redirect after fake VirusScanner virus removed


  • This topic is locked
19 replies to this topic

#1 TurboMike

  • Members
  • 9 posts

Posted 14 May 2010 - 11:05 AM

First, I got a fake "Virus scanner" virus. Removed, came back twice, now it's not coming back after finding junk all over the registry. But I'm stuck with redirects. I randomly get a fake proxy registry entry that keeps coming back. GMER says Atapi is corrupt even though I've replaced it from another machine a few times. ComboFix and a TDSS remover say they see a rootkit and are not removing it. I ass-u-me it's a nasty rootkit and don't know where to turn next. Halp!

- CD emulation disabled
- Attach and ARK attached
- Here is my DDS:


DDS (Ver_10-03-17.01) - FAT32x86
Run by Worldship at 10:14:20.98 on Fri 05/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2412 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\Ltxsrv.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Worldship\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\worlds~1\startm~1\programs\startup\shortc~1.lnk - c:\lantasti\CONNECT.BAT
StartupFolder: c:\docume~1\worlds~1\startm~1\programs\startup\hitman~1.lnk - c:\program files\hitman pro 3.5\HitmanPro35[1].exe
StartupFolder: c:\docume~1\worlds~1\startm~1\programs\startup\starup.lnk - c:\ups\wstd\WorldShipTD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
DPF: Garmin Communicator Plug-In
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272384296718
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9}
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5967/mcfscan.cab
TCP: {7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC} = 207.69.188.185,207.69.188.186
Notify: GoToAssist - c:\program files\citrix\gotoassist\508\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - u:\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-13 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-5-11 1872320]
R2 Afsd;LANtastic Installable File System;c:\windows\system32\drivers\Afsd.sys [2006-8-10 69920]
R2 Ailb;LANtastic NetBIOS protocol;c:\windows\system32\drivers\Ntailb.sys [2006-8-10 62880]
R2 Asnbpsd;LANtastic Client Protocol;c:\windows\system32\drivers\Asnbpsd.sys [2006-8-10 40992]
R2 Atila;LANtastic Services;c:\windows\system32\drivers\Atila.sys [2006-8-10 14816]
R2 Fsdk-wrap;LANtastic NT file system wrapper;c:\windows\system32\drivers\Fsdk-wrap.sys [2006-8-10 200640]
R2 Ldbnt;LANtastic Database;c:\windows\system32\drivers\Ldbnt.sys [2006-8-10 104416]
R2 LTXSRV;LANtastic Utilities;c:\windows\system32\Ltxsrv.exe [2006-8-10 34304]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Ntbrowse;LANtastic Computer Browser;c:\windows\system32\drivers\Ntbrowse.sys [2006-8-10 10848]
R2 Ntlib;LANtastic Library;c:\windows\system32\drivers\Ltlib.sys [2006-8-10 33568]
R2 Ntsvr;LANtastic Server Service;c:\windows\system32\drivers\Ntsvr.sys [2006-8-10 47520]
R2 Ntsvrsnb;LANtastic Server Protocol;c:\windows\system32\drivers\Ntsvrsnb.sys [2006-8-10 39072]
S3 LANtasticServer;LANtastic Server;c:\windows\system32\services.exe [2004-8-4 110592]
S3 LANtasticWorkstation;LANtastic Workstation;c:\windows\system32\services.exe [2004-8-4 110592]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]

=============== Created Last 30 ================

2010-05-14 14:11:30 0 ----a-w- c:\documents and settings\worldship\defogger_reenable
2010-05-13 19:05:08 0 d-----w- C:\07245269
2010-05-13 19:03:43 142288 ----a-w- C:\07245269.zip
2010-05-13 17:10:27 0 d-----w- C:\10150680
2010-05-13 17:08:46 262779 ----a-w- C:\10150680.zip
2010-05-12 15:00:00 0 d-sh--w- C:\Recycled
2010-05-12 14:31:25 0 d-----w- C:\ComboFix
2010-05-12 14:25:38 0 d-----w- C:\FOUND.002
2010-05-11 21:13:44 0 d-----w- C:\FOUND.001
2010-05-11 20:25:03 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-11 20:21:56 0 d-----w- C:\bc09c815826bf628cee2f3c1f8
2010-05-11 19:22:03 0 d-----w- c:\program files\a-squared Free
2010-05-11 18:58:11 0 d-----w- C:\J1
2010-05-11 18:57:28 0 d-----w- C:\J0042670
2010-05-11 17:52:30 145666 ----a-w- C:\J1.zip
2010-05-11 17:52:27 274271 ----a-w- C:\J0042670.zip
2010-05-11 15:22:28 0 d-----w- c:\temp\19659673
2010-05-11 15:21:50 307069 ----a-w- c:\temp\19659673.zip
2010-05-03 14:29:29 0 d-----w- C:\UPS
2010-04-30 18:32:59 0 d-----w- C:\UPSbad2
2010-04-30 15:27:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-30 15:27:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 21:16:09 98816 ----a-w- c:\windows\sed.exe
2010-04-29 20:57:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-29 20:57:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-29 20:56:59 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-29 20:22:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:22:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 20:18:04 0 d-----w- C:\FOUND.000
2010-04-29 19:29:21 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-27 16:13:57 0 d-----w- c:\windows\ie8updates
2010-04-27 16:12:46 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-27 16:12:46 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-26 19:13:43 0 d--h--w- c:\windows\ie8
2010-04-26 18:42:41 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-26 15:58:42 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-26 15:58:42 1409 ----a-w- c:\windows\QTFont.for
2010-04-23 19:22:57 0 d-sh--w- c:\documents and settings\worldship\IECompatCache
2010-04-23 17:26:05 0 d-sh--w- c:\documents and settings\worldship\PrivacIE
2010-04-23 17:24:42 0 d-sh--w- c:\documents and settings\worldship\IETldCache
2010-04-19 14:03:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 14:03:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 13:51:50 39326675 ----a-w- c:\temp\83406op.zip
2010-04-16 21:25:41 0 d-----w- c:\temp\BACKUP
2010-04-16 20:22:53 0 d-----w- C:\UPSbad
2010-04-16 19:42:50 0 d-----w- c:\temp\ARCHIVE
2010-04-16 18:38:38 356 ----a-w- c:\temp\regfix.reg
2010-04-16 18:24:32 0 d-----w- C:\19659610
2010-04-16 18:23:48 1616370 ----a-w- C:\19659610.zip

==================== Find3M ====================

2010-04-30 19:18:38 5376 ----a-w- c:\windows\system32\drivers\ViaIde.sys
2010-04-26 19:58:14 256512 ----a-w- c:\windows\PEV.exe
2010-04-05 15:44:02 1985188 ----a-w- C:\nmi0410.zip
2010-03-10 13:18:22 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-10 04:33:42 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-25 06:24:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 06:24:38 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-02-25 06:24:38 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-02-25 06:24:38 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-02-25 06:24:38 1209344 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-02-25 06:24:36 5944832 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-02-25 06:24:36 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-25 06:24:36 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-25 06:24:36 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-02-25 06:24:36 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-02-25 06:24:36 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-02-25 06:24:34 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

============= FINISH: 10:16:11.99 ===============


#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,205 posts
  • Gender:Male
  • Location:Dubai

Posted 15 May 2010 - 01:29 AM

Hello, TurboMike.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://www.aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#3 TurboMike

  • Topic Starter
  • Members
  • 9 posts

Posted 17 May 2010 - 08:43 AM

I only got the LOG.TXT from RSIT; there was no info.txt:

Logfile of random's system information tool 1.07 (written by random/random)
Run by Worldship at 2010-05-17 09:31:20
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (8%) free of 76 GB
Total RAM: 3062 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:31:36 AM, on 5/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ltxsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Worldship\Desktop\RSIT.exe
C:\Program Files\trend micro\Worldship.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe" /scan:boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Shortcut to CONNECT.BAT.lnk = C:\LANTASTI\CONNECT.BAT
O4 - Startup: Hitman Pro 3.5.lnk = C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe
O4 - Startup: Starup.lnk = C:\UPS\WSTD\WorldShipTD.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1272384296718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...967/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS2\Services\Tcpip\..\{7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS4\Services\Tcpip\..\{7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANtastic Utilities (LTXSRV) - Artisoft, Inc. - C:\WINDOWS\system32\Ltxsrv.exe

--
End of file - 6860 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-30 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-30 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]
"HitmanPro35"=C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe [2010-04-29 5937984]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"NA1Messenger"=C:\UPS\WSTD\UPSNA1Msgr.exe [2009-12-01 24576]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftpqueue]
C:\Program Files\WS_FTP Pro\ftpqueue.exe [2005-08-18 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3
"UPS"=3
"Symantec RemoteAssist"=3
"ReflectService"=2
"NMSAccessU"=2
"MSSQLServerADHelper"=3
"MSSQL$UPSWSDBSERVER"=2
"LexBceS"=2
"Lavasoft Ad-Aware Service"=2
"idsvc"=3
"IDriverT"=3
"ftpqueue"=2
"Fax"=2
"FastUserSwitchingCompatibility"=3
"JavaQuickStarterService"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\WSTDMessaging.exe

C:\Documents and Settings\Worldship\Start Menu\Programs\Startup
Shortcut to CONNECT.BAT.lnk - C:\LANTASTI\CONNECT.BAT
Hitman Pro 3.5.lnk - C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe
Starup.lnk - C:\UPS\WSTD\WorldShipTD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll [2009-11-17 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-20 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"=U:\EUDORA\EuShlExt.dll [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCTAVSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCTAVSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\WS_FTP Pro\FTP95PRO.EXE"="C:\Program Files\WS_FTP Pro\FTP95PRO.EXE:*:Enabled:WS_FTP 95"
"C:\WINDOWS\System32\mmc.exe"="C:\WINDOWS\System32\mmc.exe:*:Enabled:Microsoft Management Console"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\mshta.exe"="C:\WINDOWS\system32\mshta.exe:*:Enabled:mshta"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-05-17 09:11:20 ----D---- C:\rsit
2010-05-13 15:05:08 ----D---- C:\07245269
2010-05-13 13:10:27 ----D---- C:\10150680
2010-05-12 11:00:00 ----SHD---- C:\Recycled
2010-05-12 10:42:37 ----A---- C:\ComboFix.txt
2010-05-12 10:31:25 ----D---- C:\ComboFix
2010-05-12 10:25:38 ----D---- C:\FOUND.002
2010-05-12 10:13:18 ----HD---- C:\WINDOWS\$NtUninstallKB978542$
2010-05-11 17:13:44 ----D---- C:\FOUND.001
2010-05-11 16:25:03 ----D---- C:\WINDOWS\system32\MpEngineStore
2010-05-11 16:21:56 ----D---- C:\bc09c815826bf628cee2f3c1f8
2010-05-11 15:26:19 ----A---- C:\TDSSKiller.2.2.8.1_11.05.2010_15.26.19_log.txt
2010-05-11 15:22:03 ----D---- C:\Program Files\a-squared Free
2010-05-11 14:58:11 ----D---- C:\J1
2010-05-11 14:57:28 ----D---- C:\J0042670
2010-05-03 10:29:29 ----D---- C:\UPS
2010-04-30 14:32:59 ----D---- C:\UPSbad2
2010-04-30 11:27:29 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-30 11:27:29 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-30 11:27:29 ----A---- C:\WINDOWS\system32\java.exe
2010-04-30 11:27:29 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-04-30 10:40:02 ----D---- C:\WINDOWS\temp
2010-04-29 17:16:09 ----A---- C:\WINDOWS\sed.exe
2010-04-29 16:57:00 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-04-29 16:56:59 ----D---- C:\Program Files\Hitman Pro 3.5
2010-04-29 16:18:04 ----D---- C:\FOUND.000
2010-04-29 12:11:04 ----A---- C:\resetlog.txt
2010-04-27 12:13:57 ----D---- C:\WINDOWS\ie8updates
2010-04-27 12:08:43 ----A---- C:\WINDOWS\system32\wups2.dll
2010-04-26 15:13:43 ----HD---- C:\WINDOWS\ie8
2010-04-26 15:03:17 ----HD---- C:\WINDOWS\$NtUninstallKB980182$
2010-04-26 14:42:41 ----D---- C:\Documents and Settings\All Users\Application Data\avG

======List of files/folders modified in the last 1 months======

2010-05-17 09:06:22 ----A---- C:\WINDOWS\wstdUPSWSHIP.INI
2010-05-14 17:44:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-12 10:40:30 ----A---- C:\WINDOWS\system.ini
2010-05-04 12:49:36 ----A---- C:\WINDOWS\DUNZLOG.TXT
2010-05-03 11:08:52 ----A---- C:\WINDOWS\ODBC.INI
2010-05-03 11:05:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-30 14:53:24 ----A---- C:\WINDOWS\wstdUninstall.txt
2010-04-30 11:51:08 ----A---- C:\WINDOWS\system32\MRT.exe
2010-04-29 13:10:42 ----A---- C:\WINDOWS\WIN.INI
2010-04-27 12:14:48 ----A---- C:\WINDOWS\imsins.BAK
2010-04-26 15:58:14 ----A---- C:\WINDOWS\PEV.exe
2010-04-26 15:53:56 ----SH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 Afsd;LANtastic Installable File System; C:\WINDOWS\system32\DRIVERS\Afsd.sys [2009-04-07 69920]
R2 Ailb;LANtastic NetBIOS protocol; C:\WINDOWS\system32\DRIVERS\Ntailb.sys [2009-04-07 62880]
R2 Asnbpsd;LANtastic Client Protocol; C:\WINDOWS\system32\DRIVERS\Asnbpsd.sys [2009-04-07 40992]
R2 Atila;LANtastic Services; C:\WINDOWS\system32\DRIVERS\Atila.sys [2009-04-07 14816]
R2 Fsdk-wrap;LANtastic NT file system wrapper; C:\WINDOWS\system32\DRIVERS\fsdk-wrap.sys [2009-04-07 200640]
R2 Ldbnt;LANtastic Database; C:\WINDOWS\system32\DRIVERS\Ldbnt.sys [2009-04-07 104416]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 Ntbrowse;LANtastic Computer Browser; C:\WINDOWS\system32\DRIVERS\Ntbrowse.sys [2009-04-07 10848]
R2 Ntlib;LANtastic Library; C:\WINDOWS\system32\DRIVERS\ltlib.sys [2009-04-07 33568]
R2 Ntsvr;LANtastic Server Service; C:\WINDOWS\system32\DRIVERS\Ntsvr.sys [2009-04-07 47520]
R2 Ntsvrsnb;LANtastic Server Protocol; C:\WINDOWS\system32\DRIVERS\Ntsvrsnb.sys [2009-04-07 39072]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-05-29 186112]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-08-20 737874]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-09 612352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 pxtdapob;pxtdapob; \??\C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\pxtdapob.sys []
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2010-04-15 1872320]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-30 153376]
R2 LTXSRV;LANtastic Utilities; C:\WINDOWS\system32\Ltxsrv.exe [2009-04-07 34304]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER; C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2005-05-04 9150464]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe [2009-11-24 16680]
S3 LANtasticServer;LANtastic Server; C:\WINDOWS\system32\services.exe [2009-02-06 110592]
S3 LANtasticWorkstation;LANtastic Workstation; C:\WINDOWS\system32\services.exe [2009-02-06 110592]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER; C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [2005-05-03 323584]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S4 ftpqueue;Ipswitch WS_FTP Queue; C:\Program Files\WS_FTP Pro\ftpsched.exe [2005-08-18 212992]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-03-05 303104]
S4 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-04-15 71096]
S4 ReflectService;Macrium Reflect Image Mounting Service; C:\Program Files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
S4 Symantec RemoteAssist;Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [2008-01-29 394704]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Attached is the GMER log. THANKS!!!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 09:29:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\pxtdapob.sys


---- Kernel code sections - GMER 1.0.15 ----

_PTEXT C:\WINDOWS\system32\DRIVERS\Ldbnt.sys entry point in "_PTEXT" section [0x9B5CEA60]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1032] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02A5000A
.text C:\WINDOWS\System32\svchost.exe[1032] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0273000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\a-squared Free\a2service.exe[1872] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2384] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Afsd \Device\ALT_AFSD fsdk-wrap.sys
Device \Driver\Afsd \Device\AFSD fsdk-wrap.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A420AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Edited by aommaster, 17 May 2010 - 01:46 PM.
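Added example (not part of TurboMike's post or aommaster's reply): a small Python triage script for the GMER log above. It only reorganizes what GMER already printed. In the "User code sections" block GMER appends the owning module and its vendor when a hook's JMP or CALL target lands inside a loaded image, as it does for the USER32 and ole32 hooks inside iexplore.exe that resolve to IEFRAME.dll (Internet Explorer/Microsoft Corporation) and for the CreateThread hook that a2service.exe places in itself; when it cannot name an owner the line simply ends at the target address, as on the ntdll.dll!NtProtectVirtualMemory, NtWriteVirtualMemory and KiUserExceptionDispatcher hooks that recur in svchost.exe, Explorer.EXE and every iexplore.exe instance. The script buckets hooks by that distinction, lists exports whose unattributed hook shows up in several unrelated processes, and pulls out the two other findings: the \Device\Harddisk0\DR0 line whose handler column is a bare address (8A420AC8) instead of a driver file name like the fsdk-wrap.sys entries beside it, and the "suspicious modification" reported on atapi.sys. The regular expressions are written to the GMER 1.0.15 line shapes visible in this log (an assumption; other GMER builds may format lines differently), the sample input is a constructed excerpt of lines copied from the log, and an unattributed target is a triage heuristic, not proof of infection.

```python
"""Triage a GMER 1.0.15 text log: separate inline hooks GMER could attribute to a
loaded module from hooks that jump into unattributed memory, and pull out the
device and file findings. Added example for this thread, not part of the post."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted above, one or two of
# each shape the parser must handle (the real log has many more hook lines).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1032] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0273000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\Program Files\a-squared Free\a2service.exe[1872] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Devices - GMER 1.0.15 ----

Device \Driver\Afsd \Device\ALT_AFSD fsdk-wrap.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A420AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# Line shapes as they appear in this GMER 1.0.15 log (assumed stable for this build).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"           # process image and PID
    r"(?P<dll>\S+?)!(?P<export>\S+(?:\s\+\s[0-9A-F]+)?)\s+"   # hooked export, maybe "+ offset"
    r"(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes?\s+"               # patched address and patch length
    r"(?:(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"       # control transfer to target ...
    r"|\[(?P<raw>[0-9A-F ]+)\])"                             # ... or a raw byte patch
    r"(?:\s+(?P<module>[A-Za-z]:\\.+?)\s+\((?P<desc>[^()]*)\))?\s*$"  # owner, if GMER named one
)
DEVICE_RE = re.compile(
    r"^Device\s+(?P<arrow>->\s+)?(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+(?P<handler>\S+)$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


def triage(log_text):
    """Bucket every parsed line; returns plain dicts/lists so callers can assert on them."""
    attributed = defaultdict(set)    # owner module path -> {hooked export, ...}
    unattributed = defaultdict(set)  # hooked export -> {"image[pid]", ...}
    raw_patches, redirected, modified = [], [], []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := HOOK_RE.match(line)):
            export = f"{m['dll']}!{m['export']}"
            proc = f"{m['image'].rsplit(chr(92), 1)[-1]}[{m['pid']}]"
            if m["raw"] is not None:
                raw_patches.append((proc, export))          # follow-up bytes of a longer patch
            elif m["module"]:
                attributed[m["module"]].add(export)         # target lies inside a named image
            else:
                unattributed[export].add(proc)              # target in memory GMER could not name
        elif (m := DEVICE_RE.match(line)):
            # A bare address in the handler column instead of a driver file name, or GMER's
            # "->" marker, means the device object no longer points at a driver GMER can name.
            if m["arrow"] or re.fullmatch(r"[0-9A-F]{8}", m["handler"]):
                redirected.append((m["driver"], m["device"], m["handler"]))
        elif (m := FILE_RE.match(line)):
            modified.append(m["path"])
    return {"attributed": dict(attributed), "unattributed": dict(unattributed),
            "raw_patches": raw_patches, "redirected_devices": redirected,
            "modified_files": modified}


def shared_unattributed(result, min_procs=2):
    """Exports whose unattributed hook recurs in several unrelated processes; the same
    hook planted process-wide is a stronger signal than a one-off."""
    return {exp for exp, procs in result["unattributed"].items() if len(procs) >= min_procs}


def report(result):
    out = []
    for exp in sorted(result["unattributed"]):
        out.append(f"UNATTRIBUTED {exp}: {', '.join(sorted(result['unattributed'][exp]))}")
    for mod, exps in sorted(result["attributed"].items()):
        out.append(f"attributed   {mod}: {len(exps)} hook(s), owner named by GMER")
    for drv, dev, handler in result["redirected_devices"]:
        out.append(f"REDIRECTED   {dev} ({drv}) -> {handler}, no driver file name")
    for path in result["modified_files"]:
        out.append(f"MODIFIED     {path}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it as a script to print the report for the excerpt, or pass the full log text to triage(). The script cannot verify anything on its own: it reads GMER's text, and GMER in turn ran on the suspect machine. Confirming what sits at the unattributed addresses, or whether atapi.sys really differs from the shipped file, needs a memory dump or a comparison against a known-good copy taken from outside the running system.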


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:48 AM

Posted 17 May 2010 - 01:47 PM

Hi!

Posting up both the logs together is fine, no need for the attachments.

If info.txt didn't pop up, then it's possible that you've run RSIT before. In that case, please look for info.txt in your c:\rsit folder
My website: http://www.aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#5 TurboMike

TurboMike
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:48 AM

Posted 17 May 2010 - 02:32 PM

Yeah, I actually ran it 3 or 4 times while trying to get the log over to a computer where I can post here. The afflicted computer gets a "website not found" when I click "Add Reply" here at bleepingcomputer.com. It's extra vindictive that you can type out a reply and add logs and then lose everything as soon as you hit "Add Reply". I didn't realize you only get info.txt in a window the first time you run it.

Here it is:

info.txt logfile of random's system information tool 1.06 2010-05-17 09:11:42

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{11B95B0C-D13F-4E5D-B375-D98C9B6CE7B9}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{11B95B0C-D13F-4E5D-B375-D98C9B6CE7B9}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{52C1E6E3-85EB-448E-9004-F5EB14DEF22B}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{52C1E6E3-85EB-448E-9004-F5EB14DEF22B}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{6C6965D1-799C-4136-AE06-ACF80A311D35}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{6C6965D1-799C-4136-AE06-ACF80A311D35}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{871D9278-C4DE-4B83-9B31-FDE1BE4B7096}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{871D9278-C4DE-4B83-9B31-FDE1BE4B7096}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{8A549839-FC1C-4A24-A209-EC27AACE75E5}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{8A549839-FC1C-4A24-A209-EC27AACE75E5}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{9614DAD1-A91F-4225-9907-59D68336BC04}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{9614DAD1-A91F-4225-9907-59D68336BC04}\setup.iss" -f2C:\WINDOWS\Setup.log
-->"C:\Program Files\InstallShield Installation Information\{C02D7C81-8AEA-4155-B665-5271BA7877BA}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{C02D7C81-8AEA-4155-B665-5271BA7877BA}\setup.iss" -f2C:\WINDOWS\Setup.log
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B785F89C-FD1A-466F-9AF3-32A060A1099A}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
a-squared Free 4.5-->"C:\Program Files\a-squared Free\unins000.exe"
Broadcom Advanced Control Suite 2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
CCC-->MsiExec.exe /I{95749C5B-BC37-41E3-8D39-EEF4C21A2825}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP-->"C:\Program Files\CDBurnerXP\unins000.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell Printer Software Uninstall-->C:\Program Files\Dell_HostCD\Install\Uninstall.exe
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DriveImage XML-->"C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
FormsComponent-->MsiExec.exe /I{BC728F95-2D3F-4D05-9E1E-F2A3CEBF3FE8}
FOSS-->MsiExec.exe /I{EA9629DA-5715-48BA-B054-28169702B176}
Garmin USB Drivers-->MsiExec.exe /X{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}
Garmin USB Drivers-->MsiExec.exe /X{B1102A25-3AA3-446B-AA0F-A699B07A02FD}
Garmin WebUpdater-->MsiExec.exe /X{D17111CB-C992-42A9-9D56-C19395102AAA}
getPlus®_ocx-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GoToAssist 8.0.0.508-->C:\Program Files\Citrix\GoToAssist\508\G2AUninstaller.exe /uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe" /uninstall
Hotfix 2050 for SQL Server 2000 ENU (KB948110)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$\spuninst\spuninst.exe"
Hotfix 2055 for SQL Server 2000 ENU (KB960082)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$\spuninst\spuninst.exe"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
hp LaserJet 2300 Uninstaller-->C:\Program Files\Hewlett-Packard\LJ2300\Uninstall\unhp.exe ciuninst.ini
ICCHelp-->MsiExec.exe /I{A5763105-D1D5-4862-A3FE-EC058F9AA73E}
ImportML-->MsiExec.exe /X{859DECFE-CA10-4914-95D6-6EDC8011666B}
InstallShield Express 5.0 Visual FoxPro Limited Edition-->MsiExec.exe /I{C621DFA7-85D8-4CDF-89EA-B01001790038}
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Ipswitch WS_FTP Pro Uninstall-->"C:\Program Files\WS_FTP Pro\remove32.exe" -f C:\Program Files\WS_FTP Pro -d C:\Program Files\WS_FTP Pro -g WS_FTP Pro
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LANtastic for Windows NT-->RUNDLL32.EXE C:\WINDOWS\system32\L4W32UTL.DLL,VerifyAndSpawn C:\WINDOWS\UNINST.EXE -fC:\LANTASTI\WINNT\DeIsL1.isu -c"C:\LANTASTI\WINNT\UNINST.DLL"
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
Macrium Reflect - Free Edition-->MsiExec.exe /I{448CD608-6E01-418B-A699-D6A1C6C4258C}
MAILERS+4 Delivery Point Validation Add-On-->"C:\Program Files\Melissa DATA\MAILERS+4\unins001.exe"
MAILERS+4-->"C:\Program Files\Melissa DATA\MAILERS+4\unins000.exe"
MAILERS+4-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{54F0DFE9-4BA9-41FA-A655-5A9C58A5AE9A}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Expedia Streets 98-->C:\Program Files\Common Files\Microsoft Shared\Geography\Setup\acmsetup.exe /U /T SUS60409.stf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft SOAP Toolkit 3.0 Samples-->MsiExec.exe /I{437D9E8F-A8B0-4A5A-9137-6F624551D3F0}
Microsoft SOAP Toolkit 3.0-->MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft SQL Server Desktop Engine (UPSWSDBSERVER)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual FoxPro 9.0 Professional - English-->C:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSIChecker-->MsiExec.exe /I{C9D43B38-34AD-4EC2-B696-46F42D49D174}
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NA1Messenger-->MsiExec.exe /I{D44E7219-947E-4F1B-830E-66EF11ACC543}
Netflix Movie Viewer-->MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NRF-->MsiExec.exe /I{68AF09E3-1167-4771-903C-CCCDCF7E171C}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Panda ActiveScan-->C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PolicyManager-->MsiExec.exe /I{56B59C2A-EFB8-44AC-88F5-3280171E4522}
Reconciler-->MsiExec.exe /I{5AE59A84-B2F3-42CC-A246-5AF80F6EE770}
ReportServer-->MsiExec.exe /I{33035862-543C-4405-9CC6-08593CF2C25F}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SupportUtility-->MsiExec.exe /I{C30E30A6-0AB5-470A-AB67-D322938F5429}
Symantec Technical Support Web Controls-->MsiExec.exe /X{20C53FA2-4307-4671-A93F-9463B29DFCF1}
System-->MsiExec.exe /I{DB2C58E0-6284-4B48-97F2-22A980B6360B}
UnifiedPrinting-->MsiExec.exe /I{CF2962CB-E3E7-4AA5-B6CE-EE59A600ECBE}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows Internet Explorer 7 (KB980182)-->"C:\WINDOWS\ie7updates\KB980182-IE7\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"
UPS WorldShip-->C:\UPS\WSTD\Uninstall\Uninstall.exe
UPSDB-->MsiExec.exe /I{4AE3EAC8-FAD9-4ECC-A339-BBAD8C72DE71}
UPSICC-->MsiExec.exe /I{390160B4-D276-4A04-8002-8D3101A0D367}
UPSlinkHTTP-->MsiExec.exe /I{E358CC1E-4953-4E27-ADEB-8B27D8BBC20E}
UPSVCMM-->MsiExec.exe /I{1FAF0F08-7120-4192-BF6A-B1EC7E26A935}
UPSVCMM-->MsiExec.exe /I{C23415D8-FE94-4F52-B5C4-0FFA2202C6D9}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WebHelp-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C5BD501-AD5D-4A75-9321-076509B438FC}\SETUP.exe" -l0x9 -removeonly
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_8E661E05CC789A6D1B8ABAA087CF60EDD72AC35D\grmnusb.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WorldShip-->MsiExec.exe /I{2A033A00-FE0D-4609-B0E8-2C49CC494FC8}
ZIP Reader 8.00.0018-->MsiExec.exe /I{856C155E-4A74-4041-B026-04F96FFD1BCD}

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======System event log======

Computer Name: UPS
Event Code: 49
Message: Configuring the Page file for crash dump failed. Make sure there is a page
file on the boot partition and that is large enough to contain all physical
memory.

Record Number: 49470
Source Name: Ftdisk
Time Written: 20100419102035.000000-240
Event Type: error
User:

Computer Name: UPS
Event Code: 45
Message: The system could not sucessfully load the crash dump driver.

Record Number: 49469
Source Name: Ftdisk
Time Written: 20100419102035.000000-240
Event Type: error
User:

Computer Name: UPS
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 49453
Source Name: Tcpip
Time Written: 20100419100606.000000-240
Event Type: warning
User:

Computer Name: UPS
Event Code: 49
Message: Configuring the Page file for crash dump failed. Make sure there is a page
file on the boot partition and that is large enough to contain all physical
memory.

Record Number: 49438
Source Name: Ftdisk
Time Written: 20100419092706.000000-240
Event Type: error
User:

Computer Name: UPS
Event Code: 45
Message: The system could not sucessfully load the crash dump driver.

Record Number: 49437
Source Name: Ftdisk
Time Written: 20100419092706.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: UPS
Event Code: 2004
Message: Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Record Number: 4439
Source Name: PerfNet
Time Written: 20090914100309.000000-240
Event Type: error
User:

Computer Name: UPS
Event Code: 1517
Message: Windows saved user UPS\Worldship registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4438
Source Name: Userenv
Time Written: 20090911165857.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: UPS
Event Code: 19011
Message:
Record Number: 4436
Source Name: MSSQL$UPSWSDBSERVER
Time Written: 20090911094933.000000-240
Event Type: warning
User:

Computer Name: UPS
Event Code: 2004
Message: Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Record Number: 4435
Source Name: PerfNet
Time Written: 20090911094923.000000-240
Event Type: error
User:

Computer Name: UPS
Event Code: 1517
Message: Windows saved user UPS\Worldship registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4434
Source Name: Userenv
Time Written: 20090910180236.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:;c:\odi;c:\temp;c:\util;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0401
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;

-----------------EOF-----------------




#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,205 posts
  • Gender:Male
  • Location:Dubai

Posted 17 May 2010 - 02:38 PM

Hello, TurboMike.
Yeah, the reason info.txt only pops up once is because we'll only be using it once. Very rarely does it change much :)


We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://www.aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#7 TurboMike
  • Topic Starter
  • Members
  • 9 posts

Posted 17 May 2010 - 03:20 PM

Here it is:



ComboFix 10-05-16.02 - Worldship 05/17/2010 16:02:55.6.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2730 [GMT -4:00]
Running from: c:\documents and settings\Worldship\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ViaIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-17 13:11 . 2010-05-17 13:11 -------- d-----w- C:\rsit
2010-05-13 19:05 . 2010-05-13 19:05 -------- d-----w- C:\07245269
2010-05-13 19:03 . 2010-05-13 19:07 142288 ----a-w- C:\07245269.zip
2010-05-13 17:10 . 2010-05-13 17:10 -------- d-----w- C:\10150680
2010-05-13 17:08 . 2010-05-13 15:54 262779 ----a-w- C:\10150680.zip
2010-05-12 14:25 . 2010-05-12 14:25 -------- d-----w- C:\FOUND.002
2010-05-11 21:13 . 2010-05-11 21:13 -------- d-----w- C:\FOUND.001
2010-05-11 20:25 . 2010-05-11 20:25 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 20:21 . 2010-05-11 20:21 -------- d-----w- C:\bc09c815826bf628cee2f3c1f8
2010-05-11 19:22 . 2010-05-11 19:22 -------- d-----w- c:\program files\a-squared Free
2010-05-11 18:58 . 2010-05-11 18:58 -------- d-----w- C:\J1
2010-05-11 18:57 . 2010-05-11 18:57 -------- d-----w- C:\J0042670
2010-05-11 17:52 . 2010-05-11 17:48 145666 ----a-w- C:\J1.zip
2010-05-11 17:52 . 2010-05-11 17:48 274271 ----a-w- C:\J0042670.zip
2010-05-11 15:22 . 2010-05-11 15:22 -------- d-----w- c:\temp\19659673
2010-05-11 15:21 . 2010-05-10 13:55 307069 ----a-w- c:\temp\19659673.zip
2010-05-03 14:29 . 2010-05-03 14:29 -------- d-----w- C:\UPS
2010-04-30 18:32 . 2010-04-30 18:33 -------- d-----w- C:\UPSbad2
2010-04-30 15:27 . 2010-04-30 15:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 20:57 . 2010-05-17 13:06 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-29 20:57 . 2010-04-29 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-29 20:56 . 2010-04-29 20:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-29 20:22 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:22 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 20:18 . 2010-04-29 20:18 -------- d-----w- C:\FOUND.000
2010-04-29 19:29 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-27 16:13 . 2010-04-27 16:13 -------- d-----w- c:\windows\ie8updates
2010-04-27 16:12 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-27 16:12 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-27 16:08 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-04-26 19:13 . 2010-04-26 19:13 -------- d--h--w- c:\windows\ie8
2010-04-26 18:42 . 2010-04-26 18:42 -------- d-----w- c:\documents and settings\Worldship\Local Settings\Application Data\avG
2010-04-26 18:42 . 2010-04-26 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-23 19:22 . 2010-04-23 19:22 -------- d-sh--w- c:\documents and settings\Worldship\IECompatCache
2010-04-23 17:29 . 2010-04-23 17:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-23 17:26 . 2010-04-23 17:26 -------- d-sh--w- c:\documents and settings\Worldship\PrivacIE
2010-04-23 17:24 . 2010-04-23 17:24 -------- d-sh--w- c:\documents and settings\Worldship\IETldCache
2010-04-23 16:16 . 2010-04-23 16:16 -------- d-----w- c:\documents and settings\Worldship\Local Settings\Application Data\lrplhgbuf
2010-04-19 14:03 . 2010-04-26 14:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 14:03 . 2010-04-19 14:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 14:03 . 2010-04-19 14:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-19 13:51 . 2010-04-19 13:52 39326675 ----a-w- c:\temp\83406op.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 20:00 . 2004-08-04 16:00 5376 ----a-w- c:\windows\system32\drivers\ViaIde.sys
2010-05-03 15:20 . 2005-07-08 17:23 44232 ----a-w- c:\documents and settings\Worldship\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-16 17:46 . 2010-04-16 18:23 1616370 ----a-w- C:\19659610.zip
2010-04-05 15:44 . 2010-04-05 17:35 1985188 ----a-w- C:\nmi0410.zip
2010-03-24 14:22 . 2010-03-24 14:22 -------- d-----w- c:\program files\DIFX
2010-03-24 14:22 . 2010-03-24 14:22 -------- d-----w- c:\program files\Garmin
2010-03-10 06:15 . 2004-08-04 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-04 16:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-05-12_14.40.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-17 20:01 . 2010-05-17 20:01 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
+ 2010-05-17 20:01 . 2010-05-17 20:01 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2004-08-04 16:00 . 2008-04-13 18:40 96512 c:\windows\SYSTEM32\DRIVERS\atapi.sys
- 2004-08-04 16:00 . 2010-05-11 19:46 96512 c:\windows\SYSTEM32\DRIVERS\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Worldship\Start Menu\Programs\Startup\
Shortcut to CONNECT.BAT.lnk - c:\lantasti\CONNECT.BAT [2005-7-14 791]
Hitman Pro 3.5.lnk - c:\program files\Hitman Pro 3.5\HitmanPro35[1].exe [2010-4-29 5937984]
Starup.lnk - c:\ups\WSTD\WorldShipTD.exe [2009-12-1 15429632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "u:\eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-17 17:07 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCTAVSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftpqueue]
2005-08-18 14:46 245760 ----a-w- c:\program files\WS_FTP Pro\ftpqueue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2004-08-20 05:51 118784 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-14 18:50 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2004-08-20 05:55 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"ReflectService"=2 (0x2)
"NMSAccessU"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$UPSWSDBSERVER"=2 (0x2)
"LexBceS"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ftpqueue"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP Pro\\FTP95PRO.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [11/13/2009 12:16 PM 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\SYSTEM32\DRIVERS\pssnap.sys [5/20/2008 9:32 AM 15328]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/11/2010 3:22 PM 1872320]
R2 Afsd;LANtastic Installable File System;c:\windows\SYSTEM32\DRIVERS\Afsd.sys [8/10/2006 4:34 PM 69920]
R2 Ailb;LANtastic NetBIOS protocol;c:\windows\SYSTEM32\DRIVERS\Ntailb.sys [8/10/2006 4:34 PM 62880]
R2 Asnbpsd;LANtastic Client Protocol;c:\windows\SYSTEM32\DRIVERS\Asnbpsd.sys [8/10/2006 4:34 PM 40992]
R2 Atila;LANtastic Services;c:\windows\SYSTEM32\DRIVERS\Atila.sys [8/10/2006 4:34 PM 14816]
R2 Fsdk-wrap;LANtastic NT file system wrapper;c:\windows\SYSTEM32\DRIVERS\Fsdk-wrap.sys [8/10/2006 4:34 PM 200640]
R2 Ldbnt;LANtastic Database;c:\windows\SYSTEM32\DRIVERS\Ldbnt.sys [8/10/2006 4:34 PM 104416]
R2 LTXSRV;LANtastic Utilities;c:\windows\SYSTEM32\Ltxsrv.exe [8/10/2006 4:34 PM 34304]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Ntbrowse;LANtastic Computer Browser;c:\windows\SYSTEM32\DRIVERS\Ntbrowse.sys [8/10/2006 4:34 PM 10848]
R2 Ntlib;LANtastic Library;c:\windows\SYSTEM32\DRIVERS\Ltlib.sys [8/10/2006 4:34 PM 33568]
R2 Ntsvr;LANtastic Server Service;c:\windows\SYSTEM32\DRIVERS\Ntsvr.sys [8/10/2006 4:34 PM 47520]
R2 Ntsvrsnb;LANtastic Server Protocol;c:\windows\SYSTEM32\DRIVERS\Ntsvrsnb.sys [8/10/2006 4:34 PM 39072]
S3 LANtasticServer;LANtastic Server;c:\windows\SYSTEM32\services.exe [8/4/2004 12:00 PM 110592]
S3 LANtasticWorkstation;LANtastic Workstation;c:\windows\SYSTEM32\services.exe [8/4/2004 12:00 PM 110592]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 12:34 PM 216032]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
TCP: {7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC} = 207.69.188.185,207.69.188.186
DPF: Garmin Communicator Plug-In
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 16:11
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A420AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef9852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e29bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e36a21
SendHandler -> NDIS.sys @ 0xb9e1487b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
c:\windows\System32\ltnp32.dll
c:\windows\System32\AUILIB.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ltshex.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\System32\ltnp32.dll
c:\windows\System32\AUILIB.dll
.
Completion time: 2010-05-17 16:15:54
ComboFix-quarantined-files.txt 2010-05-17 20:15
ComboFix2.txt 2010-05-12 14:42
ComboFix3.txt 2010-04-30 19:37
ComboFix4.txt 2009-11-23 16:31

Pre-Run: 6,228,213,760 bytes free
Post-Run: 6,295,257,088 bytes free

- - End Of File - - 438BEFB26325E14888F69839FCA1C4E7

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:48 AM

Posted 17 May 2010 - 03:34 PM

Hi!

Do you recognize any of the numerically-named zip files in the log? E.g. C:\07245269.zip

If not, let me know and I can remove them.
My website: http://www.aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#9 TurboMike

TurboMike
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 17 May 2010 - 03:51 PM

Those are old data files I don't need anymore. I need to delete them anyway.

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:48 AM

Posted 17 May 2010 - 04:50 PM

Hello, TurboMike.
Okay, no problem.

We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys

    File::
    C:\07245269
    C:\07245269.zip
    C:\10150680
    C:\10150680.zip
    C:\FOUND.002
    C:\FOUND.001
    C:\J1
    C:\J0042670
    C:\J1.zip
    C:\J0042670.zip
    c:\temp\19659673
    c:\temp\19659673.zip
    C:\FOUND.000
    c:\temp\83406op.zip
    C:\19659610.zip
    C:\nmi0410.zip
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt


#11 TurboMike

TurboMike
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 18 May 2010 - 09:59 AM

New log:

ComboFix 10-05-16.05 - Worldship 05/18/2010 10:30:21.7.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2722 [GMT -4:00]
Running from: c:\documents and settings\Worldship\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Worldship\Desktop\cfscript.txt

FILE ::
"C:\07245269"
"C:\07245269.zip"
"C:\10150680"
"C:\10150680.zip"
"C:\19659610.zip"
"C:\FOUND.000"
"C:\FOUND.001"
"C:\FOUND.002"
"C:\J0042670"
"C:\J0042670.zip"
"C:\J1"
"C:\J1.zip"
"C:\nmi0410.zip"
"c:\temp\19659673"
"c:\temp\19659673.zip"
"c:\temp\83406op.zip"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\07245269.zip
C:\10150680.zip
C:\19659610.zip
C:\J0042670.zip
C:\J1.zip
C:\nmi0410.zip
c:\temp\19659673.zip
c:\temp\83406op.zip

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\ViaIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-17 13:11 . 2010-05-17 13:11 -------- d-----w- C:\rsit
2010-05-13 19:05 . 2010-05-13 19:05 -------- d-----w- C:\07245269
2010-05-13 17:10 . 2010-05-13 17:10 -------- d-----w- C:\10150680
2010-05-12 14:25 . 2010-05-12 14:25 -------- d-----w- C:\FOUND.002
2010-05-11 21:13 . 2010-05-11 21:13 -------- d-----w- C:\FOUND.001
2010-05-11 20:25 . 2010-05-11 20:25 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 20:21 . 2010-05-11 20:21 -------- d-----w- C:\bc09c815826bf628cee2f3c1f8
2010-05-11 19:22 . 2010-05-11 19:22 -------- d-----w- c:\program files\a-squared Free
2010-05-11 18:58 . 2010-05-11 18:58 -------- d-----w- C:\J1
2010-05-11 18:57 . 2010-05-11 18:57 -------- d-----w- C:\J0042670
2010-05-11 15:22 . 2010-05-11 15:22 -------- d-----w- c:\temp\19659673
2010-05-03 14:29 . 2010-05-03 14:29 -------- d-----w- C:\UPS
2010-04-30 18:32 . 2010-04-30 18:33 -------- d-----w- C:\UPSbad2
2010-04-30 15:27 . 2010-04-30 15:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 20:57 . 2010-05-18 14:02 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-29 20:57 . 2010-04-29 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-29 20:56 . 2010-04-29 20:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-29 20:22 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:22 . 2010-04-29 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 20:18 . 2010-04-29 20:18 -------- d-----w- C:\FOUND.000
2010-04-29 19:29 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-27 16:13 . 2010-04-27 16:13 -------- d-----w- c:\windows\ie8updates
2010-04-27 16:12 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-27 16:12 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-27 16:08 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-04-26 19:13 . 2010-04-26 19:13 -------- d--h--w- c:\windows\ie8
2010-04-26 18:42 . 2010-04-26 18:42 -------- d-----w- c:\documents and settings\Worldship\Local Settings\Application Data\avG
2010-04-26 18:42 . 2010-04-26 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-23 19:22 . 2010-04-23 19:22 -------- d-sh--w- c:\documents and settings\Worldship\IECompatCache
2010-04-23 17:29 . 2010-04-23 17:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-23 17:26 . 2010-04-23 17:26 -------- d-sh--w- c:\documents and settings\Worldship\PrivacIE
2010-04-23 17:24 . 2010-04-23 17:24 -------- d-sh--w- c:\documents and settings\Worldship\IETldCache
2010-04-23 16:16 . 2010-04-23 16:16 -------- d-----w- c:\documents and settings\Worldship\Local Settings\Application Data\lrplhgbuf
2010-04-19 14:03 . 2010-04-26 14:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 14:03 . 2010-04-19 14:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 14:03 . 2010-04-19 14:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 14:26 . 2004-08-04 16:00 5376 ----a-w- c:\windows\system32\drivers\ViaIde.sys
2010-05-03 15:20 . 2005-07-08 17:23 44232 ----a-w- c:\documents and settings\Worldship\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 14:22 . 2010-03-24 14:22 -------- d-----w- c:\program files\DIFX
2010-03-24 14:22 . 2010-03-24 14:22 -------- d-----w- c:\program files\Garmin
2010-03-10 06:15 . 2004-08-04 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-05-12_14.40.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-18 14:39 . 2010-05-18 14:39 16384 c:\windows\temp\Perflib_Perfdata_7b4.dat
+ 2010-05-18 14:39 . 2010-05-18 14:39 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2004-08-04 16:00 . 2008-04-13 18:40 96512 c:\windows\SYSTEM32\DRIVERS\atapi.sys
- 2004-08-04 16:00 . 2010-05-11 19:46 96512 c:\windows\SYSTEM32\DRIVERS\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Worldship\Start Menu\Programs\Startup\
Shortcut to CONNECT.BAT.lnk - c:\lantasti\CONNECT.BAT [2005-7-14 791]
Hitman Pro 3.5.lnk - c:\program files\Hitman Pro 3.5\HitmanPro35[1].exe [2010-4-29 5937984]
Starup.lnk - c:\ups\WSTD\WorldShipTD.exe [2009-12-1 15429632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "u:\eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-17 17:07 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCTAVSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftpqueue]
2005-08-18 14:46 245760 ----a-w- c:\program files\WS_FTP Pro\ftpqueue.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2004-08-20 05:51 118784 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-14 18:50 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2004-08-20 05:55 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UPS"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"ReflectService"=2 (0x2)
"NMSAccessU"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$UPSWSDBSERVER"=2 (0x2)
"LexBceS"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ftpqueue"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP Pro\\FTP95PRO.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [11/13/2009 12:16 PM 28552]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\SYSTEM32\DRIVERS\pssnap.sys [5/20/2008 9:32 AM 15328]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/11/2010 3:22 PM 1872320]
R2 Afsd;LANtastic Installable File System;c:\windows\SYSTEM32\DRIVERS\Afsd.sys [8/10/2006 4:34 PM 69920]
R2 Ailb;LANtastic NetBIOS protocol;c:\windows\SYSTEM32\DRIVERS\Ntailb.sys [8/10/2006 4:34 PM 62880]
R2 Asnbpsd;LANtastic Client Protocol;c:\windows\SYSTEM32\DRIVERS\Asnbpsd.sys [8/10/2006 4:34 PM 40992]
R2 Atila;LANtastic Services;c:\windows\SYSTEM32\DRIVERS\Atila.sys [8/10/2006 4:34 PM 14816]
R2 Fsdk-wrap;LANtastic NT file system wrapper;c:\windows\SYSTEM32\DRIVERS\Fsdk-wrap.sys [8/10/2006 4:34 PM 200640]
R2 Ldbnt;LANtastic Database;c:\windows\SYSTEM32\DRIVERS\Ldbnt.sys [8/10/2006 4:34 PM 104416]
R2 LTXSRV;LANtastic Utilities;c:\windows\SYSTEM32\Ltxsrv.exe [8/10/2006 4:34 PM 34304]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Ntbrowse;LANtastic Computer Browser;c:\windows\SYSTEM32\DRIVERS\Ntbrowse.sys [8/10/2006 4:34 PM 10848]
R2 Ntlib;LANtastic Library;c:\windows\SYSTEM32\DRIVERS\Ltlib.sys [8/10/2006 4:34 PM 33568]
R2 Ntsvr;LANtastic Server Service;c:\windows\SYSTEM32\DRIVERS\Ntsvr.sys [8/10/2006 4:34 PM 47520]
R2 Ntsvrsnb;LANtastic Server Protocol;c:\windows\SYSTEM32\DRIVERS\Ntsvrsnb.sys [8/10/2006 4:34 PM 39072]
S3 LANtasticServer;LANtastic Server;c:\windows\SYSTEM32\services.exe [8/4/2004 12:00 PM 110592]
S3 LANtasticWorkstation;LANtastic Workstation;c:\windows\SYSTEM32\services.exe [8/4/2004 12:00 PM 110592]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 12:34 PM 216032]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
TCP: {7CCEA0CC-A4A9-44A1-A099-D1E34997E2FC} = 207.69.188.185,207.69.188.186
DPF: Garmin Communicator Plug-In
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 10:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A420AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef9852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e29bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e36a21
SendHandler -> NDIS.sys @ 0xb9e1487b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
c:\windows\System32\ltnp32.dll
c:\windows\System32\AUILIB.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ltshex.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\System32\ltnp32.dll
c:\windows\System32\AUILIB.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
.
**************************************************************************
.
Completion time: 2010-05-18 10:46:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-18 14:46
ComboFix2.txt 2010-05-17 20:16
ComboFix3.txt 2010-05-12 14:42
ComboFix4.txt 2010-04-30 19:37
ComboFix5.txt 2010-05-18 14:23

Pre-Run: 6,280,970,240 bytes free
Post-Run: 6,252,527,616 bytes free

- - End Of File - - C2E23246E318D8D9A9BAE3275F4920AD

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:48 AM

Posted 18 May 2010 - 12:44 PM

Hi!

Please post up a fresh GMER log.

#13 TurboMike

TurboMike
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 18 May 2010 - 02:00 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 14:58:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\pxtdapob.sys


---- Kernel code sections - GMER 1.0.15 ----

_PTEXT C:\WINDOWS\system32\DRIVERS\Ldbnt.sys entry point in "_PTEXT" section [0x9BC71A60]
? C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[504] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1028] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0329000A
.text C:\WINDOWS\System32\svchost.exe[1028] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0328000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1492] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\a-squared Free\a2service.exe[1864] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\explorer.exe[3128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\explorer.exe[3128] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\explorer.exe[3128] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

Device \Driver\Afsd \Device\ALT_AFSD fsdk-wrap.sys
Device \Driver\Afsd \Device\AFSD fsdk-wrap.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A420AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:48 AM

Posted 18 May 2010 - 02:52 PM

Hello, TurboMike.
We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note: If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt". Please copy and paste the contents of that file here.

In your next reply, please include the following:
  • TDSSKiller.txt


#15 TurboMike

TurboMike
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 18 May 2010 - 03:19 PM

16:14:12:578 2632 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
16:14:12:578 2632 ================================================================================
16:14:12:578 2632 SystemInfo:

16:14:12:578 2632 OS Version: 5.1.2600 ServicePack: 3.0
16:14:12:578 2632 Product type: Workstation
16:14:12:578 2632 ComputerName: UPS
16:14:12:578 2632 UserName: Worldship
16:14:12:578 2632 Windows directory: C:\WINDOWS
16:14:12:578 2632 Processor architecture: Intel x86
16:14:12:578 2632 Number of processors: 1
16:14:12:578 2632 Page size: 0x1000
16:14:12:578 2632 Boot type: Normal boot
16:14:12:578 2632 ================================================================================
16:14:12:593 2632 UnloadDriverW: NtUnloadDriver error 2
16:14:12:593 2632 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
16:14:12:640 2632 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:14:12:640 2632 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:14:12:640 2632 wfopen_ex: Trying to KLMD file open
16:14:12:640 2632 wfopen_ex: File opened ok (Flags 2)
16:14:12:640 2632 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:14:12:640 2632 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:14:12:640 2632 wfopen_ex: Trying to KLMD file open
16:14:12:640 2632 wfopen_ex: File opened ok (Flags 2)
16:14:12:640 2632 KLAVA engine initialized
16:14:12:828 2632 Initialize success
16:14:12:828 2632
16:14:12:828 2632 Scanning Services ...
16:14:13:156 2632 Raw services enum returned 347 services
16:14:13:171 2632
16:14:13:171 2632 Scanning Drivers ...
16:14:13:703 2632 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
16:14:13:828 2632 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:14:13:875 2632 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:14:14:046 2632 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
16:14:14:359 2632 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
16:14:14:453 2632 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:14:14:671 2632 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
16:14:14:937 2632 Afsd (8b9c6b76f7ccf408dcb1fac14ca8ea59) C:\WINDOWS\system32\DRIVERS\Afsd.sys
16:14:15:171 2632 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:14:15:421 2632 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
16:14:15:531 2632 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
16:14:15:671 2632 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
16:14:15:828 2632 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
16:14:16:093 2632 Ailb (ccc7b60a333c89448ede9ef3810154af) C:\WINDOWS\system32\DRIVERS\Ntailb.sys
16:14:16:218 2632 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
16:14:16:453 2632 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
16:14:16:531 2632 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
16:14:16:609 2632 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
16:14:16:750 2632 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
16:14:16:921 2632 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
16:14:17:062 2632 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
16:14:17:328 2632 Asnbpsd (b9795eb10bc392d8259f0ed8b21bf9e2) C:\WINDOWS\system32\DRIVERS\Asnbpsd.sys
16:14:17:421 2632 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:14:17:671 2632 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
16:14:18:187 2632 Atila (f1b1373be50aeada6624a22f28b96e5e) C:\WINDOWS\system32\DRIVERS\Atila.sys
16:14:18:265 2632 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:14:18:421 2632 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:14:18:640 2632 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
16:14:18:671 2632 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:14:19:062 2632 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
16:14:19:093 2632 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:14:19:265 2632 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
16:14:19:437 2632 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:14:19:656 2632 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:14:19:750 2632 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:14:19:796 2632 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
16:14:20:078 2632 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
16:14:20:234 2632 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
16:14:20:296 2632 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
16:14:20:437 2632 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
16:14:20:656 2632 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:14:20:781 2632 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:14:21:046 2632 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
16:14:21:093 2632 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:14:21:187 2632 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:14:21:359 2632 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
16:14:21:421 2632 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:14:21:578 2632 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
16:14:21:593 2632 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:14:21:640 2632 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:14:21:875 2632 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:14:22:078 2632 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:14:22:203 2632 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:14:22:468 2632 Fsdk-wrap (fa7f112d154d902b2d3aa6f384d744c7) C:\WINDOWS\system32\DRIVERS\fsdk-wrap.sys
16:14:22:500 2632 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:14:22:531 2632 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:14:22:718 2632 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:14:22:781 2632 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:14:22:828 2632 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
16:14:23:000 2632 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
16:14:23:218 2632 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
16:14:23:296 2632 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:14:23:390 2632 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:14:23:625 2632 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
16:14:23:843 2632 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:14:24:109 2632 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
16:14:24:203 2632 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:14:24:328 2632 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
16:14:24:437 2632 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:14:24:546 2632 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:14:24:796 2632 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:14:24:968 2632 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:14:25:046 2632 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:14:25:281 2632 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:14:25:515 2632 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:14:25:718 2632 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:14:26:015 2632 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:14:26:312 2632 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:14:26:390 2632 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:14:26:890 2632 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:14:27:000 2632 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:14:27:515 2632 Ldbnt (38862ff1d3e7a2a3185939bad889c1d9) C:\WINDOWS\system32\DRIVERS\Ldbnt.sys
16:14:27:687 2632 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
16:14:27:875 2632 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:14:27:937 2632 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:14:28:109 2632 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
16:14:28:296 2632 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:14:28:343 2632 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:14:28:546 2632 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:14:28:609 2632 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
16:14:28:812 2632 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:14:28:906 2632 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:14:29:125 2632 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:14:29:359 2632 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:14:29:562 2632 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:14:29:781 2632 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:14:30:046 2632 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:14:30:234 2632 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:14:30:468 2632 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:14:30:671 2632 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:14:30:875 2632 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:14:30:906 2632 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:14:31:203 2632 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:14:31:281 2632 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:14:31:437 2632 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:14:31:656 2632 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:14:31:921 2632 Ntbrowse (336b7ae1ae2e85d7a12193b880e64b90) C:\WINDOWS\system32\DRIVERS\Ntbrowse.sys
16:14:32:296 2632 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:14:32:781 2632 Ntlib (4858a950d8d4cb02bc85929a7f65eab9) C:\WINDOWS\system32\DRIVERS\ltlib.sys
16:14:35:921 2632 Ntsvr (ebabf8b6e3f8ab0e728b3a3e80266c58) C:\WINDOWS\system32\DRIVERS\Ntsvr.sys
16:14:36:203 2632 Ntsvrsnb (294f1e8a4eb5ab58092451c1ebb2b4e6) C:\WINDOWS\system32\DRIVERS\Ntsvrsnb.sys
16:14:36:250 2632 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:14:36:609 2632 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:14:36:812 2632 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:14:36:859 2632 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:14:37:093 2632 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:14:37:343 2632 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:14:37:578 2632 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:14:37:812 2632 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
16:14:37:859 2632 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:14:38:375 2632 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:14:38:578 2632 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:14:39:984 2632 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
16:14:40:156 2632 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
16:14:40:343 2632 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:14:40:406 2632 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:14:40:484 2632 pssnap (599dac0114eaf8edaf88b44d0c6183f6) C:\WINDOWS\system32\DRIVERS\pssnap.sys
16:14:40:671 2632 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:14:40:796 2632 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
16:14:40:937 2632 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
16:14:41:062 2632 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
16:14:41:203 2632 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
16:14:41:343 2632 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
16:14:41:359 2632 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:14:41:546 2632 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:14:41:734 2632 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:14:41:750 2632 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:14:41:953 2632 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:14:41:984 2632 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:14:42:156 2632 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:14:42:375 2632 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:14:42:468 2632 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:14:42:656 2632 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:14:42:687 2632 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:14:42:750 2632 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:14:42:859 2632 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:14:43:218 2632 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
16:14:43:250 2632 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
16:14:43:296 2632 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
16:14:43:453 2632 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:14:43:531 2632 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:14:43:796 2632 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
16:14:43:828 2632 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:14:43:953 2632 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:14:44:125 2632 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
16:14:44:265 2632 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
16:14:44:390 2632 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
16:14:44:515 2632 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
16:14:44:656 2632 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:14:44:796 2632 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:14:44:937 2632 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:14:45:046 2632 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:14:45:140 2632 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:14:45:187 2632 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
16:14:45:281 2632 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:14:45:328 2632 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
16:14:45:593 2632 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:14:45:796 2632 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
16:14:46:015 2632 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
16:14:46:250 2632 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:14:46:328 2632 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:14:46:515 2632 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
16:14:46:625 2632 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:14:46:734 2632 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:14:46:843 2632 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:14:46:937 2632 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:14:47:156 2632 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
16:14:47:390 2632 ViaIde (d428fd43b9325aed15e14be372117d3a) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:14:47:390 2632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\viaide.sys. Real md5: d428fd43b9325aed15e14be372117d3a, Fake md5: 3b3efcda263b8ac14fdf9cbdd0791b2e
16:14:47:390 2632 File "C:\WINDOWS\system32\DRIVERS\viaide.sys" infected by TDSS rootkit ... 16:14:50:218 2632 Backup copy not found, trying to cure infected file..
16:14:50:218 2632 Cure success, using it..
16:14:50:218 2632 will be cured on next reboot
16:14:50:359 2632 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:14:50:453 2632 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:14:50:796 2632 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:14:51:031 2632 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
16:14:51:093 2632 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:14:51:375 2632 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:14:51:640 2632 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:14:51:640 2632 Reboot required for cure complete..
16:14:51:640 2632 Cure on reboot scheduled successfully
16:14:51:640 2632
16:14:51:640 2632 Completed
16:14:51:640 2632
16:14:51:640 2632 Results:
16:14:51:640 2632 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:14:51:656 2632 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:14:51:656 2632
16:14:51:656 2632 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:14:51:656 2632 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:14:51:656 2632 UnloadDriverW: NtUnloadDriver error 1
16:14:51:656 2632 KLMD(ARK) unloaded successfully
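The log above contains the one detection that matters for this thread: the `Suspicious file (Forged)` record, where the MD5 the scanner computed by reading the driver through its own kernel module ("Real md5") differs from the MD5 returned through the normal file API ("Fake md5"), which is how a disk-I/O-hooking rootkit hides a patched driver. As an added example (editor-supplied Python, not part of the thread and not Kaspersky's code), here is a small parser for this log format that pulls out the driver table, the forged-file records and the result counters, un-fuses the line where two records were printed on one line, and turns them into the checks a responder would want answered. The sample lines are excerpted from the posted log; the field layout is inferred from that log and is an assumption about the format rather than a documented spec.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: lines excerpted from the TDSSKiller 2.3.0.0 log posted above,
# including the fused line where two records share one line of text.
SAMPLE_LOG = r"""16:14:47:390 2632 ViaIde (d428fd43b9325aed15e14be372117d3a) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:14:47:390 2632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\viaide.sys. Real md5: d428fd43b9325aed15e14be372117d3a, Fake md5: 3b3efcda263b8ac14fdf9cbdd0791b2e
16:14:47:390 2632 File "C:\WINDOWS\system32\DRIVERS\viaide.sys" infected by TDSS rootkit ... 16:14:50:218 2632 Backup copy not found, trying to cure infected file..
16:14:50:218 2632 Cure success, using it..
16:14:50:218 2632 will be cured on next reboot
16:14:51:640 2632 Reboot required for cure complete..
16:14:51:640 2632 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:14:51:656 2632 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every record starts with HH:MM:SS:mmm and the scanner's process id (layout assumed from the log).
RECORD_START = r"\d{2}:\d{2}:\d{2}:\d{3} \d+ "
RECORD_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
RESULT_RE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


@dataclass
class Forged:
    path: str
    real_md5: str   # hash from the raw read through the scanner's own kernel driver
    fake_md5: str   # hash returned through the normal (hooked) file API


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: List[Forged] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)
    reboot_required: bool = False


def split_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, pid, message) triples, un-fusing lines that carry two records."""
    records = []
    for line in text.splitlines():
        # A record printed without a trailing newline swallows the next one ("... 16:14:50:218 2632 Backup"),
        # so split in front of every embedded "timestamp pid " prefix, not only at line starts.
        for chunk in re.split(r"(?=" + RECORD_START + ")", line):
            chunk = chunk.strip()
            if not chunk:
                continue
            m = RECORD_RE.match(chunk)
            if m:
                records.append((m.group(1), m.group(2), m.group(3)))
    return records


def parse_log(text: str) -> Report:
    """Extract the driver table, forged-file detections and result counters."""
    report = Report()
    for _ts, _pid, msg in split_records(text):
        if (m := DRIVER_RE.match(msg)):
            report.drivers[m.group(1)] = (m.group(2), m.group(3))
        elif (m := FORGED_RE.match(msg)):
            report.forged.append(Forged(m.group(1), m.group(2), m.group(3)))
        elif (m := RESULT_RE.match(msg)):
            report.results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
        elif msg.startswith("Reboot required"):
            report.reboot_required = True
    return report


def triage(report: Report) -> List[str]:
    """Turn the parsed log into the questions a responder wants answered."""
    notes = []
    for f in report.forged:
        # In the posted log the driver-table hash equals the "Real md5", i.e. the table was built
        # from the raw read; flag it if a log ever disagrees, since then the raw read is suspect too.
        listed = next((md5 for md5, path in report.drivers.values()
                       if path.lower() == f.path.lower()), None)
        notes.append(f"{f.path}: hash via file API {f.fake_md5} != hash from raw read {f.real_md5}"
                     + ("" if listed == f.real_md5 else " (driver table hash disagrees, re-check)"))
    infected, cured, on_reboot = report.results.get("File", (0, 0, 0))
    if infected and infected != cured + on_reboot:
        notes.append(f"{infected - cured - on_reboot} infected file object(s) not scheduled for cure")
    if report.reboot_required:
        notes.append("reboot required before the cure is applied; re-run the scan afterwards")
    return notes


if __name__ == "__main__":
    for note in triage(parse_log(SAMPLE_LOG)):
        print(note)
```

On this log the triage reports the single forged driver with its two hashes and the pending reboot, and nothing about un-cured objects, because the `File objects` counter shows the one infected object scheduled for cure on reboot; that pending state is why the helper's next step in a thread like this is always a reboot followed by a re-scan.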