
IE8 Redirect Virus


This topic is locked
37 replies to this topic

#1 David S
  • Members
  • 43 posts

Posted 27 January 2010 - 07:50 PM

Hi. Running XP. When I do a search and click on a link it redirects me to another site. I have to click the back arrow and then click the link again to get in. No nasty sites, yet. Tried all the posted programs except for the heavy stuff (Combofix, etc.). It is still there. Tried to run the RootRepeal. It locked up twice so I deleted it twice. The Kaspersky Webscanner is currently unavailable. Can someone please help me get rid of this redirect issue?
Thanks,
Dave

Below is the dds log and Attach.txt is attached.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dave Stark at 19:15:34.92 on Wed 01/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1233 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100127-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\IPFax\FaxMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Dave Stark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wwdb.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: CommuniKate Toolbar: {2ad46959-7ee4-47c3-b976-c0912755de1f} - c:\program files\ucietb\ucietb.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [ShowIcon_The Company_CRW Series Driver v1.16e058] "c:\program files\crw\shwicon.exe" -t"the company\CRW Series Driver v1.16e058"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [FaxMonitor] c:\program files\ipfax\FaxMonitor.exe
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - c:\program files\ucietb\ucietb.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: zonealarm.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167063204312
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38181.6376041667
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-2-13 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-23 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-12 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-23 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-23 138680]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-2-13 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-6-6 10384]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-23 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-23 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-27 00:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 00:07:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 00:07:52 0 d-----w- c:\docume~1\davest~1\applic~1\SUPERAntiSpyware.com
2010-01-27 00:06:49 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 10:53:33 23158 ------w- c:\windows\hpqins15.dat.temp
2010-01-26 03:46:09 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-26 03:40:52 187042 ----a-w- c:\windows\hpwins23.dat
2010-01-26 03:40:52 1847 ------w- c:\windows\hpwmdl23.dat
2010-01-26 02:42:20 1847 ------w- c:\windows\hpwmdl23.dat.temp
2010-01-25 23:45:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 23:45:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 11:04:43 23158 ----a-w- c:\windows\hpqins15.dat
2010-01-25 04:19:44 77377 ----a-w- c:\windows\hpqins05.dat
2010-01-25 03:45:41 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-01-25 03:33:54 0 d-----w- c:\windows\hpoj6500e709
2010-01-25 03:29:09 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-01-25 03:28:23 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-01-25 03:28:23 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-01-25 03:28:23 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-01-25 03:28:23 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-01-25 03:28:23 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-25 03:28:23 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-25 03:28:23 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-01-24 00:57:05 0 dc-h--w- c:\windows\ie8
2010-01-13 11:51:24 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-02 02:48:42 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2010-01-02 02:48:41 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-12 10:21:00 401720 ----a-w- c:\program files\HiJackThis.exe
2008-06-19 01:26:18 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07:48 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45:36 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03:30 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30:28 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39:34 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34:56 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41:36 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04:02 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03:42 1370 ----a-w- c:\program files\stockalert.gif
2008-10-02 01:26:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 19:16:32.64 ===============


#2 Elise
  • Malware Study Hall Admin
  • 60,820 posts
  • Location:Romania

Posted 04 February 2010 - 09:20 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
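The DDS log Elise asks for has a fixed layout: a few header lines (AV:, FW:), `===== section =====` banners, `kind: value` lines in the Pseudo HJT Report (with `[ValueName] command` for Run keys and `Name: {CLSID} - path` for COM objects), and `Rn name;display;path [date size]` lines for services and drivers. The script below is an added example, not part of this thread and not code from the DDS tool, that parses that layout and prints a handful of review hints of the kind a helper would check by hand. The sample input is constructed from lines copied out of the logs posted in this thread and is not a complete log. The checks (empty Run value, bare filename in a Run value, EnableLUA = 0, ActiveX DPF source not served over HTTPS, and DDS's `[?]` marker on a service line) are this example's own heuristics, not DDS output, and the reading of `[?]` as "DDS found no file at that path" is an assumption; every hint is something to verify, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS logs posted in this thread
# (second log's AV line, some Pseudo HJT Report entries, two service lines).
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wwdb.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: CommuniKate Toolbar: {2ad46959-7ee4-47c3-b976-c0912755de1f} - c:\program files\ucietb\ucietb.dll
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableLUA = 0 (0x0)
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-23 114768]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")          # ===== banner =====
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z][\w -]*?)\s*[:=]\s*(?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")   # [ValueName] command
COM_RE = re.compile(r"^(?:(?P<name>[^{]*?):\s*)?\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<path>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*(?:\[(?P<stamp>[^\]]*)\])?$")

def refang(url: str) -> str:
    """DDS writes hxxp:// and hxxps:// so log URLs cannot be clicked; undo that."""
    return re.sub(r"^hxxp", "http", url, count=1)

def parse_dds(text: str) -> List[Dict[str, str]]:
    """Flatten a DDS log into entries tagged with the section they came from."""
    entries: List[Dict[str, str]] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        e: Dict[str, str] = {"section": section, "raw": line}
        if section.startswith("SERVICES"):
            m = SVC_RE.match(line)
            if m:
                e.update(kind="service", **m.groupdict(default=""))
        else:
            m = ENTRY_RE.match(line)
            if m:
                kind, rest = m.group("kind"), m.group("rest")
                e["kind"] = kind
                if kind.endswith(("Run", "RunOnce")):
                    r = RUN_RE.match(rest)
                    if r:
                        e.update(name=r.group("name"), cmd=r.group("cmd").strip())
                elif kind in ("BHO", "TB", "EB", "DPF", "IE"):
                    c = COM_RE.match(rest)
                    if c:
                        e.update(name=c.group("name") or "", clsid=c.group("clsid"), path=c.group("path"))
                else:
                    e["value"] = rest
        entries.append(e)
    return entries

def triage(text: str) -> List[str]:
    """Review hints (this example's own rules, not DDS output); verify each by hand."""
    hints: List[str] = []
    for e in parse_dds(text):
        kind = e.get("kind", "")
        if kind == "AV" and "scanning disabled" in e.get("value", "").lower():
            hints.append("AV on-access scanning disabled: confirm it was re-enabled after the scan")
        elif kind.endswith(("Run", "RunOnce")) and "cmd" in e:
            exe = e["cmd"].split()[0].strip('"') if e["cmd"] else ""
            if not exe:
                hints.append(f"{kind} [{e['name']}]: empty autorun value")
            elif "\\" not in exe:
                # A bare filename is located via the search path, so which binary
                # actually runs depends on PATH; resolve it and inspect that file.
                hints.append(f"{kind} [{e['name']}]: bare filename {exe} is resolved via the search path")
        elif kind == "mPolicies-system" and re.search(r"EnableLUA\s*=\s*0", e.get("value", "")):
            hints.append("EnableLUA = 0: UAC disabled (no effect on XP, which predates UAC)")
        elif kind == "DPF" and "path" in e:
            src = refang(e["path"])
            if not src.lower().startswith("https://"):
                hints.append(f"DPF {e['clsid']}: ActiveX control sourced from {src} (not HTTPS)")
        elif kind == "service" and e.get("stamp") == "?":
            # Assumption: "[?]" in place of a date/size means DDS found no file at
            # that path (here the path carries arguments); locate the image by hand.
            hints.append(f"service {e['svc']}: DDS could not verify the image file ({e['path']})")
    return hints

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print("-", hint)
```

Run it against a full DDS log by reading the file into `triage()`; for the sample above it reports the disabled on-access scanner, the empty `mRun: [<NO NAME>]` value, the bare `KHALMNPR.EXE` command, `EnableLUA = 0`, the two DPF controls not served over HTTPS, and the `vsmon` service marked `[?]`. None of these is evidence of the redirect by itself; they are the lines a helper would look at first.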


#3 David S
  • Topic Starter
  • Members
  • 43 posts

Posted 05 February 2010 - 06:15 AM

Hi Elise,
The problem is still: Do a search on IE8. Click on a link. You get redirected to another site. Click the back arrow, sometimes you go back and sometimes you stay on the site. When you do go back you can click on the same link and it will go to the correct site.
Gmer took all night to run.
Below are all three files.
Thanks for your help.
David


DDS (Ver_09-12-01.01) - NTFSx86
Run by Dave Stark at 18:55:10.64 on Thu 02/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1449 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100204-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\IPFax\FaxMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dave Stark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wwdb.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: CommuniKate Toolbar: {2ad46959-7ee4-47c3-b976-c0912755de1f} - c:\program files\ucietb\ucietb.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [ShowIcon_The Company_CRW Series Driver v1.16e058] "c:\program files\crw\shwicon.exe" -t"the company\CRW Series Driver v1.16e058"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [FaxMonitor] c:\program files\ipfax\FaxMonitor.exe
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - c:\program files\ucietb\ucietb.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: zonealarm.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167063204312
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38181.6376041667
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-2-13 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-23 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-12 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-23 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-23 138680]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-2-13 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-6-6 10384]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-23 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-23 352920]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-02-01 10:54:13 77377 ------w- c:\windows\hpqins05.dat.temp
2010-01-27 00:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-27 00:07:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 00:07:52 0 d-----w- c:\docume~1\davest~1\applic~1\SUPERAntiSpyware.com
2010-01-27 00:06:49 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 10:53:33 23158 ------w- c:\windows\hpqins15.dat.temp
2010-01-26 03:46:09 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-26 03:40:52 187042 ----a-w- c:\windows\hpwins23.dat
2010-01-26 03:40:52 1847 ------w- c:\windows\hpwmdl23.dat
2010-01-26 02:42:20 1847 ------w- c:\windows\hpwmdl23.dat.temp
2010-01-25 23:45:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 23:45:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 11:04:43 23158 ----a-w- c:\windows\hpqins15.dat
2010-01-25 04:19:44 77377 ----a-w- c:\windows\hpqins05.dat
2010-01-25 03:45:41 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-01-25 03:33:54 0 d-----w- c:\windows\hpoj6500e709
2010-01-25 03:29:09 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-01-25 03:28:23 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-01-25 03:28:23 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-01-25 03:28:23 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-01-25 03:28:23 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-01-25 03:28:23 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-25 03:28:23 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-25 03:28:23 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-01-24 00:57:05 0 dc-h--w- c:\windows\ie8
2010-01-13 11:51:24 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-02 01:57:11 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2010-02-02 01:57:11 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-12 10:21:00 401720 ----a-w- c:\program files\HiJackThis.exe
2008-06-19 01:26:18 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07:48 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45:36 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03:30 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30:28 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39:34 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34:56 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41:36 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04:02 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03:42 1370 ----a-w- c:\program files\stockalert.gif
2008-10-02 01:26:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 18:55:43.20 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2004 6:06:02 PM
System Uptime: 2/4/2010 3:17:11 PM (3 hours ago)

Motherboard: Intel Corporation | | D865GLC
Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 33.034 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet 6500 E709n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 6500 E709n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP211: 1/1/2010 12:55:44 AM - System Checkpoint
RP212: 1/2/2010 10:07:52 AM - System Checkpoint
RP213: 1/3/2010 10:59:50 AM - System Checkpoint
RP214: 1/4/2010 11:46:42 AM - System Checkpoint
RP215: 1/5/2010 12:10:50 PM - System Checkpoint
RP216: 1/6/2010 1:45:23 PM - System Checkpoint
RP217: 1/7/2010 2:45:07 PM - System Checkpoint
RP218: 1/8/2010 2:47:47 PM - System Checkpoint
RP219: 1/9/2010 3:51:23 PM - System Checkpoint
RP220: 1/10/2010 4:57:53 PM - System Checkpoint
RP221: 1/11/2010 6:26:29 PM - System Checkpoint
RP222: 1/12/2010 8:08:05 PM - System Checkpoint
RP223: 1/13/2010 9:00:08 PM - System Checkpoint
RP224: 1/13/2010 10:00:30 PM - Software Distribution Service 3.0
RP225: 1/14/2010 10:59:41 PM - System Checkpoint
RP226: 1/15/2010 11:37:21 PM - System Checkpoint
RP227: 1/17/2010 9:36:38 AM - System Checkpoint
RP228: 1/18/2010 10:09:37 AM - System Checkpoint
RP229: 1/19/2010 12:55:16 PM - System Checkpoint
RP230: 1/20/2010 1:08:46 PM - System Checkpoint
RP231: 1/21/2010 4:52:00 PM - System Checkpoint
RP232: 1/22/2010 5:49:14 AM - Software Distribution Service 3.0
RP233: 1/23/2010 10:25:38 AM - Installed Java™ 6 Update 18
RP234: 1/23/2010 11:30:23 AM - Before Ccleaner
RP235: 1/23/2010 6:55:51 PM - Cleaned registry with Windows Live OneCare safety scanner
RP236: 1/23/2010 7:43:51 PM - Before uninstalling ie8
RP237: 1/23/2010 7:53:36 PM - Software Distribution Service 3.0
RP238: 1/23/2010 8:11:15 PM - Software Distribution Service 3.0
RP239: 1/24/2010 8:54:10 PM - System Checkpoint
RP240: 1/24/2010 10:43:07 PM - Printer Driver HP Officejet 6500 E709n Series fax Installed
RP241: 1/24/2010 11:19:36 PM - Installed MSVCSetup
RP242: 1/25/2010 10:53:00 PM - Printer Driver HP Officejet 6500 E709n Series fax Installed
RP243: 1/26/2010 7:07:51 PM - Installed SUPERAntiSpyware Free Edition
RP244: 1/27/2010 8:16:21 PM - System Checkpoint
RP245: 1/28/2010 9:22:09 PM - System Checkpoint
RP246: 1/29/2010 9:41:07 PM - System Checkpoint
RP247: 1/30/2010 2:09:17 PM - Removed Adobe Reader 7.1.0
RP248: 1/30/2010 2:10:21 PM - Removed Adobe Reader 7.0.5 Language Support
RP249: 1/30/2010 2:10:38 PM - Installed Adobe Reader 9.3.
RP250: 1/31/2010 2:25:51 PM - System Checkpoint
RP251: 2/1/2010 2:49:20 PM - System Checkpoint
RP252: 2/2/2010 3:23:56 PM - System Checkpoint
RP253: 2/3/2010 4:08:40 PM - System Checkpoint
RP254: 2/4/2010 6:02:47 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
6500_E709_eDocs
6500_E709_Help
6500_E709n
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 9.3
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft Software Suite
avast! Antivirus
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
CDDRV_Installer
CloneCD
Compatibility Pack for the 2007 Office system
ContentSAFER for Wizmax
CreativeProjects
CRW Series Driver v1.16e058
Debugging Tools for Windows
Destination Component
DeviceDiscovery
DocMgr
DocProc
DTCLookup
DVD Shrink 3.2
eDrawings 2007
Effect3D Studio
Fax
Gear Head Garage
Google Earth
GPBaseService2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Document Manager 2.0
HP Image Zone 3.5
HP Imaging Device Functions 12.0
HP Officejet 6500 E709 Series
HP Photosmart Essential 3.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
hpmdtab
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSystemDiagnostics
InCD (Ahead Software)
Indeo® software
Intel® PRO Network Adapters and Drivers
InterActual Player
IPFax
iTunes
Java Auto Updater
Java™ 6 Update 18
KhalInstallWrapper
Legacy 7.0
Legacy Charting 7.0
Logitech SetPoint
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft PhotoDraw 2000 V2
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero - Burning Rom
Network
Nikon Message Center
Nikon View 6
NVIDIA Display Driver
OCR Software by I.R.I.S. 12.0
OGA Notifier 2.0.0048.0
PhotoGallery
PictureProject
PictureProject In Touch Downloader 1.0
Pop-Up Stopper Free Edition
PowerDVD
ProductContext
QFolder
QuickProjects
QuickTime
Radio@Netscape
Samsung Media Studio 5
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
SierraHome Print Artist 8.0
SkinsHP1
SkinsHP2
Skype™ 4.0
SmartWebPrinting
SolutionCenter
SoundMAX
SpeedFan (remove only)
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Toolbar
Toolbox
TrayApp
Uninstall Dual Mode Camera
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows Internet Explorer 8 (KB975364)
VC 9.0 Runtime
WD Diagnostics
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm

==== Event Viewer Messages From Past Week ========

1/31/2010 8:21:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdpredir

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-05 05:32:44
Windows 5.1.2600 Service Pack 3
Running: ce7ofen6.exe; Driver: C:\DOCUME~1\DAVEST~1\LOCALS~1\Temp\uwtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB731A6B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB7436FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB7433C80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB731A574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB7437580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB744B900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB744BB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB744FB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB7437670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB7434210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB744E9F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB731AA52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB744B280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB744EF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB744EF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB7434070]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB731A64E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB744D180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB744CF40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB731A76E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB744F6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB744F150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB7436BE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB731A72E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB7437190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB7434440]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB731A8AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB744C200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB73D70B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4968 12 Bytes [80, 75, 43, B7, 00, B9, 44, ...]
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B0780]
? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB987B340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2580] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B7454B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B743BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7439E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B743C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B743B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B74348D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B7434A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B74345E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B7434980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[772] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[772] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)
Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F74A3B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/ahead software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OutlookMAPI2Intl_1033 1011095491

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 05 February 2010 - 06:30 AM

Hello David S,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 David S

David S
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:29 AM

Posted 05 February 2010 - 06:46 PM

Elise,

Let's fix it first, since I've never done a reinstall and I do not have the XP Pro disc.

Thanks,
David


ComboFix 10-02-05.02 - Dave Stark 02/05/2010 18:20:27.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1488 [GMT -5:00]
Running from: c:\documents and settings\Dave Stark\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100205-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-01 10:57 . 2010-02-01 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-31 13:35 . 2010-01-31 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-01-30 19:11 . 2010-01-30 19:11 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-30 19:07 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Dave Stark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-30 19:07 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-30 19:07 . 2010-01-30 19:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-30 19:06 . 2010-01-30 19:06 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-30 19:05 . 2010-01-30 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-30 19:05 . 2010-01-30 19:05 -------- d-----w- c:\program files\NOS
2010-01-27 00:08 . 2010-01-27 00:08 52224 ----a-w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-27 00:08 . 2010-01-27 00:08 117760 ----a-w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-27 00:08 . 2010-01-27 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-27 00:07 . 2010-01-27 00:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 00:07 . 2010-01-27 00:07 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com
2010-01-27 00:06 . 2010-01-27 00:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-26 03:46 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-26 03:44 . 2010-01-26 03:44 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-26 03:40 . 2010-01-26 03:53 187042 ----a-w- c:\windows\hpwins23.dat
2010-01-26 03:40 . 2008-10-25 09:30 1847 ------w- c:\windows\hpwmdl23.dat
2010-01-25 23:45 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 23:45 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 11:04 . 2010-01-26 10:57 23158 ----a-w- c:\windows\hpqins15.dat
2010-01-25 10:50 . 2010-02-05 10:59 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HPAppData
2010-01-25 04:19 . 2010-02-01 11:00 77377 ----a-w- c:\windows\hpqins05.dat
2010-01-25 03:45 . 2010-01-25 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-01-25 03:33 . 2010-01-25 03:33 -------- d-----w- c:\windows\hpoj6500e709
2010-01-25 03:29 . 2008-08-12 15:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
2010-01-25 03:29 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-01-25 03:28 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-01-25 03:28 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-01-25 03:28 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-25 03:28 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-25 03:28 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-01-25 03:28 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-01-25 03:28 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-01-24 00:57 . 2010-01-24 00:59 -------- dc-h--w- c:\windows\ie8
2010-01-23 21:50 . 2010-01-23 21:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-23 15:27 . 2010-01-23 15:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 15:26 . 2010-01-23 15:26 348160 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\msvcr71.dll
2010-01-23 15:26 . 2010-01-23 15:26 61440 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79034259-n\decora-sse.dll
2010-01-23 15:26 . 2010-01-23 15:26 503808 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\msvcp71.dll
2010-01-23 15:26 . 2010-01-23 15:26 499712 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\jmc.dll
2010-01-23 15:26 . 2010-01-23 15:26 12800 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79034259-n\decora-d3d.dll
2010-01-13 11:51 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 00:13 . 2010-01-11 00:13 -------- d-----w- c:\documents and settings\Dave Stark\Local Settings\Application Data\MigWiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 09:46 . 2007-06-08 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-02 01:57 . 2008-01-15 19:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-02-02 01:57 . 2008-01-15 04:00 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2010-02-01 17:07 . 2004-02-15 20:23 91480 ----a-w- c:\documents and settings\Dave Stark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 11:00 . 2009-09-13 03:45 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HpUpdate
2010-02-01 10:59 . 2005-06-11 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-30 19:11 . 2004-02-13 20:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-30 19:03 . 2004-09-11 03:24 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\AdobeUM
2010-01-26 03:44 . 2004-02-15 20:06 -------- d-----w- c:\program files\Common Files\HP
2010-01-25 23:45 . 2009-05-23 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 11:00 . 2005-06-11 13:43 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HP
2010-01-24 02:14 . 2009-10-30 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-23 16:34 . 2009-05-22 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-23 15:26 . 2007-06-29 22:57 -------- d-----w- c:\program files\Java
2010-01-17 04:47 . 2008-07-13 23:21 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Skype
2010-01-16 23:33 . 2008-07-13 23:25 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\skypePM
2010-01-16 14:44 . 2004-11-08 00:53 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\ArcSoft
2009-12-21 19:14 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-12-16 11:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 01:19 . 2009-12-09 01:35 2651136 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-12-09 00:24 . 2009-12-09 00:29 1755648 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-07 01:27 . 2009-12-07 01:28 1751040 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-12-06 13:35 . 2009-07-15 10:07 6587412 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-24 23:54 . 2008-08-23 11:30 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-08-23 11:31 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2008-08-23 11:31 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-08-23 11:31 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-08-23 11:31 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-08-23 11:31 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-07-13 22:21 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-06-12 10:21 . 2009-06-12 10:20 401720 ----a-w- c:\program files\HiJackThis.exe
2008-06-19 01:26 . 2008-06-19 01:26 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07 . 2006-10-31 16:07 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45 . 2004-09-26 00:45 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03 . 2004-08-28 15:20 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30 . 2004-08-28 15:20 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39 . 2004-08-28 15:20 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34 . 2004-08-28 15:20 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41 . 2004-08-28 15:20 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04 . 2004-08-28 15:20 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03 . 2004-08-28 15:20 1370 ----a-w- c:\program files\stockalert.gif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe -tThe Company\CRW Series Driver v1.16e058" [X]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"FaxMonitor"="c:\program files\IPFax\FaxMonitor.exe" [2002-01-21 61440]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-6 809488]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-14 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2004-7-18 233472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 04:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2009-11-24 23:51 81000 ----a-w- c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-02-16 04:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/13/2004 6:12 PM 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 5:43 AM 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2008 6:31 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2008 6:31 AM 20560]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/13/2004 6:12 PM 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 3:57 PM 6144]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/6/2009 7:12 PM 10384]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E82C6E2F-CF91-4FB2-A539-E25936FB53A4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: zonealarm.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A6AC8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-436374069-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4948)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-05 18:31:37
ComboFix-quarantined-files.txt 2010-02-05 23:31
ComboFix2.txt 2009-06-04 03:16

Pre-Run: 33,234,161,664 bytes free
Post-Run: 33,466,138,624 bytes free

- - End Of File - - DB29062BD1391D43C8771BA9A62CDC20

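The log above is quicker to read with a small triage pass over it. The Python below is an added example and is not part of this thread or of ComboFix; the finding labels and the section-name constants are the example's own. It groups the REGEDIT-style lines ComboFix prints under their [section] headers and flags the items in this log a reviewer would look at first: the Windows Firewall standard profile switched off (expected while ZoneAlarm is the active firewall, but worth confirming), a whole directory and a script host (mshta.exe) on the firewall's authorized-application list, a globally open port, a Run entry carrying the [X] ComboFix appends when it cannot find the target file, and the >>UNKNOWN<< module the MBR detector reports in the disk read path, which the "user & kernel MBR OK" line does not clear. The sample input is excerpted verbatim from the posted log; run the script with a saved ComboFix.txt as its first argument to apply the same checks to a full log.

```python
import re
import sys

# Excerpt copied from the ComboFix log posted above: only the lines the checks below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe -tThe Company\CRW Series Driver v1.16e058" [X]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A6AC8C8]<<
user & kernel MBR OK
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

FW_PROFILE = r'HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'
# Binaries that run arbitrary script; a blanket firewall allow for them deserves a look.
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe'}


def parse_sections(text):
    """Group the REGEDIT-style '"name"=value' lines under their [section] headers."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def triage(text):
    """Return finding labels (this example's own naming) for the items to review first."""
    sections = parse_sections(text)
    findings = []

    # Windows Firewall standard profile switched off. Expected when a third-party
    # firewall (ZoneAlarm in this log) owns the job, but confirm it is really running.
    for name, value in sections.get(FW_PROFILE, []):
        if name == 'EnableFirewall' and value.startswith('0'):
            findings.append('windows-firewall-disabled')

    # Authorized applications: an entry with no file name is a whole directory,
    # and a script host gets an allow for anything it is told to run.
    for name, _ in sections.get(FW_PROFILE + r'\AuthorizedApplications\List', []):
        path = name.replace('\\\\', '\\').lower()   # the log doubles the backslashes
        base = path.rsplit('\\', 1)[-1]
        if '.' not in base:
            findings.append('firewall-allows-directory:' + path)
        elif base in SCRIPT_HOSTS:
            findings.append('firewall-allows-script-host:' + base)

    # Ports opened for every application (3389/TCP is Remote Desktop).
    for name, _ in sections.get(FW_PROFILE + r'\GloballyOpenPorts\List', []):
        findings.append('globally-open-port:' + name)

    # Run-key entries ComboFix tags with [X]: it could not find the target file.
    for header, entries in sections.items():
        if header.lower().endswith(r'\currentversion\run'):
            for name, value in entries:
                if value.endswith('[X]'):
                    findings.append('orphaned-autorun:' + name)

    # MBR detector: an address in the disk read path that belongs to no loaded
    # module. "MBR OK" only says the boot sector matched; this still needs a look.
    for line in text.splitlines():
        if line.startswith('called modules:') and '>>UNKNOWN' in line:
            m = re.search(r'\[(0x[0-9A-Fa-f]+)\]', line)
            findings.append('unknown-module-in-disk-path:' + (m.group(1) if m else '?'))

    return findings


if __name__ == '__main__':
    # Pass a saved ComboFix.txt as the first argument, or run on the excerpt above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            log = fh.read()
    else:
        log = SAMPLE_LOG
    for finding in triage(log):
        print(finding)
```

On this log the script reports six items. None of them is a verdict on its own: the disabled Windows Firewall is explained by ZoneAlarm, and the [X] entry may simply be a leftover from an uninstalled driver, but the whole-directory allow for system32, the mshta.exe allow, the globally open 3389/TCP, and the unaccounted-for module in the disk path are each something to resolve before calling the machine clean.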

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:29 AM

Posted 06 February 2010 - 05:51 AM

Please also post c:\qoobox\combofix2.txt (it appears you ran ComboFix twice).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 David S

David S
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:29 AM

Posted 06 February 2010 - 09:22 AM

Elise,

ComboFix seemed to take a while to get to the small blue screen.
Gmer was run twice because I turned off the printer while Gmer was running and the computer froze. Had to restart computer.


ComboFix 09-06-01.03 - Dave Stark 06/03/2009 23:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.191 [GMT -4:00]
Running from: c:\documents and settings\Dave Stark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Stark\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090603-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Cache\00048B54
c:\program files\AskBarDis\bar\Cache\00048D29
c:\program files\AskBarDis\bar\Cache\00048E42.bin
c:\program files\AskBarDis\bar\Cache\00048F2C.bin
c:\program files\AskBarDis\bar\Cache\00048FB9.bin
c:\program files\AskBarDis\bar\Cache\00049075.bin
c:\program files\AskBarDis\bar\Cache\0004914F.bin
c:\program files\AskBarDis\bar\Cache\000491CC.bin
c:\program files\AskBarDis\bar\Cache\0004923A.bin
c:\program files\AskBarDis\bar\Cache\000492B7.bin
c:\program files\AskBarDis\bar\Cache\00049314.bin
c:\program files\AskBarDis\bar\Cache\000493B1.bin
c:\program files\AskBarDis\bar\Cache\files.ini
c:\program files\AskBarDis\bar\History\search
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevcfg.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\AskBarDis\zonealarm.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASKSERVICE
-------\Service_ASKService


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-05-31 22:25 . 2009-05-31 22:25 8854 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-31 22:25 . 2009-05-31 22:25 40960 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-31 22:25 . 2009-05-31 22:25 10134 ----a-r- c:\documents and settings\Dave Stark\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 11:05 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-23 11:05 . 2009-05-23 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-22 22:17 . 2009-05-28 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:17 . 2009-05-22 22:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-19 10:26 . 2009-05-19 10:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-19 10:25 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-05-19 10:25 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-05-19 10:25 . 2009-05-19 10:26 -------- d-----w- c:\windows\system32\ZoneLabs
2009-05-19 10:25 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-05-19 01:51 . 2009-05-19 01:51 -------- d-----w- c:\program files\Zone Labs
2009-05-19 01:51 . 2009-06-04 03:03 -------- d-----w- c:\windows\Internet Logs
2009-05-16 16:15 . 2009-05-16 16:15 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Yahoo!
2009-05-12 01:39 . 2009-05-12 01:39 -------- d-sh--w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 01:45 . 2007-06-08 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-30 21:31 . 2008-01-15 19:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-05-30 21:31 . 2008-01-15 04:00 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-05-28 21:12 . 2007-12-13 22:00 664 ----a-w- c:\documents and settings\Rebecca\Local Settings\Application Data\d3d9caps.tmp
2009-05-28 10:05 . 2009-05-21 10:10 1459871 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-05-21 22:17 . 2009-05-21 22:18 1398784 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-18 23:14 . 2004-11-06 02:44 -------- d-----w- c:\program files\Yahoo!
2009-05-18 23:12 . 2004-09-14 19:02 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Aim
2009-05-16 16:15 . 2007-04-07 14:19 -------- d-----w- c:\program files\Ccleaner
2009-05-15 02:18 . 2008-02-16 21:06 -------- d-----w- c:\documents and settings\Rebecca\Application Data\Nikon
2009-05-06 02:57 . 2008-07-13 23:21 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Skype
2009-05-06 01:57 . 2008-07-13 23:25 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\skypePM
2009-04-26 12:59 . 2009-04-26 12:59 -------- d-----w- c:\program files\Common Files\Logitech
2009-04-26 12:59 . 2004-02-13 20:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-20 21:44 . 2008-12-25 18:36 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\CameraWindowDC
2009-04-20 21:43 . 2008-12-25 18:23 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\ZoomBrowser EX
2009-04-02 23:27 . 2009-04-02 23:27 152576 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-09 09:19 . 2008-12-16 11:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-07-13 22:23 284160 ----a-w- c:\windows\system32\pdh.dll
2008-06-19 01:26 . 2008-06-19 01:26 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07 . 2006-10-31 16:07 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45 . 2004-09-26 00:45 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03 . 2004-08-28 15:20 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30 . 2004-08-28 15:20 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39 . 2004-08-28 15:20 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34 . 2004-08-28 15:20 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41 . 2004-08-28 15:20 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04 . 2004-08-28 15:20 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03 . 2004-08-28 15:20 1370 ----a-w- c:\program files\stockalert.gif
.

((((((((((((((((((((((((((((( SnapShot@2009-06-03_02.24.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 03:08 . 2009-06-04 03:08 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
+ 2009-06-04 03:08 . 2009-06-04 03:08 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe" [2002-11-06 69632]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FaxMonitor"="c:\program files\IPFax\FaxMonitor.exe" [2002-01-21 61440]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HostManager"="c:\program files\Common Files\AOL\1147485870\ee\AOLSoftware.exe" [2006-05-10 50760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-15 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2004-7-18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1147485870\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/13/2004 7:12 PM 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 6:43 AM 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2008 7:31 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2008 7:31 AM 20560]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/13/2004 7:12 PM 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 4:57 PM 6144]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/11/2004 8:49 PM 14095]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\HP DArC Task 2003-12-22 03:05ewlett-Packard2003-12-22 03:05p psc 1300 series9A58A86F12EB0B2AE9BFB4180B4FD9D5B2D22980076875768.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-12-22 12:38]

2009-06-04 c:\windows\Tasks\User_Feed_Synchronization-{E82C6E2F-CF91-4FB2-A539-E25936FB53A4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/login.aspx?ReturnUrl=%2fHome.aspx
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
IE: Spell Check Options... - c:\program files\ucietb\Speller.dll/RUNOPTIONS.HTM
IE: Spell Check this page... - c:\program files\ucietb\Speller.dll/RUNSPELLER.HTM
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} - hxxp://www.evga.com/Support/SyScan/SyScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-436374069-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(404)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\mshtml.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-04 23:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 03:16
ComboFix2.txt 2009-06-03 03:09
ComboFix3.txt 2009-06-03 02:27

Pre-Run: 49,072,930,816 bytes free
Post-Run: 48,950,624,256 bytes free

241 --- E O F --- 2009-05-14 02:29


#8 Elise

Posted 06 February 2010 - 02:23 PM

Your logs are somehow contradicting each other. Can you please let me know if you still are getting redirected when browsing?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 David S (Topic Starter)

Posted 06 February 2010 - 03:14 PM

Unfortunately, it is still redirecting. If it wasn't, I would definitely tell you.
In what way are they contradicting?
David

#10 Elise

Posted 06 February 2010 - 03:23 PM

Hello David S,

Your GMER log shows a rootkit; the oldest Combofix log doesn't show it, and neither does the second, but the second log shows problems with the MBR (which might be an indication of the rootkit). I tend to go with GMER in this case, which you confirm by telling me you are getting redirected (a symptom of this infection).

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include the following:
  • SystemLook.txt

regards, Elise




#11 David S (Topic Starter)

Posted 06 February 2010 - 04:16 PM

Hi Elise,
Here you go.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:12 on 06/02/2010 by Dave Stark (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:59 02/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [23:29 05/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [22:22 13/07/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [13:02 02/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 86912 bytes [13:01 02/08/2004] [08:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--- 86912 bytes [13:02 02/08/2004] [08:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
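
An added example, not code from the thread or from SystemLook: a small Python parser for the :filefind output above that groups the copies by MD5 and compares each one with the ServicePackFiles copy (the one the FCopy step later restores from). The sample text is the log posted above, embedded as a constructed fixture; the regex and field names are assumptions about the log layout shown here.

```python
import re
from collections import defaultdict

# Constructed fixture: the :filefind lines from the SystemLook log posted above.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [00:59 02/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [23:29 05/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [22:22 13/07/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [13:02 02/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 86912 bytes [13:01 02/08/2004] [08:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--- 86912 bytes [13:02 02/08/2004] [08:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-
"""

# One hit line: path, 6-char attribute flags, size, two bracketed timestamps, MD5.
# (Field layout is an assumption read off the log above.)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-\w]{6}) (?P<size>\d+) bytes "
    r"\[(?P<ts_a>[^\]]+)\] \[(?P<ts_b>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Turn each hit line into a dict; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths carrying it: how many distinct builds are on disk."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


# The copy that the CF-script later copies over the live driver.
REFERENCE_MARKER = "\\servicepackfiles\\i386\\"


def compare_to_reference(entries, marker=REFERENCE_MARKER):
    """Compare every copy with the ServicePackFiles copy; returns (reference, {path: result})."""
    ref = next((e for e in entries if marker in e["path"].lower()), None)
    if ref is None:
        raise ValueError("no ServicePackFiles copy in the log")
    report = {}
    for e in entries:
        report[e["path"]] = {
            "match": e["md5"] == ref["md5"] and e["size"] == ref["size"],
            "size": e["size"],
            "md5": e["md5"],
        }
    return ref, report


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    ref, report = compare_to_reference(found)
    print(f"reference: {ref['path']} {ref['md5']}")
    for path, r in report.items():
        print(("match   " if r["match"] else "DIFFERS ") + path)
```

A match here only says what a user-mode read of the file returned; the GMER result later in the thread shows why a kernel-level scanner still has to have the last word.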

#12 Elise

Posted 06 February 2010 - 04:20 PM

Can you please also post a new GMER log? If it takes a lot of time, you can run the scan with only a check mark placed in front of "kernel code section".

regards, Elise




#13 David S (Topic Starter)

Posted 06 February 2010 - 04:51 PM

Hi Elise,
Here is gmer1.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-06 16:47:35
Windows 5.1.2600 Service Pack 3
Running: ludlhncz.exe; Driver: C:\DOCUME~1\DAVEST~1\LOCALS~1\Temp\uwtdypob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4968 12 Bytes [80, F5, 52, B7, 00, 39, 54, ...]
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74B0780]
? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB997D340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2652] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
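
What the GMER line ".rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in '.rsrc' section" is reporting, as an added example that is not GMER's code: a Python check that walks a PE image's headers and says which section contains AddressOfEntryPoint, flagging an entry point that lands in .rsrc or in a section without the execute flag. The two images it checks are constructed header-only fixtures (no code bytes, not copies of atapi.sys); the `check_entry_point` heuristic is this example's own.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint RVA, [(name, vaddr, size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + size_opt                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, vaddr, max(vsize, raw_size), chars))
    return entry_rva, sections


def entry_point_section(image: bytes):
    """Name and characteristics of the section whose RVA range holds the entry point."""
    entry_rva, sections = parse_sections(image)
    for name, vaddr, size, chars in sections:
        if vaddr <= entry_rva < vaddr + size:
            return name, chars
    return None, 0


def check_entry_point(image: bytes):
    """Heuristic from this example: code should start in an executable code section, never in .rsrc."""
    name, chars = entry_point_section(image)
    if name is None:
        return "suspicious: entry point outside every section", None
    if name == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return f"suspicious: entry point in {name!r}", name
    return "ok", name


def build_image(sections, entry_rva):
    """Constructed header-only PE32 fixture for testing; layout follows the PE spec, content is synthetic."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224                           # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(size_opt, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


# Clean layout: entry point inside .text. Patched layout: same sections, entry point moved into .rsrc,
# which is the shape GMER's ".rsrc ... entry point" line describes (values here are made up).
CLEAN_IMAGE = build_image(
    [(".text", 0x1000, 0x10000, 0x68000020), (".rsrc", 0x12000, 0x1000, 0x40000040)], entry_rva=0x1180)
PATCHED_IMAGE = build_image(
    [(".text", 0x1000, 0x10000, 0x68000020), (".rsrc", 0x12000, 0x1000, 0x60000060)], entry_rva=0x12030)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, check_entry_point(img))
```

GMER prints the entry point as a kernel virtual address (0xF74B0780 above); this check works with the RVA from the headers, which is the same test once the image base is subtracted.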


#14 Elise

Posted 07 February 2010 - 05:23 AM

Hello David S,

Well, that couldn't be more clear. Although all copies of the file look fine at first sight, GMER says it's not. Let's replace it with Combofix. Afterwards, please let me know how the redirects are.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
FCopy::
c:\windows\servicepackfiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt


regards, Elise




#15 David S (Topic Starter)

Posted 07 February 2010 - 09:06 AM

Good morning Elise,

Can you highlight exactly what you found?
After running ComboFix the computer restarted itself before producing the log file. I did not notice this the first time.
Both times after running ComboFix, it created an IE8 shortcut on the desktop.


ComboFix 10-02-05.02 - Dave Stark 02/07/2010 8:33.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1500 [GMT -5:00]
Running from: c:\documents and settings\Dave Stark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Stark\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100206-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\servicepackfiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-01 10:57 . 2010-02-01 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-31 13:35 . 2010-01-31 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-01-30 19:11 . 2010-01-30 19:11 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-30 19:07 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Dave Stark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-30 19:07 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-30 19:07 . 2010-01-30 19:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-30 19:06 . 2010-01-30 19:06 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-30 19:05 . 2010-01-30 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-30 19:05 . 2010-01-30 19:05 -------- d-----w- c:\program files\NOS
2010-01-27 00:08 . 2010-01-27 00:08 52224 ----a-w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-27 00:08 . 2010-01-27 00:08 117760 ----a-w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-27 00:08 . 2010-01-27 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-27 00:07 . 2010-01-27 00:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 00:07 . 2010-01-27 00:07 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\SUPERAntiSpyware.com
2010-01-27 00:06 . 2010-01-27 00:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-26 03:46 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-26 03:44 . 2010-01-26 03:44 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-26 03:40 . 2010-01-26 03:53 187042 ----a-w- c:\windows\hpwins23.dat
2010-01-26 03:40 . 2008-10-25 09:30 1847 ------w- c:\windows\hpwmdl23.dat
2010-01-25 23:45 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 23:45 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 11:04 . 2010-01-26 10:57 23158 ----a-w- c:\windows\hpqins15.dat
2010-01-25 10:50 . 2010-02-07 12:57 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HPAppData
2010-01-25 04:19 . 2010-02-01 11:00 77377 ----a-w- c:\windows\hpqins05.dat
2010-01-25 03:45 . 2010-01-25 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-01-25 03:33 . 2010-01-25 03:33 -------- d-----w- c:\windows\hpoj6500e709
2010-01-25 03:29 . 2008-08-12 15:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll
2010-01-25 03:29 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2010-01-25 03:28 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2010-01-25 03:28 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2010-01-25 03:28 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-25 03:28 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-25 03:28 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2010-01-25 03:28 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-01-25 03:28 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-01-24 00:57 . 2010-01-24 00:59 -------- dc-h--w- c:\windows\ie8
2010-01-23 21:50 . 2010-01-23 21:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-23 15:27 . 2010-01-23 15:27 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 15:26 . 2010-01-23 15:26 348160 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\msvcr71.dll
2010-01-23 15:26 . 2010-01-23 15:26 61440 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79034259-n\decora-sse.dll
2010-01-23 15:26 . 2010-01-23 15:26 503808 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\msvcp71.dll
2010-01-23 15:26 . 2010-01-23 15:26 499712 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3887b060-n\jmc.dll
2010-01-23 15:26 . 2010-01-23 15:26 12800 ----a-w- c:\documents and settings\Dave Stark\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79034259-n\decora-d3d.dll
2010-01-13 11:51 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 00:13 . 2010-01-11 00:13 -------- d-----w- c:\documents and settings\Dave Stark\Local Settings\Application Data\MigWiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 09:46 . 2007-06-08 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-02 01:57 . 2008-01-15 19:51 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-02-02 01:57 . 2008-01-15 04:00 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2010-02-01 17:07 . 2004-02-15 20:23 91480 ----a-w- c:\documents and settings\Dave Stark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 11:00 . 2009-09-13 03:45 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HpUpdate
2010-02-01 10:59 . 2005-06-11 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-30 19:11 . 2004-02-13 20:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-30 19:03 . 2004-09-11 03:24 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\AdobeUM
2010-01-26 03:44 . 2004-02-15 20:06 -------- d-----w- c:\program files\Common Files\HP
2010-01-25 23:45 . 2009-05-23 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 11:00 . 2005-06-11 13:43 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\HP
2010-01-24 02:14 . 2009-10-30 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-23 16:34 . 2009-05-22 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-23 15:26 . 2007-06-29 22:57 -------- d-----w- c:\program files\Java
2010-01-17 04:47 . 2008-07-13 23:21 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\Skype
2010-01-16 23:33 . 2008-07-13 23:25 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\skypePM
2010-01-16 14:44 . 2004-11-08 00:53 -------- d-----w- c:\documents and settings\Dave Stark\Application Data\ArcSoft
2009-12-21 19:14 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2008-12-16 11:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 01:19 . 2009-12-09 01:35 2651136 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-12-09 00:24 . 2009-12-09 00:29 1755648 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-12-07 01:27 . 2009-12-07 01:28 1751040 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-12-06 13:35 . 2009-07-15 10:07 6587412 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-24 23:54 . 2008-08-23 11:30 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-08-23 11:31 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2008-08-23 11:31 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-08-23 11:31 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-08-23 11:31 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-08-23 11:31 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-07-13 22:21 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-06-12 10:21 . 2009-06-12 10:20 401720 ----a-w- c:\program files\HiJackThis.exe
2008-06-19 01:26 . 2008-06-19 01:26 581632 ----a-w- c:\program files\convert.exe
2006-10-31 16:07 . 2006-10-31 16:07 31223 ----a-w- c:\program files\nv4_disp.cat
2004-09-26 00:45 . 2004-09-26 00:45 3485854 ----a-w- c:\program files\InstantConverter.zip
2004-04-27 22:03 . 2004-08-28 15:20 51535 ----a-w- c:\program files\licens32.txt
2003-10-15 14:30 . 2004-08-28 15:20 1747 ----a-w- c:\program files\icbmftvc.lst
2003-08-15 17:39 . 2004-08-28 15:20 527 ----a-w- c:\program files\BL_Games.htm
2003-08-15 17:34 . 2004-08-28 15:20 1810 ----a-w- c:\program files\testgame.htm
2003-01-06 19:41 . 2004-08-28 15:20 1457 ----a-w- c:\program files\rvappstm.lst
2001-01-30 21:04 . 2004-08-28 15:20 1375 ----a-w- c:\program files\aimalert.gif
2001-01-30 21:03 . 2004-08-28 15:20 1370 ----a-w- c:\program files\stockalert.gif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowIcon_The Company_CRW Series Driver v1.16e058"="c:\program files\CRW\shwicon.exe -tThe Company\CRW Series Driver v1.16e058" [X]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2002-09-12 1101824]
"FaxMonitor"="c:\program files\IPFax\FaxMonitor.exe" [2002-01-21 61440]
"CloneCDElbyCDFL"="c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 45056]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-6 809488]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-14 118784]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2004-7-18 233472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 04:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2009-11-24 23:51 81000 ----a-w- c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-02-16 04:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/13/2004 6:12 PM 9344]
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [11/28/2002 5:43 AM 22016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2008 6:31 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2008 6:31 AM 20560]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/13/2004 6:12 PM 448640]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 3:57 PM 6144]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/6/2009 7:12 PM 10384]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-02-07 c:\windows\Tasks\User_Feed_Synchronization-{E82C6E2F-CF91-4FB2-A539-E25936FB53A4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wwdb.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: zonealarm.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A67C8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-436374069-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\CRW\shwicon.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-02-07 08:55:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 13:55
ComboFix2.txt 2010-02-05 23:31
ComboFix3.txt 2009-06-04 03:16

Pre-Run: 33,356,070,912 bytes free
Post-Run: 33,319,858,176 bytes free

- - End Of File - - A0889B6AE9F7572819B67225BED017A2
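The one line in the Gmer "Stealth MBR rootkit" section above that actually matters is `called modules: ... >>UNKNOWN [0x8A67C8C8]<<`: Gmer walked the drivers in the disk I/O path and found code it could not attribute to any loaded driver, even though the MBR itself compared clean ("user & kernel MBR OK"). The hook lines under "detected MBR rootkit hooks:" are the addresses each driver's dispatch resolved to and are only useful alongside that UNKNOWN entry. The script below is an added example, not part of the post or of ComboFix/Gmer; it parses that section and flags the unattributed module so the finding is not lost in a 2,400-line log. The sample input is the Gmer block copied from the log above plus a constructed clean block for comparison; the function and field names are my own.

```python
import re

# Sample 1: the Gmer section from the ComboFix log posted above, embedded
# verbatim as a raw string so the script runs offline.
SAMPLE_FROM_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A67C8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a3b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK
"""

# Sample 2: a constructed clean report (hypothetical, not from the log) with
# no unattributed module in the driver chain.
SAMPLE_CLEAN = r"""
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# Gmer marks code it cannot map to a driver as >>UNKNOWN [address]<<.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Hook lines look like "<target> -> <module> @ <address>"; the target may
# itself contain " -> " (e.g. "IoDeviceObjectType -> DeleteProcedure").
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_mbr_report(text):
    """Extract the fields of a Gmer mbr.exe report into a dict."""
    report = {"called_modules": [], "unknown": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            report["unknown"] = UNKNOWN_RE.findall(body)
            # Everything left after removing UNKNOWN tokens is a named driver.
            report["called_modules"] = UNKNOWN_RE.sub("", body).split()
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            report["mbr_ok"] = True
            in_hooks = False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"].append((m["target"], m["module"], m["addr"]))
    return report


def assess(report):
    """Return a list of findings worth acting on; empty means nothing flagged."""
    findings = []
    if report["unknown"]:
        findings.append(
            "unattributed code in the disk I/O path at " + ", ".join(report["unknown"])
        )
    if not report["mbr_ok"]:
        findings.append("user and kernel MBR reads did not both succeed and match")
    return findings


if __name__ == "__main__":
    for name, text in (("log", SAMPLE_FROM_LOG), ("clean", SAMPLE_CLEAN)):
        rep = parse_mbr_report(text)
        print(name, rep["called_modules"], assess(rep) or "no findings")
```

A clean MBR plus an UNKNOWN module is exactly the combination a file-based antivirus scan will not catch, which is why the log above shows avast! and SUPERAntiSpyware running while the redirects continued; the hook addresses are only meaningful on the machine that produced them and should not be reused as indicators elsewhere.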