I'm being taken to random sites, randomly

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

I'm being taken to random sites, randomly I can't seem to shake it

#1 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 17 May 2011 - 11:30 PM

When I click on a link in Google it will open up the link, but also a new tab with some random site. Sometimes the site is sort of related to the links I'm clicking. Also new tabs will open up randomly without ever clicking a link, like a pop-up, always with a random site. I've run Malwarebytes free, IObit Advanced System Care free sometimes finding malware and removing it, but I still experience the random sites. Seems to happen less in Opera, more in Firefox and IE. I've looked at processes and can't seem to find any blatant offenders. I would totally read the forum tuts on how to remove it, but I don't know what "it" is. Thanks in advance, I really admire your guys' hard work.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 21:29:57.53 on Tue 05/17/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.339 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Opera\opera.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9n6pn6yn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 27576]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-2 352656]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-12 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-3 1803224]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-5-2 312152]
R3 gameport;FM801 PCI Joystick;c:\windows\system32\drivers\fmjoy.sys [2010-9-20 9728]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-11-15 584832]
R3 wdm_fm801;FM801 PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [2010-9-20 328320]
S4 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-11-15 274432]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-05-16 20:34:05 -------- d-----w- c:\docume~1\admini~1\applic~1\.clamwin
2011-05-16 20:33:42 -------- d-----w- c:\program files\ClamWin
2011-05-16 20:33:42 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-05-09 21:44:29 -------- d-----w- C:\Adobe
2011-05-03 05:12:13 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-03 05:12:09 -------- d-----w- c:\program files\Trend Micro
2011-05-03 05:05:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-05-03 05:02:30 -------- d-----w- c:\docume~1\admini~1\applic~1\IObit
2011-05-03 05:02:28 -------- d-----w- c:\program files\IObit
2011-05-02 20:58:41 54016 ----a-w- c:\windows\system32\drivers\wtha.sys
2011-05-02 16:20:49 -------- d-s---w- C:\ComboFicks
2011-05-02 15:55:45 -------- d-----w- C:\!KillBox
2011-05-01 04:14:06 -------- d-----w- c:\windows\system32\appmgmt
.
==================== Find3M ====================
.
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-13 03:33:02 285480 ----a-w- c:\windows\system32\guard32.dll
2011-03-12 22:13:33 65536 ----a-w- c:\program files\update_kernel.exe
2011-03-12 21:04:38 65536 ----a-w- c:\program files\win64checkKBDK.exe
2011-03-08 03:37:22 398760 ----a-r- c:\windows\system32\cpnprt2.cid
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-57REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x873124E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873187d0]; MOV EAX, [0x8731884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8733CAB8]
3 CLASSPNP[0xF784EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000060[0x8733E3B8]
5 ACPI[0xF77A5620] -> nt!IofCallDriver[0x804E37C5] -> [0x87376D98]
\Driver\atapi[0x8733E908] -> IRP_MJ_CREATE -> 0x873124E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x87312332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:31:38.01 ===============

Attached File(s)

Attach.txt (7.56K)
Number of downloads: 0
ark.log (396.89K)
Number of downloads: 1

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 May 2011 - 07:43 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 23 May 2011 - 07:54 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#4 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 23 May 2011 - 11:17 PM

Yes I still need more time. Thanks!

#5 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 23 May 2011 - 11:26 PM

no problem

gringo

<-- Don't worry every little bit helps.

