10 21:40 . 2010-03-10 21:40 -------- d-----w- c:\users\Alec\AppData\Local\temp
2010-03-10 11:03 . 2010-03-10 11:03 -------- d-----w- c:\users\Deborah\AppData\Roaming\Malwarebytes
2010-03-10 11:03 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-10 11:03 . 2010-03-10 11:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 11:03 . 2010-03-10 11:03 -------- d-----w- c:\programdata\Malwarebytes
2010-03-10 11:03 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 19:34 . 2010-03-10 21:21 -------- d-----w- C:\kl.files
2010-03-09 13:53 . 2010-03-09 19:11 -------- d-----w- c:\programdata\Roxio
2010-03-09 13:53 . 2010-03-09 13:53 -------- d-----w- c:\users\Deborah\AppData\Roaming\Roxio
2010-03-09 12:44 . 2010-03-09 12:44 -------- d-----w- c:\program files\Enigma Software Group
2010-03-09 11:58 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\99895652.sys
2010-03-09 11:58 . 2009-10-09 22:31 311312 ----a-w- c:\windows\system32\drivers\9989565.sys
2010-03-09 11:58 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\99895651.sys
2010-03-09 10:11 . 2010-03-09 11:58 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-09 10:00 . 2010-03-09 10:00 -------- d-----w- c:\program files\QuickTime
2010-03-09 10:00 . 2010-03-09 10:00 -------- d-----w- c:\programdata\Apple Computer
2010-03-08 17:17 . 2010-03-08 17:17 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-02-23 21:06 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 21:06 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 21:06 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 21:06 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 21:06 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 21:06 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 21:06 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 21:06 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 21:06 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 21:06 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-17 10:02 . 2009-12-08 20:36 3600472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-17 10:02 . 2009-12-08 20:36 3548760 ----a-w- c:\windows\system32\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 23:57 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-25 18:23 . 2009-04-19 09:07 408 ----a-w- c:\users\Deborah\AppData\Roaming\wklnhst.dat
2010-02-25 17:15 . 2009-04-23 16:22 71904 ----a-w- c:\users\Ewan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 22:28 . 2009-05-09 10:26 71904 ----a-w- c:\users\Alec\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 17:41 . 2009-04-17 17:25 71904 ----a-w- c:\users\Deborah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-04 11:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 22:32 . 2009-04-27 20:02 71904 ----a-w- c:\users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-11 21:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-09 18:29 . 2009-04-21 14:36 71336 ----a-w- c:\users\Joel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-08 22:56 . 2009-03-31 18:56 -------- d-----w- c:\programdata\Microsoft Help
2010-01-21 17:38 . 2009-03-31 18:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 10:15 . 2010-01-16 13:43 -------- d-----w- c:\program files\Canon
2010-01-16 17:25 . 2010-01-16 17:25 -------- d--h--w- c:\programdata\CanonIJEGV
2010-01-16 13:49 . 2010-01-16 13:49 -------- d-----w- c:\program files\Common Files\CANON
2010-01-16 13:46 . 2010-01-16 13:46 -------- d--h--w- c:\programdata\CanonBJ
2010-01-16 13:44 . 2010-01-16 13:44 -------- d--h--w- c:\program files\CanonBJ
2010-01-02 06:38 . 2010-01-22 17:02 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 17:02 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 17:02 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 17:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:35 . 2010-02-11 06:56 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-11 06:56 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-11 06:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-11 06:56 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-11 06:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-11 06:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-11 06:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-11 06:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-11 06:56 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28 . 2010-02-11 06:56 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-11 12:07 . 2010-02-11 06:56 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:07 . 2010-02-11 06:56 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-01 02:42 . 2009-04-01 02:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
Sigcheck
[-] 2010-03-09 23:57 . 12AC52A3321CEAC1BF524D38F9C75B87 . 21560 . . . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[7] 2009-04-01 . 0D83C87A801A3DFCD1BF73893FE7518C . 21560 . . [6.0.6001.18034] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[7] 2008-01-21 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 14:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
c:\users\Alec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\Ewan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\Joel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\Deborah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2007-12-6 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-31 18:28 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
R3 RTL8187B;TG123g USB Wireless Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-18 281088]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2008-01-21 19968]
S0 99895652;99895652 Boot Guard Driver;c:\windows\system32\DRIVERS\99895652.sys [2009-10-22 37392]
S1 99895651;99895651;c:\windows\system32\DRIVERS\99895651.sys [2009-09-25 128016]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-03-10 c:\windows\Tasks\User_Feed_Synchronization-{E77647F2-50D5-4DF7-8F0E-0B913CE6854C}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
2009-06-08 c:\windows\Tasks\WebReg psc 1400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-10 20:36]
.
