TDSS rootkit variant infection confirmed


  • This topic is locked
11 replies to this topic

#1 pushwood

pushwood

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:22 AM

Posted 07 November 2009 - 02:21 PM

Hello Helpful Folk,

I am infected with a nasty tdss rootkit malware that has so far defied ALL attempts at cleanup and MOST attempts at detection. The virus was contracted from an unknown Internet site about 10 days ago. I (until now) have never used any antivirus software, no spyware detector, etc. I have always practiced care in what I was allowing to run using native operating system (Windows), browser and email client settings as well as common sense not to open up any executables or visit any dastardly sites. I always considered this the better option instead of suffering the loss of system resources dedicated to hungry protection software.

My Windows XP SP3 based computer has and did have the latest Windows Updates.

I had Windows Firewall enabled on top of the firmware firewall in my ATT 2-Wire modem/router.

This is a stand alone computer and any wireless capability is disabled in the modem.


Firefox suffers from the Google search redirection. The redirection always points first to hXXp://z43523673.cn, after which it seems to go on a click for cash run of as many as 4 hops to other search results, and oftentimes some fake anti-malware site that locks Firefox with a couple of dialog boxes to where you cannot even close Firefox without killing its process with Process Explorer. As a workaround to suffering this search redirection I have discovered that choosing to open the search result URL in an IE tab within Firefox will allow it to access the URL totally unfettered. (Must have the IE Tab plugin for Firefox installed).

The malware has edited XP's group user policy settings somehow. I am sometimes locked out of privileges and rights for certain antivirus software.

The malware has at times taken complete control of my Prevx 3.0.5.10 antivirus software and I think hooked a prevx SYS file.

The malware recognizes most anti-malware and works tirelessly to prohibit its use.

The malware constantly writes ####.tmp files to c:\windows\temp\. I let Prevx take care of them, and believe me, it stays busy.


I have myself developed a healthy respect for the creative coding skill that was required to write such sneaky software. I have NEVER even imagined that malware was so stealthy and tricky. This malware hasn't yet been destructive and I pray that it hasn't stolen sensitive data from my computer. The only information I am concerned with is credit card numbers that had been entered in SSL protected fields in the past. I have created decent backups of everything that matters but I have no backups of many of my software installation sets.

I have to admit, I have been toying with this malware for the last ten days just because of the challenge it presented.

Well, it won the challenge. I give up. Please guide me in beating this beast out of my box.
I have a real good general knowledge of computers and have been studying from your site since I started this battle. Hopefully that will make it easier to help me.

Thank you in Advance

Pete L. - North Little Rock, AR
*************************************** POSTED REPORTS ***************************************

DDS (Ver_09-10-26.01) - NTFSx86
Run by Pete at 11:01:54.90 on Sat 11/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

============== Running Processes ===============


============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AutorunsDisabled - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} - No File
uRun: [Google Update] "c:\documents and settings\pete\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - {cc4b2ee6-4803-11d7-8a38-00b0d0c6b814}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Notify: ssqpm -
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
SEH: {20d8bda1-1958-11d6-b00f-00b0d0c6b6a5} - No File
IFEO: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"
IFEO: AutorunsDisabled - ntsd -d

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pete\applic~1\mozilla\firefox\profiles\y7gjc8qg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\pete\application data\mozilla\firefox\profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\pete\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-07 16:16:41 0 d-----w- c:\program files\Trend Micro
2009-11-02 08:03:31 0 d-----w- c:\program files\PhotoRescue Advanced PC
2009-11-02 07:56:16 0 d-----w- c:\program files\ContrastMaster
2009-11-01 17:14:13 0 d-----w- c:\docume~1\pete\applic~1\Malwarebytes
2009-11-01 17:13:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 17:13:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-31 16:24:03 0 d-----w- c:\program files\eyespy
2009-10-28 03:22:35 0 d-----w- c:\program files\Prevx
2009-10-28 03:22:00 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-10-27 04:17:19 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 04:17:19 0 d-----w- c:\docume~1\pete\applic~1\SUPERAntiSpyware.com
2009-10-27 01:44:29 0 d-----w- c:\program files\a-squared Anti-Malware
2009-10-26 21:16:36 0 d-----w- c:\docume~1\pete\applic~1\HpUpdate
2009-10-18 04:55:37 0 d-----w- c:\program files\Plextor

==================== Find3M ====================

2009-11-04 12:20:40 53136 ----a-w- c:\windows\system32\PxSecure.dll
2009-11-04 12:20:39 46768 ----a-w- c:\windows\system32\drivers\pxrts.sys
2009-11-04 12:20:39 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-11-04 12:20:38 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2009-10-27 22:24:12 617472 ----a-w- c:\windows\system32\advapi32.dll
2009-10-26 21:20:02 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2009-10-26 20:12:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-25 12:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-11 14:10:09 236544 ----a-w- c:\windows\PEV.exe
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-16 15:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 05:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2006-08-13 06:37:48 291 ----a-w- c:\program files\Shortcut to Casseopeia ©.lnk
2006-01-02 06:29:31 202 ----a-w- c:\program files\WhiteCap Prefs (Standalone).txt
2005-10-20 08:44:00 8192 --sha-w- c:\program files\Thumbs.db
2005-10-16 09:36:19 345 ----a-w- c:\program files\proc.set

============= FINISH: 11:03:30.12 ===============



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 11:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f1cc

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f206

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f51a

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f3f6

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f292

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Not hooked

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f18e

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f64e

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f316

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f34e

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked



[attachment=35926:ark.zip]
Pushwood


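The two reports above are long, and the parts a helper actually reads are small: which SSDT entries RootRepeal says are hooked and by which module, and which Pseudo-HJT lines in the DDS log point at a missing target ("No File") or carry no module path at all (the "Notify: ssqpm -" line). The script below is an added example, not code from the post or from either tool; it parses constructed excerpts in the two formats shown above (the hooked entries and driver path are copied from lines visible in the post, the regexes are written from those line shapes and are an assumption about the full format). One caveat the output makes obvious: every hook in the SSDT section belongs to pxrts.sys, the Prevx driver the poster installed (it appears under c:\windows\system32\drivers in the DDS Find3M list), so those hooks are expected from a security product and say nothing on their own about the rootkit.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal 1.3.5.0 SSDT format shown in the post
# (a handful of entries, not the full table); the hooking driver path and the
# addresses are copied from entries visible in the post.
SSDT_SAMPLE = """\
SSDT
-------------------
#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xf597f1cc

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xf597f51a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xf597f64e

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xf597f34e

#: 278 Function Name: NtYieldExecution
Status: Not hooked
"""

# Constructed excerpt in the DDS "Pseudo HJT Report" format, built from the
# kinds of lines that appear in the post.
HJT_SAMPLE = """\
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
Notify: ssqpm -
IFEO: taskmgr.exe - "c:\\program files\\process explorer\\PROCEXP.EXE"
IFEO: AutorunsDisabled - ntsd -d
"""

# One hooked entry spans two lines: the "#: NNN Function Name:" line and the
# "Status: Hooked by ..." line that follows it. Unhooked entries never match.
HOOK_RE = re.compile(
    r'^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)\s*\n'
    r'Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE)

# Pseudo-HJT lines start with a short entry type followed by a colon.
HJT_RE = re.compile(
    r'^(?P<kind>BHO|TB|EB|SEH|Notify|IFEO|[um]Run):\s*(?P<rest>.*)$',
    re.MULTILINE)


def parse_ssdt_hooks(text):
    """Hooked SSDT entries as (index, function, module, address);
    'Not hooked' entries are skipped."""
    return [(int(m['idx']), m['fn'], m['module'], int(m['addr'], 16))
            for m in HOOK_RE.finditer(text)]


def hooks_by_module(text):
    """Hooked syscalls grouped by the module that owns the hook (path
    lower-cased), so a 284-row table reduces to one line per hooking driver."""
    groups = defaultdict(list)
    for _, fn, module, _ in parse_ssdt_hooks(text):
        groups[module.lower()].append(fn)
    return dict(groups)


def flag_hjt_entries(text):
    """Pseudo-HJT lines a helper reads first: entries whose target is reported
    as 'No File', and Winlogon Notify entries that carry no module path."""
    flagged = []
    for m in HJT_RE.finditer(text):
        kind, rest = m['kind'], m['rest'].strip()
        if rest.endswith('- No File'):
            flagged.append((kind, rest, 'target missing (No File)'))
        elif kind == 'Notify' and rest.endswith('-'):
            flagged.append((kind, rest, 'Notify entry without a module path'))
    return flagged


if __name__ == '__main__':
    for module, fns in hooks_by_module(SSDT_SAMPLE).items():
        print(f'{module}: {len(fns)} hooked ({", ".join(fns)})')
    for kind, rest, why in flag_hjt_entries(HJT_SAMPLE):
        print(f'[{why}] {kind}: {rest}')
```

To run it over a real report, read the saved RootRepeal or DDS text file and pass its contents to the two functions; the DDS log in the post has empty "Running Processes" and "SERVICES / DRIVERS" sections, so on that log only the Pseudo HJT section yields anything. The output only says where to look; whether an orphaned BHO or an unnamed Notify entry is leftover from an uninstalled product or something worse is still the helper's call.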


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:22 AM

Posted 07 November 2009 - 10:50 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 pushwood
  • Topic Starter
  • Members
  • 6 posts

Posted 07 November 2009 - 11:11 PM

Full Rootrepeal report here...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/07 21:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF57B1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP111.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP111.SYS
Address: 0xF7AB4000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9BE8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f1cc

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f206

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f51a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f3f6

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f292

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f18e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f64e

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f316

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597f34e

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fcc0

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fd34

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fc4c

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fc0a

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fe20

#: 404 Function Name: NtUserGetForegroundWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fb16

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fb64

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fb96

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fbd8

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fec4

#: 508 Function Name: NtUserSetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fdf0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597fe6e

#: 592 Function Name: NtUserWindowFromPoint
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xf597ff3e

==EOF==
Pushwood



#4 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 10 November 2009 - 12:00 AM

Hello pushwood.

I just wanted to let you know that I am still awaiting approval from my coach to begin. Once the ball gets rolling here it will be a much smoother process. Instructions should follow soon. . . so get ready!

~Blade



#5 pushwood
  • Topic Starter
  • Members
  • 6 posts

Posted 10 November 2009 - 06:43 PM

Thanks Blade,

I'm patiently awaiting further instruction from you. I'm ready.

Pete
Pushwood



#6 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 12 November 2009 - 07:51 AM

Hello pushwood.

My apologies for the delay. Let's get started.

Your log indicates that you have run ComboFix!

Please note: ComboFix (CF for short) is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. When CF is run without trained assistance, it can no longer be considered a "safe" tool. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Since you already ran the tool, I need to see the log it created. Please locate this file C:\Combofix.txt and include its contents in your next reply.

***************************************************

Additionally, I would like to see the logs from the following programs: Malwarebytes Anti-Malware and SUPERAntiSpyware. Instructions on retrieving those logs are as follows.
  • Malwarebytes - Launch the Malwarebytes application. Once the program loads click on the Logs tab. Double click on the entry corresponding to the scan you wish to retrieve.
  • SUPERAntiSpyware - launch SUPERAntispyware.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • Navigate to the log you wish to retrieve and press View log. A text file will open in your default text editor.
***************************************************

Finally. . . did you install any program by the name of "Eyespy"? If you do not recognize this program, please immediately disconnect the infected machine from the Internet, and use another computer to connect here.

~Blade


In your next reply, please include the following:
ComboFix log
Malwarebytes log
SUPERAntiSpyware log
Answer to the above question



#7 pushwood
  • Topic Starter
  • Members
  • 6 posts

Posted 12 November 2009 - 07:11 PM

Hello Blade,

You asked about EyeSpy. I installed it a couple of weeks ago in an effort to see network activity. I uninstalled it today because it didn't work very well. Here are the requested logs. I did not have the old combofix report so I re-ran and posted the newest one. Combofix would not run until I put a copy of regedit.exe into c:\windows from c:\windows\system32\.
*********************************************************************************

ComboFix 09-11-13.04 - Pete 11/12/2009 17:14.1.1 - NTFSx86
Running from: m:\ultimate fix collection\combofix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\MabryObj.dll
c:\windows\system32\regedit.exe
c:\windows\system32\twain.dll

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERCTL
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 23:08 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2009-11-12 23:08 . 2001-08-17 18:52 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2009-11-12 22:58 . 2004-08-04 06:56 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2009-11-12 22:58 . 2004-08-04 06:56 146432 ----a-w- c:\windows\regedit.exe
2009-11-12 20:14 . 2009-11-12 20:14 117760 ----a-w- c:\documents and settings\Pete\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-12 20:13 . 2009-11-12 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-12 15:37 . 2009-11-12 15:37 -------- d-----w- c:\program files\WinPcap
2009-11-12 15:36 . 2009-11-12 15:46 -------- d-----w- c:\program files\revealed
2009-11-12 14:35 . 2009-11-12 14:35 -------- d-----w- c:\documents and settings\Pete\Application Data\FM Settings
2009-11-12 14:23 . 2009-11-12 14:23 -------- d-----w- c:\documents and settings\Pete\Application Data\NeatImage PS
2009-11-12 13:21 . 2009-11-12 13:23 -------- d-----w- c:\documents and settings\Pete\Local Settings\Application Data\Search and Replace
2009-11-12 13:17 . 2009-11-12 13:17 -------- d-----w- c:\program files\Search and Replace
2009-11-10 04:06 . 2009-11-10 04:06 152576 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-10 02:26 . 2009-11-10 02:27 79488 ----a-w- c:\documents and settings\Pete\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-07 17:23 . 2009-11-07 17:23 905440 ----a-w- c:\documents and settings\All Users\Application Data\PrevxCSI\~PrevxCSIUpdate.exe
2009-11-07 16:16 . 2009-11-07 16:16 -------- d-----w- c:\program files\Trend Micro
2009-11-06 16:05 . 2009-11-06 16:05 -------- d-----w- C:\Autoruns
2009-11-04 12:20 . 2009-11-07 17:24 53136 ----a-w- c:\windows\system32\PxSecure.dll
2009-11-03 02:34 . 2009-11-03 03:34 -------- d-----w- c:\documents and settings\Pete\DoctorWeb
2009-11-03 00:52 . 2009-11-03 00:52 -------- d-sh--w- c:\documents and settings\Pete\IECompatCache
2009-11-02 08:03 . 2009-11-12 13:09 -------- d-----w- c:\program files\PhotoRescue Advanced PC
2009-11-02 07:56 . 2009-11-02 07:56 -------- d-----w- c:\program files\ContrastMaster
2009-11-02 03:24 . 2009-07-02 23:31 4087813 ----a-w- c:\windows\installler.exe
2009-11-02 03:23 . 2009-11-02 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-01 17:14 . 2009-11-01 17:14 -------- d-----w- c:\documents and settings\Pete\Application Data\Malwarebytes
2009-11-01 17:13 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 17:13 . 2009-11-12 19:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 17:13 . 2009-11-01 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 17:13 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 13:07 . 2001-08-18 12:00 13312 -c--a-w- c:\windows\system32\dllcache\htrn_jis.dll
2009-10-31 16:27 . 2009-11-12 15:40 -------- d-----w- c:\documents and settings\Pete\.matplotlib
2009-10-31 16:25 . 2004-05-14 22:11 86016 ----a-w- c:\windows\system32\GeoIpComEx.dll
2009-10-31 16:24 . 2009-11-05 18:24 -------- d-----w- c:\program files\eyespy
2009-10-28 03:22 . 2009-11-07 17:24 46768 ----a-w- c:\windows\system32\drivers\pxrts.sys
2009-10-28 03:22 . 2009-11-07 17:24 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-28 03:22 . 2009-11-07 17:24 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2009-10-28 03:22 . 2009-11-07 17:23 -------- d-----w- c:\program files\Prevx
2009-10-28 03:22 . 2009-11-12 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-27 21:02 . 2009-10-27 21:02 1961720 ----a-w- c:\documents and settings\Pete\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-27 04:17 . 2009-11-12 20:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 04:17 . 2009-11-12 20:13 -------- d-----w- c:\documents and settings\Pete\Application Data\SUPERAntiSpyware.com
2009-10-27 03:47 . 2009-10-27 03:47 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-27 01:44 . 2009-10-27 02:47 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-10-26 21:57 . 2009-11-01 16:23 101832 ----a-w- c:\documents and settings\Pete\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 21:21 . 2009-10-26 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-26 21:16 . 2009-10-26 21:21 -------- d-----w- c:\documents and settings\Pete\Application Data\HpUpdate
2009-10-26 21:16 . 2009-10-26 21:16 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-24 08:48 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-24 08:48 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-24 08:48 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-24 08:44 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-24 04:33 . 2009-10-24 04:33 -------- d-sh--w- c:\documents and settings\Pete\IETldCache
2009-10-23 15:51 . 2009-10-23 15:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-23 05:23 . 2009-11-12 11:22 -------- d-----w- c:\documents and settings\Pete\Application Data\vlc
2009-10-18 04:55 . 2009-10-18 04:55 -------- d-----w- c:\windows\PlexUTILITIES
2009-10-18 04:55 . 2009-10-18 04:55 -------- d-----w- c:\program files\Plextor
2009-10-17 05:59 . 2009-10-17 05:59 -------- d-----w- c:\documents and settings\Pete\Local Settings\Application Data\Motive
2009-10-16 23:12 . 2009-10-16 23:14 -------- d-----w- C:\dvdsanta

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 20:11 . 2005-04-16 08:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-12 06:35 . 2009-07-21 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 05:42 . 2005-03-27 04:27 -------- d-----w- c:\program files\G-spot Codec ID
2009-11-10 04:08 . 2005-03-29 13:45 -------- d-----w- c:\program files\Java
2009-11-07 15:33 . 2008-03-18 22:47 -------- d-----w- c:\documents and settings\Pete\Application Data\U3
2009-11-06 14:58 . 2005-05-19 13:29 -------- d-----w- c:\program files\Anim-FX
2009-11-05 18:03 . 2007-05-18 05:37 -------- d-----w- c:\documents and settings\Pete\Application Data\Notepad++
2009-11-05 17:52 . 2007-05-18 05:37 -------- d-----w- c:\program files\Notepad++
2009-11-03 07:56 . 2008-03-07 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-02 07:58 . 2009-09-06 16:38 -------- d-----w- c:\program files\Neat Image
2009-11-01 13:20 . 2009-11-01 13:09 142732 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
2009-10-31 22:12 . 2008-01-23 23:59 -------- d-----w- c:\documents and settings\Pete\Application Data\Apple Computer
2009-10-29 03:04 . 2005-03-27 02:53 -------- d-----w- c:\program files\FlaskMPEG
2009-10-27 22:24 . 2001-08-23 12:00 617472 ----a-w- c:\windows\system32\advapi32.dll
2009-10-27 22:11 . 2007-09-24 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-26 23:08 . 2008-12-26 04:57 -------- d-----w- c:\program files\Kids Cam Center
2009-10-26 23:08 . 2007-09-24 00:12 -------- d-----w- c:\program files\SBC Self Support Tool
2009-10-26 23:08 . 2006-10-10 07:24 -------- d-----w- c:\program files\Winnov
2009-10-26 23:08 . 2006-08-17 07:55 -------- d-----w- c:\program files\HP
2009-10-26 23:08 . 2005-08-13 08:47 -------- d-----w- c:\program files\Google
2009-10-26 23:08 . 2005-05-11 13:42 -------- d-----w- c:\program files\DivX
2009-10-26 23:08 . 2005-03-30 19:00 -------- d-----w- c:\program files\QuickTime
2009-10-26 23:08 . 2005-07-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-10-26 23:08 . 2005-03-29 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-10-26 21:20 . 2005-01-24 15:30 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2009-10-26 14:44 . 2005-03-26 07:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 01:40 . 2005-03-26 10:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 00:54 . 2007-03-07 10:52 -------- d-----w- c:\program files\Winnov Videum NT
2009-10-18 17:25 . 2009-04-03 04:49 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-17 06:01 . 2007-10-05 05:22 -------- d-----w- c:\documents and settings\Pete\Application Data\Motive
2009-10-16 23:14 . 2007-08-27 02:16 -------- d-----w- c:\program files\dvdSanta
2009-10-14 05:16 . 2005-10-25 17:39 -------- d-----w- c:\documents and settings\Pete\Application Data\dvdcss
2009-10-11 10:17 . 2008-12-31 03:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-24 09:51 . 2009-07-21 21:06 -------- d-----w- c:\program files\Microsoft Works
2009-09-21 06:22 . 2009-09-21 06:22 -------- d-----w- c:\program files\Windows Sidebar
2009-09-21 06:05 . 2008-12-24 15:42 -------- d-----w- c:\program files\Common Files\Nero
2009-09-21 05:52 . 2008-12-24 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-09-17 21:49 . 2009-09-24 05:50 872960 ----a-w- c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-09-17 21:48 . 2009-09-24 05:50 43008 ----a-w- c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-09-17 21:48 . 2009-09-24 05:50 340480 ----a-w- c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-09-17 21:48 . 2009-09-24 05:50 346624 ----a-w- c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-09-16 15:22 . 2009-09-16 15:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2001-08-23 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 02:52 . 2009-08-25 02:52 3584 ----a-r- c:\documents and settings\Pete\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-25 01:42 . 2005-03-26 07:12 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-08-18 05:33 . 2009-08-18 05:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2006-08-13 06:37 . 2006-08-13 06:37 291 ----a-w- c:\program files\Shortcut to Casseopeia ©.lnk
2006-01-02 06:29 . 2006-01-02 06:19 202 ----a-w- c:\program files\WhiteCap Prefs (Standalone).txt
2005-10-20 08:44 . 2005-10-20 08:44 8192 --sha-w- c:\program files\Thumbs.db
2005-10-16 09:36 . 2005-10-16 03:56 345 ----a-w- c:\program files\proc.set
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
AutoCAD LT Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIXER8"=WnvMxr.dll
"WAVE8"=WnvWav32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\.nvsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Watchdog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"NOD32krn"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"iPod Service"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McODS"=3 (0x3)
"YahooAUService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Winnov Status"="c:\program files\Winnov Videum NT\WvStatus.Exe"
"Winnov Remote"="c:\program files\Winnov Videum NT\WnvRsvr.Exe" -AutoStart
"Winnov Menu"="c:\program files\Winnov Videum NT\WnvMenu.Exe"
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"Motive SmartBridge"=c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Toolbar.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Agent\\agent.exe"=
"c:\\Program Files\\Winnov Videum NT\\WnvRsvr.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftpgui.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"119:TCP"= 119:TCP:Newsgroups
"5100:TCP"= 5100:TCP:Yahoo Webcam

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 16:24]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1229272821-725345543-1004Core1ca5b9622bc388.job
- c:\documents and settings\Pete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-11 22:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: mcafee.com
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\y7gjc8qg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Pete\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellExecuteHooks-{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5} - (no file)
Notify-ssqpm -
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Winnov Videum - c:\program files\Winnov Videum NT\WvUninst



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1229272821-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1960408961-1229272821-725345543-1004\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1960408961-1229272821-725345543-1004)
@Allowed: (Read) (S-1-5-21-1960408961-1229272821-725345543-1004)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1820)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-12 17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 23:35

Pre-Run: 10,777,878,528 bytes free
Post-Run: 10,653,237,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect=OptIn /Execute=OptIn

- - End Of File - - FC08109094456EE4480F659FC891839E

***************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/12/2009 at 03:22 PM

Application Version : 4.30.1004

Core Rules Database Version : 4266
Trace Rules Database Version: 2150

Scan type : Complete Scan
Total Scan Time : 00:47:14

Memory items scanned : 335
Memory threats detected : 0
Registry items scanned : 8308
Registry threats detected : 0
File items scanned : 27000
File threats detected : 0

*********************************************************************************************

Malwarebytes' Anti-Malware 1.41
Database version: 3155
Windows 5.1.2600 Service Pack 3

11/12/2009 1:28:16 PM
mbam-log-2009-11-12 (13-28-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|J:\|K:\|L:\|M:\|)
Objects scanned: 244715
Time elapsed: 1 hour(s), 18 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP1\A0001399.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP1\A0001468.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP1\A0001537.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP1\A0001607.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP5\A0003980.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{69CC7A00-414D-4D4D-8D83-5637CA36CC84}\RP5\A0004059.sys (Rootkit.Agent) -> No action taken.
Pushwood


"What happens if i push this button? Hmmm... and this one? What about both of them toge

#8 pushwood

pushwood
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 12 November 2009 - 07:14 PM

The order in which they were run is MBAM, SAS and lastly Combofix.
Pushwood


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:07:22 AM

Posted 13 November 2009 - 10:22 PM

Hello pushwood.

You are missing one critical kind of program on your computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as possible and run a complete scan of the computer. Without an antivirus you will become infected on a regular basis. A good antivirus program, free for non-commercial home use, is Avira.
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action, double-click on the last Scan listed (you will also see the corresponding Date/Time).
  • A window opens; click on Report file.
  • Copy and paste the content of the report into your next reply.
~Blade

In your next reply, please include the following:
Avira Antivir Scan Log
How is your computer running now?

Edited by Blade Zephon, 13 November 2009 - 10:23 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 pushwood

pushwood
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 13 November 2009 - 11:13 PM

I do have antivirus software called Prevx 3.0 that is installed and protecting my box. At least it has been keeping my rootkit infection suppressed. Maybe it didn't show because I disabled it for the scans logged above. Did you not want me to take any manual action or run ComboFix and let it take action against the rootkit files found in those system-restore sets, as seen above?

I will now run Avira and post the results.

Thanks - push'dwood
Pushwood


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:07:22 AM

Posted 16 November 2009 - 02:57 PM

Hi pushwood.

Still waiting on the results from Avira. Do you still require assistance?

~Blade



#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:22 PM

Posted 18 November 2009 - 04:58 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