#6 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 23 May 2011 - 11:51 PM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 22:32:13.43 on Mon 05/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.333 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9n6pn6yn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 27576]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-2 352656]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-12 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-3 1803224]
R3 gameport;FM801 PCI Joystick;c:\windows\system32\drivers\fmjoy.sys [2010-9-20 9728]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-11-15 584832]
R3 wdm_fm801;FM801 PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [2010-9-20 328320]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-5-2 312152]
S4 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-11-15 274432]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-05-22 01:14:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 20:34:05 -------- d-----w- c:\docume~1\admini~1\applic~1\.clamwin
2011-05-16 20:33:42 -------- d-----w- c:\program files\ClamWin
2011-05-16 20:33:42 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-05-09 21:44:29 -------- d-----w- C:\Adobe
2011-05-03 05:12:13 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-03 05:12:09 -------- d-----w- c:\program files\Trend Micro
2011-05-03 05:05:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-05-03 05:02:30 -------- d-----w- c:\docume~1\admini~1\applic~1\IObit
2011-05-03 05:02:28 -------- d-----w- c:\program files\IObit
2011-05-02 20:58:41 54016 ----a-w- c:\windows\system32\drivers\wtha.sys
2011-05-02 16:20:49 -------- d-s---w- C:\ComboFicks
2011-05-02 15:55:45 -------- d-----w- C:\!KillBox
2011-05-01 04:14:06 -------- d-----w- c:\windows\system32\appmgmt
.
==================== Find3M ====================
.
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-13 03:33:02 285480 ----a-w- c:\windows\system32\guard32.dll
2011-03-12 22:13:33 65536 ----a-w- c:\program files\update_kernel.exe
2011-03-12 21:04:38 65536 ----a-w- c:\program files\win64checkKBDK.exe
2011-03-08 03:37:22 398760 ----a-r- c:\windows\system32\cpnprt2.cid
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-57REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x873124E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873187d0]; MOV EAX, [0x8731884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8733CAB8]
3 CLASSPNP[0xF784EFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000060[0x8733E3B8]
5 ACPI[0xF77A5620] -> nt!IofCallDriver[0x804E37C5] -> [0x87376D98]
\Driver\atapi[0x8733E908] -> IRP_MJ_CREATE -> 0x873124E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x87312332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:34:07.04 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/16/2010 2:55:07 AM
System Uptime: 5/23/2011 8:54:16 PM (2 hours ago)
.
Motherboard: | | SiS-661
Processor: Intel® Celeron® CPU 2.66GHz | Socket 478 | 2666/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 167.315 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Linksys Wireless-G PCI Adapter
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\3&61AAA01&0&40
Manufacturer: Linksys, A Division of Cisco Systems, Inc.
Name: Linksys Wireless-G PCI Adapter
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\3&61AAA01&0&40
Service: RT2500
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.3
Advanced SystemCare 4
Advertising Center
AiO_Scan
AnyDVD
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AVI to DVD Converter
AviSynth 2.5
Belkin N Wireless USB Adapter Setup
BitTorrent
Bonjour
CCleaner
Certblaster CCNA (640-802)
Certification Preparation
Cheetah DVD Burner
ClamWin Free Antivirus 0.97
CloneDVD2
COMODO Internet Security
COMODO livePCsupport
ConvertXtoDVD 4.0.9.322
CoreFLAC Audio Decoder+Source Filter (remove only)
Coupon Printer for Windows
CutePDF Writer 2.8
DolbyFiles
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.1.0
FLAC 1.2.1b (remove only)
Garmin Communicator Plugin
Garmin POI Loader
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Guitar Pro 5.2
HashCheck Shell Extension (x86-32)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
Image Resizer Powertoy for Windows XP
ImagXpress
IObit Security 360
iTunes
Java Auto Updater
Java™ 6 Update 18
LeapFrog Connect
LeapFrog MyOwnLeaptop Plugin
LiconfinKbd
LimeWire PRO 5.0.11
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft National Language Support Downlevel APIs
Microsoft Office Access database engine 2007 (English)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable Package
Movie Templates - Starter Kit
Mozilla Firefox 4.0.1 (x86 en-US)
Nero 9
Nero ControlCenter
Nero Installer
Nero Recode
Nero Rescue Agent
Nero Vision
NeroBurningROM
neroxml
Opera 11.11
Picasa 3
QFolder
QuickTime
Realtek High Definition Audio Driver
SAPI Wrapper
Scan
Security Update for Windows Internet Explorer 8 (KB2360131)
Total Video Converter 3.71 100812
Train Signal Practice Exams
TTS Wrapper
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
US State and County Borders
USB Video Driver
Use the entry named LeapFrog Connect to uninstall (LeapFrog MyOwnLeaptop Plugin)
VDownloader 2.7.322
Videora iPod Converter 6
VirtualCloneDrive
WinAVI All in One Converter v1.1
Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media (08/31/2007 5.7.0831.0)
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (08/31/2007 5.7.0831.0)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Essentials Media Codec Pack 2.3d
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
WinPatrol 2010
WinRAR archiver
YouTube Downloader App 3.00
.
==== End Of File ===========================

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF6566000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3891200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF1CD000 C:\WINDOWS\System32\ati3duag.dll 3821568 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF572000 C:\WINDOWS\System32\ativvaxx.dll 2670592 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189056 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189056 bytes
0x804D7000 RAW 2189056 bytes
0x804D7000 WMIxWDM 2189056 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF138D000 C:\WINDOWS\system32\DRIVERS\RTL8192su.sys 585728 bytes (Realtek Semiconductor Corporation , Realtek RTL8192S USB NDIS Driver)
0xF7642000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF0FE000 C:\WINDOWS\System32\atikvmag.dll 540672 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF1574000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF4768000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF1659000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB8363000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xF64DD000 C:\WINDOWS\system32\drivers\fm801.sys 331776 bytes (ForteMedia, Inc., WDM PCI Audio Driver)
0xBF182000 C:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB80CA000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF16E5000 C:\WINDOWS\System32\DRIVERS\cmdguard.sys 233472 bytes (COMODO, COMODO Internet Security Sandbox Driver)
0xF488E000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF779F000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF75FF000 C:\WINDOWS\System32\DRIVERS\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF15E4000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF1631000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7749000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF64B9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF652E000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6496000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB807F000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xF160F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF76F9000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF776F000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF75E5000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7719000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7731000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF76E2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF646B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF762C000 inspect.sys 90112 bytes (COMODO, COMODO Internet Security Firewall Driver)
0xB8633000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6482000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6552000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF16B2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF76CF000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF778E000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF645A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xED9B5000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7A4E000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF788E000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF77FE000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF798E000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF5491000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF797E000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF5551000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF5D54000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF5501000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF780E000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF784E000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF5D24000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xF799E000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF79AE000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF782E000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6A1B000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xF79CE000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF54B1000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF5431000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF781E000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF79BE000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF785E000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xF77EE000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF5541000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF69FB000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF783E000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF796E000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF79DE000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF54D1000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB7E6F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF54A1000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7BC6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7B96000 C:\WINDOWS\system32\DRIVERS\sisnic.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)
0xF695C000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7B8E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7BA6000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xEE85F000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7A6E000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF694C000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF7ACE000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7BDE000 C:\WINDOWS\System32\DRIVERS\cmdhlp.sys 24576 bytes (COMODO, COMODO Internet Security Helper Driver)
0xF7AEE000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7BF6000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xF6B98000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7B9E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xEE867000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF7A7E000 VClone.sys 24576 bytes (Elaborate Bytes AG, VirtualCloneCD Driver)
0xF7AFE000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF6944000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7B36000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 20480 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xF7B26000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7AF6000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7A76000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7AAE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7BD6000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7A86000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7B86000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xEB2F3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7545000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xF6BF1000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB87CC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF6E9D000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF141C000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF7C02000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEB7A4000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF6EA1000 C:\WINDOWS\system32\DRIVERS\fmjoy.sys 12288 bytes (Windows ® 2000 DDK provider, Game Port Enumerator)
0x872AA000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF6E99000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7539000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7D4E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7CF0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7D96000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 8192 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xF7D42000 C:\WINDOWS\System32\Drivers\ElbyDelay.sys 8192 bytes (Elaborate Bytes AG, Elby Delay Lower Filter Driver)
0xF7D4C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7DA2000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D50000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7D44000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7D46000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7CEE000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7E11000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xED942000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7EDC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7DB6000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x87312332 ?_empty_? 3278 bytes
==============================================
>Stealth
==============================================
0xF7719000 WARNING: suspicious driver modification [atapi.sys::0x87312332]