.
Supplementary Scan
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Deborah\AppData\Roaming\Mozilla\Firefox\Profiles\dtaq0x7f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.foxstart.com/?rls=en:uk:m
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 21:41
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3920910989-2757540604-3831163897-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:f6,05,3f,d3,5d,53,af,00
DUMPHIVE0.003 (REGF)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(3652)
c:\program files\Microsoft Office\Office10\MLSHEXT.DLL
.
Completion time: 2010-03-10 21:42:59
ComboFix-quarantined-files.txt 2010-03-10 21:42
Pre-Run: 227,114,713,088 bytes free
Post-Run: 227,457,331,200 bytes free
- - End Of File - - 902976073380AC6F43B38DBE25F976CB
No free lunch, and no free laptop
And here is the one from yesterday:
ComboFix 10-05-01.04 - Deborah 02/05/2010 9:27.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.1212 [GMT 1:00]
Running from: c:\users\Deborah\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Mark\AppData\Local\temp
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Joel\AppData\Local\temp
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Ewan\AppData\Local\temp
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-02 08:35 . 2010-05-02 08:35 -------- d-----w- c:\users\Alec\AppData\Local\temp
2010-05-01 22:21 . 2010-05-01 22:21 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-01 21:05 . 2010-05-01 21:05 -------- d-----w- c:\windows\system32\x64
2010-05-01 21:05 . 2008-02-11 19:13 920088 ----a-w- c:\windows\system32\igxpun.exe
2010-05-01 21:05 . 2006-11-10 15:25 319456 ----a-w- c:\windows\system32\difxapi.dll
2010-05-01 11:01 . 2010-05-01 11:01 -------- d-----w- c:\program files\CCleaner
2010-05-01 10:39 . 2010-05-01 10:39 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-01 10:36 . 2007-04-03 05:06 449536 ----a-w- c:\windows\system32\drivers\WlanUZG.sys
2010-05-01 06:55 . 2010-05-01 06:55 -------- d-----w- c:\users\Mark\AppData\Roaming\Malwarebytes
2010-04-15 08:12 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-15 08:12 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-04-15 08:12 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-15 08:02 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 08:02 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 08:02 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 07:59 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 07:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 16:05 . 2010-03-09 10:11 -------- d-----w- c:\programdata\Kaspersky Lab
2010-05-01 10:39 . 2010-03-10 11:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 06:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-29 14:39 . 2010-03-10 11:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-03-10 11:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 08:16 . 2009-03-31 18:56 -------- d-----w- c:\programdata\Microsoft Help
2010-03-10 11:03 . 2010-03-10 11:03 -------- d-----w- c:\users\Deborah\AppData\Roaming\Malwarebytes
2010-03-10 11:03 . 2010-03-10 11:03 -------- d-----w- c:\programdata\Malwarebytes
2010-03-09 23:57 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-09 19:11 . 2010-03-09 13:53 -------- d-----w- c:\programdata\Roxio
2010-03-09 13:53 . 2010-03-09 13:53 -------- d-----w- c:\users\Deborah\AppData\Roaming\Roxio
2010-03-09 12:44 . 2010-03-09 12:44 -------- d-----w- c:\program files\Enigma Software Group
2010-03-09 10:00 . 2010-03-09 10:00 -------- d-----w- c:\program files\QuickTime
2010-03-09 10:00 . 2010-03-09 10:00 -------- d-----w- c:\programdata\Apple Computer
2010-03-08 17:17 . 2010-03-08 17:17 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-03-05 14:01 . 2010-04-15 08:03 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 18:23 . 2009-04-19 09:07 408 ----a-w- c:\users\Deborah\AppData\Roaming\wklnhst.dat
