MBR Rootkit


  • This topic is locked
46 replies to this topic

#1 robertlasiter77


Posted 22 January 2009 - 06:27 PM

(this is from an original post in "am i infected") Topic referenced is here: http://www.bleepingcomputer.com/forums/t/195357/trojanvundoggi-and-trojanheur564e44/ ~ OB
constantly popping up....IE/Firefox keeps wanting to close.....I tried to manually remove, no luck...thanks for your assistance....much appreciated....I'm thinking of reformatting anyway but would like to resolve the issue first....recently downloaded eMule, not sure where these viruses came from, so if I could find out how to keep from reinstalling them after a format that would be nice....Dell Dimension 8300, WinXP, ZoneAlarm (but would like another) lol



DDS (Ver_09-01-19.01) - NTFSx86
Run by Terey at 17:16:36.87 on Thu 01/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1953 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Terey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: {2D87E553-BFA4-4923-949D-3F98214EFAF0} - No File
BHO: {559FF676-9B38-4FCF-A8EC-1C3D11444895} - No File
BHO: {6B7E770D-A4DD-4F62-BB43-AD6992763BF8} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {cd7ce864-2e76-4227-b0d6-7dc347f93bd7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {DDFDD282-5BD1-41D5-A02E-AF61A2109543} - No File
BHO: {f58e9862-a2e1-46d0-9f43-a29a4fce12a1} - c:\windows\system32\fccyaATN.dll
TB: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sonic RecordNow!]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083082046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129731338796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab31267.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15021/CTPID.cab
AppInit_DLLs: ugorty.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaATN
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\terey\applic~1\mozilla\firefox\profiles\8dexcyyk.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\FFComm.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-21 353680]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-3-16 2368]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\program files\magix\samplitude7_pro\mxasio.sys [2004-4-21 4899]
S3 Perfdatr;Perfdatr;c:\windows\system32\drivers\ati2mtag.sys [2003-12-12 595456]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-3-3 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-3-3 24576]
S4 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-27 44928]

=============== Created Last 30 ================

2009-01-21 14:28 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-21 14:25 --d----- c:\windows\ERUNT
2009-01-21 14:18 --d----- C:\SDFix
2009-01-16 15:16 1,645,320 a------- c:\windows\gdiplus.dll
2009-01-16 15:16 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-01-16 15:16 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-01-16 15:16 65,602 a------- c:\windows\system32\cook3260.dll
2009-01-16 14:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:28 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 12:06 87,608 a------- c:\docume~1\terey\applic~1\inst.exe
2009-01-15 08:41 127 a------- c:\windows\system32\MRT.INI
2009-01-12 09:17 332 a------- c:\windows\system32\BDUpdateV1.xml
2009-01-09 18:24 --d----- c:\program files\Spybot - Search & Destroy
2009-01-06 09:30 --d----- c:\program files\eMule
2009-01-04 23:05 1,212,416 a------- c:\windows\system32\AudioInfos.dll
2009-01-04 23:05 348,160 a------- c:\windows\system32\WMAFile.dll
2009-01-04 23:05 116,296 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-01-04 23:05 1,986,560 a------- c:\windows\system32\AudFile.dll
2009-01-04 23:05 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-01-04 23:05 40,960 a------- c:\windows\system32\SSubTmr6.dll
2009-01-04 23:05 15,360 a------- c:\windows\system32\inetfr.DLL
2009-01-04 23:05 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-01-04 23:05 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-01-04 23:05 44,544 a------- c:\windows\system32\msxml4a.dll
2008-12-31 09:52 421,888 a------- c:\windows\system32\ac3filter.acm
2008-12-31 09:52 --d----- c:\program files\AC3Filter
2008-12-28 11:09 4,958,588 a------- c:\windows\{00000002-00000000-00000001-00001102-00000004-20021102}.BAK
2008-12-26 12:38 --d----- C:\drvrtmp
2008-12-26 12:33 446,464 a----r-- c:\windows\system32\hhactivex.dll
2008-12-26 12:33 176,128 a------- c:\windows\system32\RcdScan.dll
2008-12-26 12:33 414,944 a------- c:\windows\system32\COMCT332.OCX
2008-12-26 12:33 328,480 a------- c:\windows\system32\ssa3d30.ocx
2008-12-26 12:33 171,967 a------- c:\windows\system32\Odbcjet.hlp
2008-12-26 12:33 7,348 a------- c:\windows\system32\Odbcjet.cnt
2008-12-24 14:46 --d----- c:\docume~1\terey\applic~1\Uniblue
2008-12-24 14:46 --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2008-12-23 21:10 --d----- c:\windows\OPTIONS
2008-12-23 21:10 --d----- c:\program files\Realtek

==================== Find3M ====================

2009-01-22 17:16 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-22 17:16 81,984 a------- c:\windows\system32\bdod.bin
2009-01-16 15:17 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-16 15:17 47,360 a------- c:\docume~1\terey\applic~1\pcouffin.sys
2009-01-15 09:20 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
2008-12-21 21:38 88,901 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-18 16:18 66,360 a------- c:\documents and settings\terey\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-16 23:27 23,348 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2006-11-02 09:18 81,920 a------- c:\docume~1\terey\applic~1\ezpinst.exe

============= FINISH: 17:17:54.59 ===============

Edited by Orange Blossom, 22 January 2009 - 06:30 PM.
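The "Pseudo HJT Report" section of the DDS log above is what the responder reads by eye. As an added example that is not part of this thread or of the DDS tool, the following Python script applies the same triage to those exact lines: AppInit_DLLs and LSA Authentication/Notification Packages entries beyond the Windows XP defaults (empty, msv1_0 and scecli respectively), orphaned or unnamed BHO/toolbar entries, and a module that shows up in more than one persistence location. The severities and the cross-reference rule are the example's own heuristics.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the "Pseudo HJT Report" in the DDS log above,
# plus two ordinary named entries so the clean path is exercised too.
SAMPLE_LOG = r"""
BHO: {2D87E553-BFA4-4923-949D-3F98214EFAF0} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {f58e9862-a2e1-46d0-9f43-a29a4fce12a1} - c:\windows\system32\fccyaATN.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - No File
AppInit_DLLs: ugorty.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaATN
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # which DDS line type produced the finding
    detail: str


# "BHO: <optional name>: {CLSID} - <path or 'No File'>"; TB: and SEH: lines share the shape.
COM_ENTRY = re.compile(
    r"^(?P<kind>BHO|TB|SEH): (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
LSA_ENTRY = re.compile(r"^LSA: (?P<key>Authentication|Notification) Packages = (?P<value>.*)$")

# What a stock Windows XP install has in these two LSA values; anything else needs an explanation.
LSA_DEFAULTS = {"Authentication": {"msv1_0"}, "Notification": {"scecli"}}


def basename(path: str) -> str:
    """Last path component, lower-cased, without .dll (LSA entries omit the extension)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(log_text: str) -> list[Finding]:
    """Walk the Pseudo HJT lines and return the entries a responder would question."""
    findings: list[Finding] = []
    module_refs: Counter = Counter()   # module -> number of persistence points loading it

    for line in log_text.splitlines():
        line = line.strip()
        if m := COM_ENTRY.match(line):
            if m["target"] == "No File":
                findings.append(Finding("low", m["kind"], f"orphaned {m['clsid']} (registered, file missing)"))
            else:
                module_refs[basename(m["target"])] += 1
                if not m["name"]:   # legitimate add-ons almost always register a display name
                    findings.append(Finding("medium", m["kind"], f"unnamed in-process component {m['target']}"))
        elif line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            # Empty on a stock XP system; every process that loads user32.dll also loads what is listed here.
            for dll in value.replace(",", " ").split():
                module_refs[basename(dll)] += 1
                findings.append(Finding("high", "AppInit_DLLs", f"{dll} is injected into every user-mode process"))
        elif m := LSA_ENTRY.match(line):
            for token in m["value"].split():
                if basename(token) not in LSA_DEFAULTS[m["key"]]:
                    module_refs[basename(token)] += 1
                    findings.append(Finding("high", f"LSA {m['key']} Packages",
                                            f"non-default package {token} runs inside lsass.exe"))

    # The same module registered both as a BHO and as an LSA package is one piece of code persisting twice.
    for module, count in module_refs.items():
        if count > 1:
            findings.append(Finding("high", "cross-reference", f"{module} is loaded from {count} persistence points"))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```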


#2 robertlasiter77


Posted 28 January 2009 - 05:04 PM

not trying to rush anyone...just checking if I'm doing this all right....?

#3 extremeboy

  • Malware Response Team

Posted 01 February 2009 - 12:33 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You have a very nasty infection over here.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Important! Please do not select the Show all checkbox during the scan.

Download and Run MBR Rootkit Scan

Unfortunately you have a Master Boot Record rootkit.
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning.
  • The process is automatic; a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe.
  • Copy and paste the contents of mbr.log in your next reply.
Let me know if there were any problems

Post back with:
-Combofix log
-GMER log
-MBR Log
-New DDS logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.
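The MBR scan requested above reports on the first sector of the disk. As an added illustration that is not the thread's or the mbr.exe tool's own code (the tool's internals are not described here), this Python snippet shows what such a check compares: a 512-byte MBR is split into its 446 bytes of boot code, the 64-byte partition table and the 0x55AA signature, and the current sector is diffed against a copy saved while the machine was known clean. Both sectors are constructed sample data; on a real system the current sector would be read from \\.\PhysicalDrive0 with administrative rights, and the baseline is assumed to have been stored off-host beforehand.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # offsets 0-445: the code the BIOS jumps to
TABLE_OFFSET = 446         # offsets 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # offsets 510-511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int           # e.g. 0x07 = NTFS
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> tuple[bytes, tuple[Partition, ...]]:
    """Split a raw MBR into (boot code, non-empty partition entries); raise if malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:] != SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4); CHS fields skipped
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if type_id != 0:   # type 0 marks an unused slot
            entries.append(Partition(status == 0x80, type_id, lba_start, count))
    return sector[:BOOT_CODE_LEN], tuple(entries)


def build_mbr(boot_code: bytes, partitions: list[Partition]) -> bytes:
    """Assemble a sector from its parts; used here only to construct the sample data."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sector_count)
        for p in partitions
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Describe how the MBR read now differs from the known-good copy."""
    base_code, base_parts = parse_mbr(baseline)
    cur_code, cur_parts = parse_mbr(current)
    findings = []
    if base_parts != cur_parts:
        findings.append("partition table differs from baseline")
    if base_code != cur_code:
        first_diff = next(i for i, (a, b) in enumerate(zip(base_code, cur_code)) if a != b)
        digest = hashlib.sha256(cur_code).hexdigest()[:16]
        findings.append(f"boot code differs from baseline starting at offset {first_diff} (sha256 {digest}...)")
        if base_parts == cur_parts:
            # Replacing only the loader keeps the system booting normally, which is exactly
            # why an MBR rootkit leaves the partition table alone.
            findings.append("boot code replaced while the partition table is intact: "
                            "the pattern an MBR rootkit leaves")
    return findings


# Constructed sample data: a placeholder loader (not real code) and one NTFS partition at sector 63.
CLEAN_BOOT_CODE = bytes(range(256)) * 2
NTFS = Partition(bootable=True, type_id=0x07, lba_start=63, sector_count=156_232_449)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [NTFS])
# Simulated infected sector: same partition table, first 64 bytes of the loader overwritten.
INFECTED_MBR = build_mbr(b"\xff" * 64 + CLEAN_BOOT_CODE[64:], [NTFS])

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr(CLEAN_MBR, CLEAN_MBR) or ["no differences"])
    for line in compare_mbr(CLEAN_MBR, INFECTED_MBR):
        print("clean vs infected:", line)
```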

#4 robertlasiter77


Posted 01 February 2009 - 01:24 PM

I apologize if I seemed to be impatient....I am not...I read my original post and someone's reply that said to leave my new post at 0 replies in order to avoid being skipped over.....of course I read this after I posted a second time:).......just wasn't sure if I was doing things right.......thx for your help, I will get right on this and reply....again I thank you for your help.....

#5 extremeboy

  • Malware Response Team

Posted 01 February 2009 - 01:31 PM

Hi.

Yes, avoid bumping your topic, otherwise you get moved back in line. Anyway, I'll wait for the logs and review them once they come in. Also tell me what kinds of problems you still have.

With Regards,
Extremeboy

#6 robertlasiter77


Posted 01 February 2009 - 11:15 PM

oh quick ?......should I have my external hard drive on during these scans.....ultimately I am going to format and reinstall the OS....but wanted to clear up as many issues as possible so that I don't re-infect.....don't know if the external drive can...cross-contaminate as they say.....thx, I will start the scan tomorrow upon your advice...good night

#7 extremeboy

  • Malware Response Team

Posted 02 February 2009 - 03:31 PM

Hello.

oh quick ?......should I have my external hard drive on during these scans.....ultimately I am going to format and reinstall the OS....but wanted to clear up as many issues as possible so that I don't re-infect.....don't know if the external drive can...cross-contaminate as they say.....thx, I will start the scan tomorrow upon your advice...good night

No. You do not need your external hard drive attached. Also, if you want to format, then please do not follow the instructions and proceed with the format. Cleaning you up and then formatting is a waste of my time and yours. A format will wipe out everything and therefore there will be no malware left. You won't get re-infected unless you backed up some "bad" file and it installed itself and creates another mess.

If you are going to format, it is best to back up only data files: music, pictures and other important work (.mp3, .jpg, .txt, .doc, .xml etc...). Do not back up any executables such as .bat, .exe, .scr etc...

Good luck on the format if you are going to do it. Otherwise post back with the logs I requested.

With Regards,
Extremeboy

#8 robertlasiter77


Posted 03 February 2009 - 03:55 PM

ComboFix 09-02-02.04 - Terey 2009-02-03 13:13:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2175 [GMT -6:00]
Running from: c:\documents and settings\Terey\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: Sygate Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Terey\Application Data\inst.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003634_.tmp.dll
c:\windows\system32\_003635_.tmp.dll
c:\windows\system32\_003642_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003644_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003653_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003655_.tmp.dll
c:\windows\system32\_003657_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003665_.tmp.dll
c:\windows\system32\_003666_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_003673_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003675_.tmp.dll
c:\windows\system32\_003676_.tmp.dll
c:\windows\system32\_003679_.tmp.dll
c:\windows\system32\_003680_.tmp.dll
c:\windows\system32\_003681_.tmp.dll
c:\windows\system32\_003682_.tmp.dll
c:\windows\system32\_003683_.tmp.dll
c:\windows\system32\_003688_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_005948_.tmp.dll
c:\windows\system32\_005949_.tmp.dll
c:\windows\system32\_005950_.tmp.dll
c:\windows\system32\_005951_.tmp.dll
c:\windows\system32\_005958_.tmp.dll
c:\windows\system32\_005959_.tmp.dll
c:\windows\system32\_005960_.tmp.dll
c:\windows\system32\_005961_.tmp.dll
c:\windows\system32\_005963_.tmp.dll
c:\windows\system32\_005964_.tmp.dll
c:\windows\system32\_005967_.tmp.dll
c:\windows\system32\_005968_.tmp.dll
c:\windows\system32\_005970_.tmp.dll
c:\windows\system32\_005971_.tmp.dll
c:\windows\system32\_005972_.tmp.dll
c:\windows\system32\_005974_.tmp.dll
c:\windows\system32\_005977_.tmp.dll
c:\windows\system32\_005978_.tmp.dll
c:\windows\system32\_005982_.tmp.dll
c:\windows\system32\_005983_.tmp.dll
c:\windows\system32\_005985_.tmp.dll
c:\windows\system32\_005988_.tmp.dll
c:\windows\system32\_005990_.tmp.dll
c:\windows\system32\_005991_.tmp.dll
c:\windows\system32\_005992_.tmp.dll
c:\windows\system32\_005993_.tmp.dll
c:\windows\system32\_005994_.tmp.dll
c:\windows\system32\_005997_.tmp.dll
c:\windows\system32\_005998_.tmp.dll
c:\windows\system32\_005999_.tmp.dll
c:\windows\system32\_006000_.tmp.dll
c:\windows\system32\_006001_.tmp.dll
c:\windows\system32\_006006_.tmp.dll
c:\windows\system32\_006008_.tmp.dll
c:\windows\system32\_006009_.tmp.dll
c:\windows\system32\comife.dll
c:\windows\system32\sqlkk.dll
c:\windows\system32\tmp.reg
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-01-27 19:54 . 2009-01-27 19:54 815 --a------ C:\rtsr_eml_sr.dat
2009-01-27 19:54 . 2009-01-27 19:54 132 --a------ C:\httpdwl.dat
2009-01-27 19:54 . 2009-01-27 19:54 128 --a------ C:\dwl.dat
2009-01-27 19:24 . 2009-01-27 19:24 16 --a------ C:\asdict.dat
2009-01-25 23:24 . 2009-01-25 23:24 <DIR> d-------- c:\program files\Sygate
2009-01-25 23:24 . 2004-10-15 18:32 83,096 --a------ c:\windows\SYSTEM32\SSSensor.dll
2009-01-25 23:24 . 2004-10-15 18:17 60,496 --a------ c:\windows\SYSTEM32\DRIVERS\Teefer.sys
2009-01-25 23:24 . 2004-10-15 18:18 21,075 --a------ c:\windows\SYSTEM32\DRIVERS\wpsdrvnt.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg6n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg5n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg4n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg3n.sys
2009-01-25 23:23 . 2009-01-25 23:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-21 14:28 . 2009-01-21 14:28 578,560 --a--c--- c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-21 14:25 . 2009-01-21 14:25 <DIR> d-------- c:\windows\ERUNT
2009-01-21 14:18 . 2009-01-21 15:02 <DIR> d-------- C:\SDFix
2009-01-16 15:16 . 2004-05-04 11:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-01-16 15:16 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\SYSTEM32\wvc1dmod.dll
2009-01-16 15:16 . 2006-05-11 19:21 626,688 --a------ c:\windows\SYSTEM32\vp7vfw.dll
2009-01-16 15:16 . 2007-03-18 20:37 65,602 --a------ c:\windows\SYSTEM32\cook3260.dll
2009-01-16 14:28 . 2009-01-16 14:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-16 14:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-15 08:41 . 2009-01-15 08:41 127 --a------ c:\windows\SYSTEM32\MRT.INI
2009-01-12 09:17 . 2009-01-28 20:03 642 --a------ c:\windows\SYSTEM32\BDUpdateV1.xml
2009-01-06 09:30 . 2009-01-31 04:09 <DIR> d-------- c:\program files\eMule
2009-01-04 23:05 . 2005-03-11 18:37 1,986,560 --a------ c:\windows\SYSTEM32\AudFile.dll
2009-01-04 23:05 . 2005-02-24 13:11 1,212,416 --a------ c:\windows\SYSTEM32\AudioInfos.dll
2009-01-04 23:05 . 2005-02-24 12:51 348,160 --a------ c:\windows\SYSTEM32\WMAFile.dll
2009-01-04 23:05 . 1998-07-12 22:00 141,312 --a------ c:\windows\SYSTEM32\MSCMCFR.DLL
2009-01-04 23:05 . 2000-10-01 18:00 119,568 --a------ c:\windows\SYSTEM32\VB6FR.DLL
2009-01-04 23:05 . 2005-01-10 13:54 116,296 --a------ c:\windows\SYSTEM32\NCTWMAProfiles.prx
2009-01-04 23:05 . 2003-04-18 15:29 44,544 --a------ c:\windows\SYSTEM32\msxml4a.dll
2009-01-04 23:05 . 2003-01-26 12:41 40,960 --a------ c:\windows\SYSTEM32\SSubTmr6.dll
2009-01-04 23:05 . 1998-07-12 18:00 32,768 --a------ c:\windows\SYSTEM32\CMDLGFR.DLL
2009-01-04 23:05 . 1998-07-12 22:00 15,360 --a------ c:\windows\SYSTEM32\inetfr.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 19:17 81,984 ----a-w c:\windows\SYSTEM32\bdod.bin
2009-02-02 03:33 --------- d-----w c:\documents and settings\Terey\Application Data\Azureus
2009-02-02 03:19 --------- d-----w c:\documents and settings\Terey\Application Data\Vso
2009-01-29 00:12 --------- d-----w c:\program files\Vuze
2009-01-26 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-01-22 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 21:17 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-01-16 21:17 47,360 ----a-w c:\documents and settings\Terey\Application Data\pcouffin.sys
2009-01-16 21:16 --------- d-----w c:\program files\VSO
2009-01-15 15:20 242,184 ----a-w c:\windows\system32\drivers\bdfsfltr.sys
2008-12-31 15:52 --------- d-----w c:\program files\AC3Filter
2008-12-31 01:54 --------- d-----w c:\program files\DivX
2008-12-27 16:12 --------- d-----w c:\documents and settings\Terey\Application Data\Uniblue
2008-12-27 16:12 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-26 18:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-24 03:10 --------- d-----w c:\program files\Realtek
2008-12-24 03:09 --------- d-----w c:\documents and settings\Terey\Application Data\InstallShield
2008-12-22 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-22 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2008-12-22 02:36 --------- d-----w c:\program files\Common Files\BitDefender
2008-12-22 02:36 --------- d-----w c:\documents and settings\Terey\Application Data\BitDefender
2008-12-22 02:35 --------- d-----w c:\program files\BitDefender
2008-12-19 02:28 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-19 02:28 --------- d-----w c:\program files\Windows Live
2008-12-19 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-19 02:18 --------- d-----w c:\program files\Citrix
2008-12-18 23:58 --------- d-----w c:\documents and settings\Terey\Application Data\MSN6
2008-12-18 22:18 66,360 ----a-w c:\documents and settings\Terey\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-17 06:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 23:59 66,360 ----a-w c:\documents and settings\Administrator.ROBERT\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-15 22:31 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-15 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-12-14 00:27 --------- d-----w c:\program files\Ahead
2008-12-14 00:26 --------- d-----w c:\program files\Common Files\Ahead
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 00:20 --------- d-----w c:\documents and settings\Terey\Application Data\Malwarebytes
2008-12-06 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-21 21:47 524,288 ----a-w c:\windows\SYSTEM32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\SYSTEM32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\SYSTEM32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\SYSTEM32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\SYSTEM32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\SYSTEM32\DivXWMPExtType.dll
2006-11-02 15:18 81,920 ----a-w c:\documents and settings\Terey\Application Data\ezpinst.exe
2009-01-15 15:20 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-26 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-04-10 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ugorty.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Terey^Start Menu^Programs^Startup^Folding@home 4.00.lnk]
backup=c:\windows\pss\Folding@home 4.00.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2234:TCP"= 2234:TCP:soulseek
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [2007-03-16 2368]
R3 bdfm;BDFM;c:\windows\SYSTEM32\DRIVERS\bdfm.sys [2008-09-18 111112]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\program files\Magix\samplitude7_pro\mxasio.sys [2004-04-21 4899]
S3 Perfdatr;Perfdatr;c:\windows\SYSTEM32\DRIVERS\ati2mtag.sys [2003-12-12 595456]
S3 ps_1394;ps_1394;c:\windows\SYSTEM32\DRIVERS\ps_1394.sys [2008-03-03 97152]
S3 ps_avs;ps_avs;c:\windows\SYSTEM32\DRIVERS\ps_avs.sys [2008-03-03 24576]
S4 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2007-12-27 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\vvculsjg.job
- c:\windows\system32\hgGabBrR.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D87E553-BFA4-4923-949D-3F98214EFAF0} - (no file)
BHO-{559FF676-9B38-4FCF-A8EC-1C3D11444895} - (no file)
BHO-{6B7E770D-A4DD-4F62-BB43-AD6992763BF8} - (no file)
BHO-{cd7ce864-2e76-4227-b0d6-7dc347f93bd7} - (no file)
BHO-{DDFDD282-5BD1-41D5-A02E-AF61A2109543} - (no file)
BHO-{F58E9862-A2E1-46D0-9F43-A29A4FCE12A1} - c:\windows\system32\fccyaATN.dll
HKCU-Run-Sonic RecordNow! - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Terey\Application Data\Mozilla\Firefox\Profiles\8dexcyyk.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 13:20:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3111455903-2278412001-43774650-1007\Software\Corel\WordPerfect\11\Power Bar\Power Bar Last Selected - \
* |*]
"0ZapfEllipt BT"=hex(80000006):30
"1GoudyOlSt BT"=hex(80000006):30
"2BankGothic Md BT"=hex(80000006):30
"3@DotumChe"=hex(80000006):30
"4Benguiat Bk BT"=hex(80000006):30
"5Batang"=hex(80000006):30

[HKEY_USERS\S-1-5-21-3111455903-2278412001-43774650-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e6,09,fc,77,0d,
78,99,70,c8,28,51,af,b0,29,a3,98,c4,f2,ff,fd,55,1e,83,a3,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,3a,47,fe,11,6f,
1f,69,c3,71,3b,04,66,8b,46,0d,96,4e,4c,02,d3,a8,2e,62,b4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,64,de,3e,db,1d,
95,a3,94,25,da,ec,7e,55,20,c9,26,a6,5c,d3,ba,d4,13,73,f2,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,0f,78,3e,3f,8e,
58,1b,8c,3e,1e,9e,e0,57,5a,93,61,6a,6f,a2,cb,91,3b,76,ff,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,96,77,7a,11,3d,
9a,3d,48,cd,44,cd,b9,a6,33,6c,cd,41,4c,15,1b,00,da,08,f1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,36,a0,29,b8,63,
b5,1e,62,b0,18,ed,a7,3f,8d,37,a4,9b,58,42,e9,3b,73,6e,e0,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,48,ff,96,a9,56,
68,3b,02,31,77,e1,ba,b1,f8,68,02,95,df,30,5c,9e,d4,03,f7,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,76,8d,c8,03,63,
4a,a4,57,83,6c,56,8b,a0,85,96,ab,a1,5a,cf,0b,8c,ae,7e,cb,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,62,d3,73,e9,ed,
7a,c3,21,51,fa,6e,91,28,9e,14,cc,f4,41,3a,df,2a,e0,fe,d7,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,bd,8d,4f,df,ca,
9b,f4,e8,b1,cd,45,5a,a8,c4,f8,b9,3a,66,e1,08,17,ca,dd,a3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,6d,b3,5f,e3,fe,
a1,f2,5e,e3,0e,66,d5,eb,bc,2f,6b,55,92,17,2b,a9,5e,af,41,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,37,2e,3c,3a,45,
6c,84,87,fa,ea,66,7f,d4,3b,6b,70,de,75,87,6a,ba,de,0c,10,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\savedump.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Sygate\SPF\Smc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-02-03 13:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 19:23:30

Pre-Run: 51,713,478,656 bytes free
Post-Run: 51,771,502,592 bytes free

380 --- E O F --- 2009-01-15 14:44:26
======================================================================================================================

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-03 14:19:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBAA3BB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBAA3B6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBAA3B470]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA8863BCE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA8863CBC]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBAA3BC50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBAA3B990]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xA8863B32]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBAA3BD60]

---- Kernel code sections - GMER 1.0.14 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F765E42C 4 Bytes [ 56, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F765E437 4 Bytes [ AC, F1, B9, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F765E442 4 Bytes [ 68, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F765E449 4 Bytes [ 5C, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F765E450 4 Bytes [ 62, 37, BA, 89 ]
PAGE ...
.text tcpip.sys!IPTransmit + 10FC A9290D3A 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 A9292690 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 A92A8454 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F750C3FD 7 Bytes CALL BAF1AFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 00FE2C73
.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 00FE2C30
.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 00FE2BF4
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FE2BD9
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FE2A65
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FE2B57
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FE2A9D
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FE2AD5
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3040] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Cdrom \Device\CdRom0 89BA3756
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Disk \Device\Harddisk0\DR0 89BA3756
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:3392 89BE28D0
Thread 4:3396 89BCFBE0
Thread 4:3400 89C17D00
Thread 4:3324 89BB0110

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf83cbd size 0x1fe
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----
========================================================================================================================


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0xdf83cbd size 0x1fe !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
===========================================================================================================================


DDS (Ver_09-01-19.01) - NTFSx86
Run by Terey at 14:42:16.14 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2119 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Documents and Settings\Terey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083082046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129731338796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab31267.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15021/CTPID.cab
AppInit_DLLs: ugorty.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\terey\applic~1\mozilla\firefox\profiles\8dexcyyk.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\FFComm.dll

============= SERVICES / DRIVERS ===============

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-3-16 2368]
S3 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\program files\magix\samplitude7_pro\mxasio.sys [2004-4-21 4899]
S3 Perfdatr;Perfdatr;c:\windows\system32\drivers\ati2mtag.sys [2003-12-12 595456]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-3-3 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-3-3 24576]
S4 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-27 44928]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-02-03 13:58 345 a------- c:\windows\gmer.ini
2009-01-27 19:54 815 a------- C:\rtsr_eml_sr.dat
2009-01-27 19:54 132 a------- C:\httpdwl.dat
2009-01-27 19:54 128 a------- C:\dwl.dat
2009-01-27 19:24 16 a------- C:\asdict.dat
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-01-25 23:24 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-01-25 23:24 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-01-25 23:24 83,096 a------- c:\windows\system32\SSSensor.dll
2009-01-25 23:24 <DIR> --d----- c:\program files\Sygate
2009-01-25 23:23 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-21 14:28 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-21 14:25 <DIR> --d----- c:\windows\ERUNT
2009-01-21 14:18 <DIR> --d----- C:\SDFix
2009-01-16 15:16 1,645,320 a------- c:\windows\gdiplus.dll
2009-01-16 15:16 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-01-16 15:16 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-01-16 15:16 65,602 a------- c:\windows\system32\cook3260.dll
2009-01-16 14:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 08:41 127 a------- c:\windows\system32\MRT.INI
2009-01-12 09:17 642 a------- c:\windows\system32\BDUpdateV1.xml
2009-01-06 09:30 <DIR> --d----- c:\program files\eMule
2009-01-04 23:05 1,212,416 a------- c:\windows\system32\AudioInfos.dll
2009-01-04 23:05 348,160 a------- c:\windows\system32\WMAFile.dll
2009-01-04 23:05 116,296 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-01-04 23:05 1,986,560 a------- c:\windows\system32\AudFile.dll
2009-01-04 23:05 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-01-04 23:05 40,960 a------- c:\windows\system32\SSubTmr6.dll
2009-01-04 23:05 15,360 a------- c:\windows\system32\inetfr.DLL
2009-01-04 23:05 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-01-04 23:05 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-01-04 23:05 44,544 a------- c:\windows\system32\msxml4a.dll

==================== Find3M ====================

2009-02-03 14:40 81,984 a------- c:\windows\system32\bdod.bin
2009-01-25 23:01 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-16 15:17 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-16 15:17 47,360 a------- c:\docume~1\terey\applic~1\pcouffin.sys
2009-01-15 09:20 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
2008-12-21 21:38 88,901 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-18 16:18 66,360 a------- c:\documents and settings\terey\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-16 23:27 23,348 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2006-11-02 09:18 81,920 a------- c:\docume~1\terey\applic~1\ezpinst.exe

============= FINISH: 14:42:54.87 ===============

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:06 AM

Posted 03 February 2009 - 05:44 PM

Hello again.

Very nasty infection you have here. The MBR rootkit is still active; let's see what we can do with it. A lot of things we need to do in this post, so take your time and do not rush it. Follow the instructions exactly as I have provided them for you. Any questions, feel free to ask. Ready? Let's begin.

Fix MBR Rootkit using MBR.exe

Please copy and paste MBR.exe to your C:\ directory so it will be easier to work with when I tell you the instructions. Then you may delete the MBR.exe on your desktop and the MBR.log log file on your desktop.
  • Go to Start>>Run>> In the Open field copy and paste the following (do not copy the word Code):
    c:\mbr.exe -f
  • Click Ok
  • You will get a security Warning please allow it to Run
  • MBR.exe will now begin to fix it. A black window will appear then disappear, this is normal.
  • Now go to your C:\ directory, please rename mbr.log into mbr2.log
    To rename, right-click on the log and select rename, input the name I requested above.
  • After you renamed it, please reboot your computer.
  • Once you reboot, please go to Start>>Run>> In the Open field copy and paste the following (do not copy the word Code):
    c:\mbr.exe
  • You will get a security warning once again, please allow it to run
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created at C:\mbr.log
  • Please post the contents of both C:\mbr2.log and C:\mbr.log log files in your next reply.
Let me know if there were any problems

Download and Run Scan with Prevx CSI Scan
  • Please download Prevx CSI and save it to your desktop.
  • Double click on the installation file package you just downloaded.
  • You will get a Security Warning, allow it to run
  • It will now begin to install itself.
    The installation process is automatic and should only take a few seconds
  • After the installation is complete, it will automatically begin to scan for rootkits.
  • The scan shouldn't take too long, so let it run while you have a drink of coffee or something. (Approximately 2-5 minutes).
  • Once it's complete, please go to Tools and Settings>>Save Scan Results
  • Save the scan result as PCSI.txt onto your desktop
  • Notepad will then open, please close it.
  • Please attach PCSI.txt on your next reply please.
    Do Not post it, because it is too big
Note: If the scan area was clean, then no need to attach the log back to me, just tell me the scan was clean please.
Let me know if there were any problems


Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\SYSTEM32\bdod.bin
    c:\windows\Tasks\vvculsjg.job 
    c:\windows\system32\hgGabBrR.dll 
    DirLook::
    c:\documents and settings\All Users\Application Data\vsosdk
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2234:TCP"=-
    "3587:TCP"=- 
    "3540:UDP"=- 
    "1723:TCP"=- 
    "1701:UDP"=- 
    "500:UDP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
    DDS::
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    Drivers::
    vsdatant
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and Run DrWebCureIt in Safe Mode

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click OK. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck Heuristic analysis under the Scanning tab, then click OK.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Yes to all if asked to cure or move the file(s) and select Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Post back with:
-MBR.log
-MBR2.log
-Combofix log
-New GMER log
-How is your computer running so far?


Attach back with:
-PCSI.txt
-DRWeb CureIt log

With Regards,
Extremeboy

Edited by extremeboy, 03 February 2009 - 05:58 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
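The mbr.exe output earlier in the thread reports a "copy of MBR" stashed in sector 62, which is what the `mbr.exe -f` step in the post above restores. The following is an added example, not code from the thread or from GMER/mbr.exe: it parses the MBR layout and scans the sectors before the first partition for a hidden copy whose partition table matches sector 0 but whose boot code does not, running on a constructed in-memory image. It models only the "copy of MBR" finding, not mbr.exe's comparison of user-mode and kernel-mode reads; the sector-62 placement and the placeholder boot-code bytes are constructed for the demo.

```python
"""Added example (not from the thread, GMER or mbr.exe): MBR parser plus a
check for a backup copy of the MBR hidden before the first partition.
Everything runs on an in-memory image built below; no real disk is read."""
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PART_TABLE_OFF = 446         # 4 partition entries x 16 bytes
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(sector: bytes) -> Optional[Dict]:
    """Split a sector into boot code and partition table, or None if not MBR-shaped."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        return None
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "start": lba, "size": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts}


def find_mbr_copies(image: bytes) -> List[Dict]:
    """Flag sectors between the MBR and the first partition that carry sector 0's
    partition table with different boot code: the layout mbr.exe reported above
    (original MBR parked in sector 62). A clean disk yields an empty list."""
    mbr = parse_mbr(image[:SECTOR])
    if mbr is None:
        raise ValueError("sector 0 is not a valid MBR")
    live = [p["start"] for p in mbr["partitions"] if p["type"] != 0]
    if not live:
        raise ValueError("no partitions defined in sector 0")
    last = min(min(live), len(image) // SECTOR)
    findings = []
    for lba in range(1, last):
        cand = parse_mbr(image[lba * SECTOR:(lba + 1) * SECTOR])
        if cand and cand["partitions"] == mbr["partitions"] and cand["boot_code"] != mbr["boot_code"]:
            findings.append({"sector": lba, "reason": "copy of MBR with different boot code"})
    return findings


def build_demo_image(infected: bool) -> bytes:
    """Constructed 64-sector image: one NTFS partition starting at LBA 63.
    With infected=True the clean MBR is stashed in sector 62 and sector 0's
    boot code is overwritten with placeholder bytes (not real malware code)."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000) + b"\x00" * 48
    clean_boot = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)  # stand-in code
    clean_mbr = clean_boot + table + SIGNATURE
    image = bytearray(clean_mbr + b"\x00" * (SECTOR * 63))
    if infected:
        image[62 * SECTOR:63 * SECTOR] = clean_mbr          # backup of the real MBR
        image[:BOOT_CODE_LEN] = b"\xeb" * BOOT_CODE_LEN     # placeholder replacement code
    return bytes(image)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        hits = find_mbr_copies(build_demo_image(label == "infected"))
        print(label, "->", hits or "no MBR copy found")
```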

#10 robertlasiter77

robertlasiter77
  • Topic Starter

  • Members
  • 77 posts
  • Local time:07:06 AM

Posted 03 February 2009 - 07:41 PM

I copied and pasted, but I got this error: Windows cannot find c:\mbr.exe. Please make sure you typed it correctly......

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:06 AM

Posted 03 February 2009 - 07:45 PM

Hello.

Check if mbr.exe is indeed in your C:\ directory. Tell me if it's there.

With Regards,
Extremeboy

#12 robertlasiter77

robertlasiter77
  • Topic Starter

  • Members
  • 77 posts
  • Local time:07:06 AM

Posted 03 February 2009 - 08:00 PM

Unless I'm overlooking it...I don't see it.......If you need a screenshot I'll be glad to do that...except I don't know how :)....Thx

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:06 AM

Posted 03 February 2009 - 08:08 PM

Hello.

Nope, no need for the screenshot. Let's try this again please.

Download MBR and save it to your C:\ Directory
  • Please download MBR Rootkit Detector and save it on your C:\ directory.
  • Click on the link and a security warning shall appear
  • Select Save
  • A browser window shall then appear
  • Click My Computer on your left hand side
  • Then Double click on your (C:) drive
  • Now click Save on your bottom right-corner
  • After done saving, please continue to follow my instructions in my previous post from top to bottom one at a time.
  • Any problems or questions, ask before continuing, like you did just now.
With Regards,
Extremeboy

#14 robertlasiter77

robertlasiter77
  • Topic Starter

  • Members
  • 77 posts
  • Local time:07:06 AM

Posted 03 February 2009 - 08:41 PM

Hi again......well, I click on save file but it doesn't give an option for where to save it to......it just downloads directly to the desktop....through the Firefox downloader. Should I just move the original MBR from the desktop to the C drive? Sorry if I am being stubborn.....and thx for your patience!!!!!!! with me

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:06 AM

Posted 03 February 2009 - 09:08 PM

Hello.

Oh I see you are using Firefox, I thought you were using IE. I'm not exactly sure how Firefox works. Right-click on mbr.exe and select copy. Go to your C:\ drive and right-click on any free space and select paste. Once you hit paste, make sure you see mbr.exe in your C:\ drive. After it's in your C:\ drive, follow the instructions in my previous post located over here (post #9).

With Regards,
Extremeboy