No additional problems so far. I was wondering however about the DDS script. When I click on it to run it, it opens up a garbled mess in Notepad. I try right clicking to run as administrator and there isn't an option, just an "Open". The only way I know how to make it work is when right-clicking selecting "Run Sandboxed in Comodo" I don't know if that makes a difference. Thanks for your help.

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 24 May 2011 - 07:08 AM

Hello

I was wondering however about the DDS script.
do you have Autocad installed?

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#8 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 24 May 2011 - 07:47 PM

Ahh! Things got worse! The first google link I clicked on took me somewhere else, and got a Java 6 banner acting like it was loading, a Malware Protection fake virus scanning thing popped up too. I closed it. The java banner ended up with an error message in a window titled Java Virtual Machine Launcher saying "unable to access jarfile \\91.193.72.53\pub\new.avi I closed it. Im getting more Malware Protection fake notifications. I can see there is a new system tray icon. I wan't to kill it but will wait to see what you say.

ComboFix 11-05-24.01 - Administrator 05/24/2011 17:51:28.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.699 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\2gweorjqjutp92vjy9gake
c:\documents and settings\Administrator\Application Data\Adobe\plugs
c:\documents and settings\Administrator\Application Data\Adobe\plugs\mmc53.exe
c:\documents and settings\Administrator\Application Data\Adobe\shed
c:\documents and settings\Administrator\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\LocalService\2gweorjqjutp92vjy9gake
c:\windows\system32\Drivers\wtha.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-22 01:14 . 2011-05-22 01:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 20:34 . 2011-05-16 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-05-16 20:33 . 2011-05-16 20:33 -------- d-----w- c:\program files\ClamWin
2011-05-16 20:33 . 2011-05-16 20:33 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-05-13 03:54 . 2011-05-13 03:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2011-05-09 21:44 . 2011-05-09 21:44 -------- d-----w- C:\Adobe
2011-05-09 19:25 . 2011-05-09 19:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-05-06 02:06 . 2011-05-06 02:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-03 05:12 . 2011-05-03 05:12 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-03 05:12 . 2011-05-03 05:12 -------- d-----w- c:\program files\Trend Micro
2011-05-03 05:05 . 2011-05-03 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-03 05:02 . 2011-05-03 05:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-05-03 05:02 . 2011-05-03 05:26 -------- d-----w- c:\program files\IObit
2011-05-02 15:55 . 2011-05-02 15:55 -------- d-----w- C:\!KillBox
2011-04-25 02:25 . 2011-04-25 02:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-12 03:35 . 2011-04-12 03:35 5120 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7EA72399-EE18-40C6-90D5-8629ED6978AF}\IconTmpl.6CB586F0_5D86_454E_A763_2AAC2F44EA18.exe
2011-03-13 03:33 . 2010-03-04 02:54 285480 ----a-w- c:\windows\system32\guard32.dll
2011-03-13 03:33 . 2010-03-04 02:54 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-03-13 03:33 . 2010-03-04 02:54 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-03-13 03:33 . 2010-03-04 02:54 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-03-13 03:33 . 2010-03-04 02:54 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-03-12 22:13 . 2011-03-12 22:13 65536 ----a-w- c:\program files\update_kernel.exe
2011-03-12 21:04 . 2011-03-12 20:42 65536 ----a-w- c:\program files\win64checkKBDK.exe
2011-03-08 03:37 . 2010-10-18 17:07 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-14 16:26 . 2011-05-09 19:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2009-09-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2011-04-01_06.33.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-22 21:59 . 2001-08-22 21:59 27136 c:\windows\system32\WinNTDlls\CTL3D32.DLL
+ 2001-08-22 21:59 . 2001-08-22 21:59 45056 c:\windows\system32\Win98Dlls\ctl3d32.dll
+ 2011-04-25 04:06 . 2008-04-14 16:42 23552 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\wdmaud.drv
+ 2011-04-25 04:06 . 2008-04-14 11:15 49408 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\stream.sys
+ 2011-04-25 04:06 . 2008-04-14 11:15 60160 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\drmk.sys
+ 2011-04-25 04:06 . 2001-10-15 20:15 53248 c:\windows\system32\ReinstallBackups\0000\DriverFiles\FTdll32.dll
- 2001-08-23 12:00 . 2011-03-14 01:01 66042 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-05-11 02:21 66042 c:\windows\system32\perfc009.dat
+ 2002-03-27 21:29 . 2002-03-27 21:29 24576 c:\windows\system32\msxml3a.dll