2010-02-25 17:15 . 2009-04-23 16:22 71904 ----a-w- c:\users\Ewan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 22:28 . 2009-05-09 10:26 71904 ----a-w- c:\users\Alec\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 17:41 . 2009-04-17 17:25 71904 ----a-w- c:\users\Deborah\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-04 11:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 22:32 . 2009-04-27 20:02 71904 ----a-w- c:\users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:32 . 2010-04-15 08:03 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-04-15 08:03 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-04-15 08:03 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-04-15 08:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-15 08:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-04-15 08:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-04-15 08:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-18 17:36 . 2010-04-15 08:03 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 17:36 . 2010-04-15 08:03 3548560 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 10:48 . 2010-03-23 17:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-09 18:29 . 2009-04-21 14:36 71336 ----a-w- c:\users\Joel\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-01 02:42 . 2009-04-01 02:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
Sigcheck
[-] 2010-03-09 23:57 . 12AC52A3321CEAC1BF524D38F9C75B87 . 21560 . . . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[7] 2009-04-01 . 0D83C87A801A3DFCD1BF73893FE7518C . 21560 . . [6.0.6001.18034] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[7] 2008-01-21 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 14:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
c:\users\Alec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\users\Ewan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\users\Joel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\users\Deborah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2007-12-6 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-31 18:28 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
R3 RTL8187B;TG123g USB Wireless Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-18 281088]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2008-01-21 19968]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [2007-04-03 449536]
S0 99895652;99895652 Boot Guard Driver;c:\windows\system32\DRIVERS\99895652.sys [2009-10-22 37392]
S1 99895651;99895651;c:\windows\system32\DRIVERS\99895651.sys [2009-09-25 128016]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-05-02 c:\windows\Tasks\User_Feed_Synchronization-{E77647F2-50D5-4DF7-8F0E-0B913CE6854C}.job
- c:\windows\system32\msfeedssync.exe [2010-04-15 04:54]
2009-06-08 c:\windows\Tasks\WebReg psc 1400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-10 20:36]
.
.
Supplementary Scan
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Deborah\AppData\Roaming\Mozilla\Firefox\Profiles\dtaq0x7f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 09:35
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3920910989-2757540604-3831163897-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:f6,05,3f,d3,5d,53,af,00
DUMPHIVE0.003 (REGF)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(2568)
c:\program files\Microsoft Office\Office10\MLSHEXT.DLL
.
Completion time: 2010-05-02 09:36:49
ComboFix-quarantined-files.txt 2010-05-02 08:36
ComboFix2.txt 2010-03-10 21:42
Pre-Run: 229,536,649,216 bytes free
Post-Run: 229,526,089,728 bytes free
- - End Of File - - C20AB14EE0210006BE7AC159644C87F5
Have now agreed to do a Factory Restore on this Dell just to be safe. All data backed up. According to the manual, to do this you either go Start > All Programs > Recovery Manager. But there is no RM menu option for this (it's running Vista Premium)!
The other given method is to press F11 at start-up, but that has no effect, and it just boots normally.
The recovery partition is showing in My Computer and is accessible. What's going on?
Is there maybe a command-line prompt that will get me into Recovery Manager (if RM still exists)?
Edit: must have been having a blonde moment; just realised that I downloaded the wrong manual! It's F8 at start-up...