+ 2010-03-22 02:04 . 2010-12-21 00:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-03-22 02:04 . 2010-04-29 21:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-03-22 02:04 . 2010-04-29 21:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-03-22 02:04 . 2010-12-21 00:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-05-31 04:34 . 2011-05-02 05:23 40208 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2008-04-14 03:42 . 2008-04-14 03:42 99328 c:\windows\rfierod.dll
+ 2011-04-25 04:06 . 2008-04-14 16:41 4096 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\ksuser.dll
+ 2010-05-30 05:51 . 2011-04-17 17:56 999496 c:\windows\system32\Restore\rstrlog.dat
+ 2011-04-25 04:06 . 2008-04-14 11:49 146048 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\portcls.sys
+ 2011-04-25 04:06 . 2008-04-14 11:46 141056 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\ks.sys
+ 2011-04-25 04:06 . 2001-08-21 03:47 270336 c:\windows\system32\ReinstallBackups\0000\DriverFiles\fmctrl.exe
+ 2011-04-25 04:06 . 2001-11-02 20:33 328320 c:\windows\system32\ReinstallBackups\0000\DriverFiles\fm801.sys
+ 2001-08-23 12:00 . 2011-05-11 02:21 429846 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-03-14 01:01 429846 c:\windows\system32\perfh009.dat
+ 2006-05-09 17:22 . 2006-05-09 17:22 196608 c:\windows\system32\MUPTestPrinter.exe
+ 2011-05-22 01:14 . 2011-05-22 01:14 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2007-05-04 21:33 . 2007-05-04 21:33 851968 c:\windows\system32\LocalAT.dll
+ 2010-03-16 23:43 . 2011-04-17 16:26 181040 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 03:42 . 2008-04-14 03:42 373248 c:\windows\iwajiwanomoh.dll
+ 2011-04-12 00:16 . 2011-04-12 00:16 836096 c:\windows\Installer\de7bc2.msi
+ 2010-12-31 03:06 . 2011-04-17 04:58 380928 c:\windows\Installer\{881F5DE8-9367-4B81-A325-E91BBC6472F9}\iTunesIco.exe
- 2010-12-31 03:06 . 2010-12-31 03:06 380928 c:\windows\Installer\{881F5DE8-9367-4B81-A325-E91BBC6472F9}\iTunesIco.exe
+ 2010-01-27 01:07 . 2011-05-22 01:14 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-05-03 05:12 . 2011-05-03 05:12 1094656 c:\windows\Installer\248541.msi
+ 2011-04-12 03:39 . 2011-04-12 03:39 6860800 c:\windows\Installer\198322e.msi
+ 2011-04-12 03:35 . 2011-04-12 03:35 1093632 c:\windows\Installer\194333d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-03-13 2548552]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-26 323976]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Networking Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Networking Utility.lnk
backup=c:\windows\pss\Belkin Wireless Networking Utility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2010-04-03 06:27 499712 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
2001-08-21 03:47 270336 ----a-w- c:\windows\system32\fmctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 00:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2010-11-19 19:38 193880 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 12:00 3072 ----a-w- c:\windows\system32\systray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2006-04-29 13:21 94208 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/3/2010 8:54 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/3/2010 8:54 PM 27576]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/2/2011 11:02 PM 352656]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/12/2010 8:23 PM 148744]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [5/2/2011 11:26 PM 312152]
R3 gameport;FM801 PCI Joystick;c:\windows\system32\drivers\fmjoy.sys [9/20/2010 5:11 PM 9728]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [11/15/2010 11:24 PM 584832]
R3 wdm_fm801;FM801 PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [9/20/2010 5:11 PM 328320]
S4 Belkin Wifi Service;Belkin Wifi Service;c:\program files\Belkin\F5D8053\v6\WifiSvc.exe [11/15/2010 11:24 PM 274432]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-24 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-03 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9n6pn6yn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-24 18:22
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-57REA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8730D332
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-1637723038-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,d6,e8,47,20,2f,00,48,a0,20,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,ca,e9,2c,bb,69,9d,42,b6,cf,3b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,d6,e8,47,20,2f,00,48,a0,20,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\guard32.dll
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-24 18:28:05
ComboFix-quarantined-files.txt 2011-05-25 00:27
ComboFix2.txt 2011-05-01 05:09
ComboFix3.txt 2011-04-25 18:57
ComboFix4.txt 2011-04-01 06:35
ComboFix5.txt 2011-05-02 16:23
.
Pre-Run: 179,584,733,184 bytes free
Post-Run: 180,539,645,952 bytes free
.
- - End Of File - - DDA8DF4754159E62A8BD21C517B664AE

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 24 May 2011 - 07:56 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#10 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 24 May 2011 - 08:10 PM

2011/05/24 19:01:58.0437 2500 TDSS rootkit removing tool 2.5.2.0 May 24 2011 11:01:23
2011/05/24 19:02:00.0453 2500 ================================================================================
2011/05/24 19:02:00.0453 2500 SystemInfo:
2011/05/24 19:02:00.0453 2500
2011/05/24 19:02:00.0453 2500 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/24 19:02:00.0453 2500 Product type: Workstation
2011/05/24 19:02:00.0453 2500 ComputerName: SPENC-PC
2011/05/24 19:02:00.0453 2500 UserName: Administrator
2011/05/24 19:02:00.0453 2500 Windows directory: C:\WINDOWS
2011/05/24 19:02:00.0453 2500 System windows directory: C:\WINDOWS
2011/05/24 19:02:00.0453 2500 Processor architecture: Intel x86
2011/05/24 19:02:00.0453 2500 Number of processors: 1
2011/05/24 19:02:00.0453 2500 Page size: 0x1000
2011/05/24 19:02:00.0453 2500 Boot type: Normal boot
2011/05/24 19:02:00.0453 2500 ================================================================================
2011/05/24 19:02:01.0656 2500 Initialize success
2011/05/24 19:02:04.0875 12680 ================================================================================
2011/05/24 19:02:04.0875 12680 Scan started
2011/05/24 19:02:04.0875 12680 Mode: Manual;
2011/05/24 19:02:04.0875 12680 ================================================================================
2011/05/24 19:02:08.0437 12680 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/24 19:02:09.0218 12680 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/24 19:02:10.0734 12680 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/24 19:02:11.0500 12680 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/05/24 19:02:12.0359 12680 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/24 19:02:17.0171 12680 AnyDVD (5a102fc9894247da311c19b62dae64f2) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2011/05/24 19:02:18.0000 12680 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/24 19:02:21.0015 12680 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/24 19:02:21.0875 12680 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/24 19:02:23.0656 12680 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/24 19:02:24.0703 12680 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/24 19:02:25.0500 12680 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/24 19:02:26.0468 12680 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/24 19:02:28.0015 12680 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/24 19:02:28.0781 12680 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/24 19:02:29.0578 12680 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/24 19:02:31.0203 12680 cmdGuard (dd530ee7d9efbb0ec42aebe7226b8a93) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2011/05/24 19:02:32.0000 12680 cmdHlp (07cbbe993ed08a52dafac1e6cf27b6a5) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2011/05/24 19:02:35.0984 12680 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/24 19:02:36.0828 12680 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/24 19:02:37.0703 12680 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/24 19:02:38.0468 12680 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/24 19:02:39.0296 12680 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/24 19:02:40.0843 12680 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/24 19:02:41.0593 12680 ElbyCDIO (fa13264eea448b2e1b3a844ae4f75c7a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/05/24 19:02:42.0406 12680 ElbyDelay (df9957db3bfe5136aad3c2c101806c98) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
2011/05/24 19:02:43.0187 12680 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/24 19:02:43.0984 12680 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/24 19:02:44.0859 12680 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/24 19:02:45.0609 12680 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/24 19:02:46.0468 12680 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/24 19:02:47.0281 12680 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/24 19:02:48.0062 12680 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/24 19:02:48.0890 12680 gameport (7ee9a39c7d9d17aa537baef0e1c358cb) C:\WINDOWS\system32\DRIVERS\fmjoy.sys
2011/05/24 19:02:49.0671 12680 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/24 19:02:50.0484 12680 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/24 19:02:51.0296 12680 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/05/24 19:02:52.0093 12680 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/24 19:02:53.0640 12680 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/24 19:02:54.0421 12680 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/24 19:02:55.0296 12680 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/24 19:02:56.0062 12680 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/24 19:02:58.0343 12680 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/24 19:02:59.0187 12680 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/24 19:03:00.0843 12680 Inspect (8154a2c13b72b08db11157673c60c3eb) C:\WINDOWS\system32\DRIVERS\inspect.sys
2011/05/24 19:03:02.0468 12680 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/24 19:03:03.0265 12680 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/24 19:03:04.0078 12680 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/24 19:03:04.0828 12680 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/24 19:03:05.0671 12680 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/24 19:03:06.0500 12680 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/24 19:03:07.0281 12680 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/24 19:03:08.0093 12680 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/24 19:03:08.0828 12680 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/24 19:03:09.0656 12680 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/24 19:03:10.0484 12680 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/24 19:03:12.0078 12680 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/24 19:03:12.0812 12680 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/24 19:03:13.0593 12680 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/24 19:03:15.0234 12680 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/24 19:03:16.0109 12680 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/24 19:03:16.0906 12680 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/24 19:03:17.0703 12680 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/24 19:03:18.0484 12680 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/24 19:03:19.0296 12680 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/24 19:03:20.0046 12680 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/24 19:03:20.0937 12680 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/24 19:03:21.0781 12680 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/24 19:03:22.0500 12680 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/24 19:03:23.0375 12680 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/24 19:03:24.0125 12680 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/24 19:03:24.0875 12680 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/24 19:03:25.0656 12680 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/24 19:03:26.0875 12680 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/24 19:03:27.0656 12680 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/24 19:03:28.0484 12680 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/24 19:03:29.0281 12680 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/24 19:03:30.0093 12680 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/24 19:03:30.0921 12680 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/24 19:03:31.0703 12680 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/24 19:03:32.0546 12680 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/24 19:03:33.0375 12680 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/24 19:03:34.0125 12680 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/24 19:03:34.0859 12680 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/24 19:03:35.0812 12680 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/24 19:03:37.0453 12680 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/24 19:03:38.0218 12680 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/24 19:03:39.0015 12680 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/05/24 19:03:44.0484 12680 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/24 19:03:45.0343 12680 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/24 19:03:46.0109 12680 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/24 19:03:50.0734 12680 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/24 19:03:51.0546 12680 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/24 19:03:52.0312 12680 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/24 19:03:53.0093 12680 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/24 19:03:53.0921 12680 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/24 19:03:54.0750 12680 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/24 19:03:55.0531 12680 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/24 19:03:56.0359 12680 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/24 19:03:57.0187 12680 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/24 19:03:58.0031 12680 RT2500 (e2988349fe0567cbe4161cc653575a8e) C:\WINDOWS\system32\DRIVERS\RT2500.sys
2011/05/24 19:03:58.0843 12680 RTL8192su (19e1cc285f736616b7379a7462fc438a) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
2011/05/24 19:03:59.0671 12680 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/24 19:04:00.0484 12680 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/24 19:04:01.0328 12680 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/24 19:04:02.0109 12680 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/24 19:04:03.0734 12680 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
2011/05/24 19:04:04.0515 12680 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/05/24 19:04:06.0093 12680 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/24 19:04:06.0937 12680 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/24 19:04:07.0734 12680 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/24 19:04:08.0531 12680 ss_bus (54946449a0eb74915a4bb34f7ee51a5a) C:\WINDOWS\system32\DRIVERS\ss_bus.sys
2011/05/24 19:04:09.0328 12680 ss_mdfl (4450bc0b2e9d7d9b90e3c3de4ea00a78) C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
2011/05/24 19:04:10.0093 12680 ss_mdm (30b8d0dd01ead1243f329caf7d7d1517) C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
2011/05/24 19:04:10.0875 12680 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/05/24 19:04:11.0656 12680 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/24 19:04:12.0453 12680 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/24 19:04:16.0234 12680 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/24 19:04:17.0125 12680 Tcpip (a29e1209f925a0e9b330e11da5fc7bab) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/24 19:04:17.0875 12680 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/24 19:04:18.0703 12680 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/24 19:04:19.0562 12680 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/24 19:04:21.0171 12680 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2011/05/24 19:04:22.0000 12680 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/24 19:04:23.0578 12680 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/24 19:04:24.0421 12680 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/24 19:04:25.0187 12680 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/24 19:04:26.0000 12680 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/24 19:04:26.0750 12680 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/24 19:04:27.0578 12680 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/24 19:04:28.0453 12680 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/24 19:04:29.0187 12680 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/24 19:04:29.0984 12680 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/24 19:04:30.0828 12680 VClone (1a131c2ca1b99542f9b0dd0c901f6587) C:\WINDOWS\system32\DRIVERS\VClone.sys
2011/05/24 19:04:31.0578 12680 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/24 19:04:33.0218 12680 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/24 19:04:34.0015 12680 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/24 19:04:35.0562 12680 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/24 19:04:36.0390 12680 wdm_fm801 (cbf2290ecaa5d56246b96abeaf99730d) C:\WINDOWS\system32\drivers\fm801.sys
2011/05/24 19:04:37.0343 12680 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/24 19:04:38.0187 12680 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/24 19:04:39.0000 12680 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/24 19:04:39.0156 12680 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/05/24 19:04:39.0171 12680 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/24 19:04:39.0171 12680 ================================================================================
2011/05/24 19:04:39.0171 12680 Scan finished
2011/05/24 19:04:39.0171 12680 ================================================================================
2011/05/24 19:04:39.0203 12616 Detected object count: 1
2011/05/24 19:04:39.0203 12616 Actual detected object count: 1
2011/05/24 19:05:44.0609 12616 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/24 19:05:44.0609 12616 \Device\Harddisk0\DR0 - ok
2011/05/24 19:05:44.0609 12616 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/05/24 19:06:09.0015 14316 Deinitialize success

#11 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 24 May 2011 - 08:20 PM

Comodo just popped up an alert of a malicious item located at c:\programfiles\opera\0.7834830152246541.exe

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 24 May 2011 - 08:58 PM

Now rerun combofix for me now

gringo

<-- Don't worry every little bit helps.

#13 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 24 May 2011 - 09:24 PM

ComboFix 11-05-24.01 - Administrator 05/24/2011 20:06:38.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.685 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\defender
c:\documents and settings\All Users\Application Data\defender.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-25 01:48 . 2004-09-29 18:14 69632 ----a-w- c:\windows\system32\HPZipm12.2
2011-05-25 01:26 . 2004-09-29 18:14 69632 ----a-w- c:\windows\system32\HPZipm12.1
2011-05-22 01:14 . 2011-05-22 01:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 20:34 . 2011-05-16 20:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-05-16 20:33 . 2011-05-16 20:33 -------- d-----w- c:\program files\ClamWin
2011-05-16 20:33 . 2011-05-16 20:33 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-05-13 03:54 . 2011-05-13 03:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2011-05-09 21:44 . 2011-05-09 21:44 -------- d-----w- C:\Adobe
2011-05-09 19:25 . 2011-05-09 19:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-05-06 02:06 . 2011-05-06 02:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-03 05:12 . 2011-05-03 05:12 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-03 05:12 . 2011-05-03 05:12 -------- d-----w- c:\program files\Trend Micro
2011-05-03 05:05 . 2011-05-03 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-03 05:02 . 2011-05-03 05:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2011-05-03 05:02 . 2011-05-03 05:26 -------- d-----w- c:\program files\IObit
2011-05-02 15:55 . 2011-05-02 15:55 -------- d-----w- C:\!KillBox
2011-04-25 02:25 . 2011-04-25 02:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-12 03:35 . 2011-04-12 03:35 5120 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7EA72399-EE18-40C6-90D5-8629ED6978AF}\IconTmpl.6CB586F0_5D86_454E_A763_2AAC2F44EA18.exe
2011-03-13 03:33 . 2010-03-04 02:54 285480 ----a-w- c:\windows\system32\guard32.dll
2011-03-13 03:33 . 2010-03-04 02:54 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-03-13 03:33 . 2010-03-04 02:54 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-03-13 03:33 . 2010-03-04 02:54 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-03-13 03:33 . 2010-03-04 02:54 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-03-12 22:13 . 2011-03-12 22:13 65536 ----a-w- c:\program files\update_kernel.exe
2011-03-12 21:04 . 2011-03-12 20:42 65536 ----a-w- c:\program files\win64checkKBDK.exe
2011-03-08 03:37 . 2010-10-18 17:07 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-04-14 16:26 . 2011-05-09 19:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2009-09-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2011-04-01_06.33.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-22 21:59 . 2001-08-22 21:59 27136 c:\windows\system32\WinNTDlls\CTL3D32.DLL
+ 2001-08-22 21:59 . 2001-08-22 21:59 45056 c:\windows\system32\Win98Dlls\ctl3d32.dll
+ 2011-04-25 04:06 . 2008-04-14 16:42 23552 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\wdmaud.drv
+ 2011-04-25 04:06 . 2008-04-14 11:15 49408 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\stream.sys
+ 2011-04-25 04:06 . 2008-04-14 11:15 60160 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\drmk.sys
+ 2011-04-25 04:06 . 2001-10-15 20:15 53248 c:\windows\system32\ReinstallBackups\0000\DriverFiles\FTdll32.dll
+ 2001-08-23 12:00 . 2011-05-25 01:11 66042 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2011-03-14 01:01 66042 c:\windows\system32\perfc009.dat
+ 2002-03-27 21:29 . 2002-03-27 21:29 24576 c:\windows\system32\msxml3a.dll
+ 2010-03-16 09:19 . 2004-09-29 18:09 57344 c:\windows\system32\HPZisn12.dll
- 2010-03-16 09:19 . 2004-09-29 19:09 57344 c:\windows\system32\HPZisn12.dll
- 2010-03-16 09:19 . 2004-09-29 19:09 94208 c:\windows\system32\HPZipt12.dll
+ 2010-03-16 09:19 . 2004-09-29 18:09 94208 c:\windows\system32\HPZipt12.dll
- 2010-03-16 09:19 . 2004-09-29 19:08 61440 c:\windows\system32\HPZinw12.exe
+ 2010-03-16 09:19 . 2004-09-29 18:08 61440 c:\windows\system32\HPZinw12.exe
+ 2010-03-22 02:04 . 2010-12-21 00:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-03-22 02:04 . 2010-04-29 21:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-03-22 02:04 . 2010-04-29 21:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-03-22 02:04 . 2010-12-21 00:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-05-31 04:34 . 2011-05-02 05:23 40208 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2008-04-14 03:42 . 2008-04-14 03:42 99328 c:\windows\rfierod.dll
+ 2011-04-25 04:06 . 2008-04-14 16:41 4096 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\ksuser.dll
+ 2010-05-30 05:51 . 2011-04-17 17:56 999496 c:\windows\system32\Restore\rstrlog.dat
+ 2011-04-25 04:06 . 2008-04-14 11:49 146048 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\portcls.sys
+ 2011-04-25 04:06 . 2008-04-14 11:46 141056 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\ks.sys
+ 2011-04-25 04:06 . 2001-08-21 03:47 270336 c:\windows\system32\ReinstallBackups\0000\DriverFiles\fmctrl.exe
+ 2011-04-25 04:06 . 2001-11-02 20:33 328320 c:\windows\system32\ReinstallBackups\0000\DriverFiles\fm801.sys
+ 2001-08-23 12:00 . 2011-05-25 01:11 429846 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-03-14 01:01 429846 c:\windows\system32\perfh009.dat
+ 2006-05-09 17:22 . 2006-05-09 17:22 196608 c:\windows\system32\MUPTestPrinter.exe
+ 2011-05-22 01:14 . 2011-05-22 01:14 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2007-05-04 21:33 . 2007-05-04 21:33 851968 c:\windows\system32\LocalAT.dll
- 2010-03-16 09:19 . 2004-09-29 19:15 204800 c:\windows\system32\HPZipr12.dll
+ 2010-03-16 09:19 . 2004-09-29 18:15 204800 c:\windows\system32\HPZipr12.dll
- 2010-03-16 09:19 . 2004-09-29 19:12 278584 c:\windows\system32\HPZidr12.dll
+ 2010-03-16 09:19 . 2004-09-29 18:12 278584 c:\windows\system32\HPZidr12.dll
+ 2010-03-16 23:43 . 2011-04-17 16:26 181040 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 03:42 . 2008-04-14 03:42 373248 c:\windows\iwajiwanomoh.dll
- 2010-03-16 09:19 . 1998-10-29 23:45 306688 c:\windows\IsUninst.exe
+ 2010-03-16 09:19 . 1998-10-29 22:45 306688 c:\windows\IsUninst.exe
+ 2011-04-12 00:16 . 2011-04-12 00:16 836096 c:\windows\Installer\de7bc2.msi
+ 2010-12-31 03:06 . 2011-04-17 04:58 380928 c:\windows\Installer\{881F5DE8-9367-4B81-A325-E91BBC6472F9}\iTunesIco.exe
- 2010-12-31 03:06 . 2010-12-31 03:06 380928 c:\windows\Installer\{881F5DE8-9367-4B81-A325-E91BBC6472F9}\iTunesIco.exe
+ 2010-01-27 01:07 . 2011-05-22 01:14 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-05-03 05:12 . 2011-05-03 05:12 1094656 c:\windows\Installer\248541.msi
+ 2011-04-12 03:39 . 2011-04-12 03:39 6860800 c:\windows\Installer\198322e.msi
+ 2011-04-12 03:35 . 2011-04-12 03:35 1093632 c:\windows\Installer\194333d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-04-21 402832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-03-13 2548552]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-26 323976]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Networking Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Networking Utility.lnk
backup=c:\windows\pss\Belkin Wireless Networking Utility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2010-04-03 06:27 499712 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
2001-08-21 03:47 270336 ----a-w- c:\windows\system32\fmctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 00:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2010-11-19 19:38 193880 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 12:00 3072 ----a-w- c:\windows\system32\systray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2006-04-29 13:21 94208 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/3/2010 8:54 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/3/2010 8:54 PM 27576]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/2/2011 11:02 PM 352656]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/12/2010 8:23 PM 148744]
R3 gameport;FM801 PCI Joystick;c:\windows\system32\drivers\fmjoy.sys [9/20/2010 5:11 PM 9728]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [11/15/2010 11:24 PM 584832]
R3 wdm_fm801;FM801 PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [9/20/2010 5:11 PM 328320]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [5/2/2011 11:26 PM 312152]
S4 Belkin Wifi Service;Belkin Wifi Service;c:\program files\Belkin\F5D8053\v6\WifiSvc.exe [11/15/2010 11:24 PM 274432]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HPJMPR50
*Deregistered* - HPJMPR50
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-25 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-03 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9n6pn6yn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-24 20:15
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-1637723038-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,d6,e8,47,20,2f,00,48,a0,20,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,ca,e9,2c,bb,69,9d,42,b6,cf,3b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,d6,e8,47,20,2f,00,48,a0,20,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\guard32.dll
.
Completion time: 2011-05-24 20:23:37
ComboFix-quarantined-files.txt 2011-05-25 02:23
ComboFix2.txt 2011-05-25 00:28
ComboFix3.txt 2011-05-01 05:09
ComboFix4.txt 2011-04-25 18:57
ComboFix5.txt 2011-05-25 02:05
.
Pre-Run: 180,095,578,112 bytes free
Post-Run: 180,438,409,216 bytes free
.
- - End Of File - - 69F094B00445F10604F5D5128ABE1F6F

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 25 May 2011 - 05:37 AM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter

File sharing infects 500,000 computers

USAToday

infoworld

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 9.4.3

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#15 aGOREaPHOBIa

New Member

Group: Members
Posts: 13
Joined: 17-May 11

Posted 25 May 2011 - 06:58 PM

So far I haven't been redirected to any random sites. Woohoo! I downloaded and installed the foxit pdf reader, and I swear I unchecked the install Asktoolbar junk, but WinPatrol keeps giving me an alert that an add-on is has been installed in IE and asks if I approve. The alert is for "GenericAskToolbar.dll" C:\Program Files\Ask.com\GenericAskToolbar.dll I deleted the folder the alert says it's located in but it still keeps popping up, twice in a row every couple of minutes. Can you help me track it down and get rid of it? Thanks a million

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6679

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2011 5:44:04 PM
mbam-log-2011-05-25 (17-44-04).txt

Scan type: Quick scan
Objects scanned: 139488
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Opera\0.7834830152246541.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:49:07 PM, on 5/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5099 bytes