Infected by the Help Assistant Trojan


  • This topic is locked
97 replies to this topic

#1 gabstercol

Posted 04 February 2010 - 10:32 AM

Hi there,

I have been hijacked by a hostile, unwelcome user called Help Assistant. It is seriously taking my computer down fast. I have not been able to work off the CD or DVD drives, although it looked like it was making a data disk yesterday as I tried to back up, but nothing copied to the disk at all. I have been reading your instructions and downloaded some of the programs, such as dds.scr and RootRepeal, and I have the logs of DDS and Attach.txt. However, I ran the test in Safe Mode. In normal mode it is iffy: it works sometimes, freezes a lot, and runs wild scans in the background. It has corrupted the Windows Firewall and constantly forces the Remote Desktop users to use my computer, with services all enabled as allowed through the firewall. I actually turned to Microsoft PC Safety to help me, but they were basically worthless in this situation. It was too new for them to know how to handle it, and I got passed from department to department and finally gave up and came to you. I appreciate that you guys have this help for us.

A problem now is that it would not run RootRepeal in Safe Mode on my computer. It initially did a fast scan, but then I realized I didn't do it right because I hit Scan before Report. Then, after I knew the process, I started the program again, and now it just freezes up and does nothing, even in Safe Mode.

I copied the Recovery Console that I found online but only put it on a flash drive. I didn't know if that was okay to do it that way, since there is no mention of a flash drive method. However, the CD/DVD does not work for some reason, so I thought I would ask first before I would mess with the Recovery Console. This trojan started as a trojan dropper from just entering a website through a Google ad in their search engine. It immediately froze me up, and from then on I had an unwelcome Help Assistant. I barely got to save any data before it made things not work. So I am posting the DDS and Attach log now. Please help me work through this problem. Thanks. Gabrielle

Attached Files


#2 gabstercol

Posted 05 February 2010 - 12:46 PM

Hello.

Thank you so very much for all the wonderful support you give us for malware help. I'm anxiously awaiting my turn.

I have been reading your forum posts about other people's malware issues and paying attention to the tools you recommend they scan with. I downloaded and ran dds.scr, OTL and then GMER. It was finding a lot of them in the GMER scan, and then suddenly it went into a diagnostic shutdown of the computer on a blue screen. I have not tried to boot up to Safe Mode yet and run the GMER scan again, but I will. It also failed yesterday in Safe Mode running a scan in RootRepeal. That program just froze and never did get started at all. I ran a ComboFix scan in Safe Mode too but did not do anything to fix what it found, since you guys are warning not to do it without a qualified techie present. But it did find a master boot record infection, though I will not run the fix until I am in your care.

I am using a different computer now, but since the infected one was used daily for my work, it has me concerned for all the financial files and programs that I use that are vulnerable to being hijacked now. In fact, I was in my online banking account a couple of days ago and it froze in the middle of the transaction and then gave me a popup window with my data in it and asked me for additional verification, so it asked for my PIN codes and the numbers on the back of the card. I never saw that window before, so I immediately questioned it at the bank and they are researching it. Gosh, these trojans are getting more clever by the minute, aren't they? And if they created that validation window it was amazing, since I have only been infected for a couple of days and did not go to my bank site at all prior to that for the last couple of weeks. I tried to get my data off the computer, but it has disabled my CD-ROM drives, so I was working with flash drives to retrieve data. I hope there has not been any spread of it to this other computer.

As soon as someone is available I would be ever so grateful.
Thank you again and I have logs as soon as you need them.

Gabrielle

Edited by Orange Blossom, 05 February 2010 - 03:56 PM.
Merged topics. ~ OB


#3 Grinler
Lawrence Abrams (Admin)

Posted 09 February 2010 - 11:09 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#4 gabstercol

Posted 09 February 2010 - 12:17 PM

Thank you for responding. I'm getting ready for a doctor's appointment here this morning, so I will do this later today. It's great that you are on with me now, because this trojan is mean and all-intrusive. It intercepted my online banking on my own computer with an additional security validation window in the middle of a specific transaction. And I fell for it. Come to find out, the bank has no extra validation window of any kind. I have changed my bank accounts and passwords and everything. Sheeesh! Anyway, here is a scan of ComboFix I ran a few days ago, shortly before I shut the computer down from this hostile computer to wait for help. The only time I've powered it up since then is to retrieve more info off of it. I've been using flash drives to copy my files since it disabled my CD drives. I'm preparing for the worst, but I'm excited to work with you. If the worst-case scenario does happen, at least I'll learn something new.

One more thing. You'll see I don't have the Recovery Console installed, and I can't get it off the CD because the CD is not working. I did manage to copy one from the internet onto a flash drive. I'm not sure if it will work, but I copied it from a guy named Dave, I believe it was, who has a kit that comes with the Recovery Console and ComboFix and assorted other fixes for trojans and recovery. I haven't tried it though, since I wanted to get advice from you. I just downloaded the package of tools onto a flash drive.

Here is the log from a few days ago. I will do a new one for you by tomorrow. Thanks so much.

Gabrielle

ComboFix 10-02-03.06 - Administrator 02/04/2010 5:53.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1618 [GMT -10:00]
Running from: G:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 14:35 . 2010-02-04 14:35 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-04 06:19 . 2010-02-04 06:19 -------- d-----w- c:\documents and settings\HelpAssistant\.webrenderer
2010-02-04 06:19 . 2010-02-04 06:19 -------- d-----w- c:\documents and settings\HelpAssistant\.thumbnails
2010-02-04 06:19 . 2010-02-04 06:19 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2010-02-04 06:19 . 2010-02-04 06:19 -------- d-----w- c:\documents and settings\HelpAssistant\.gimp-2.4
2010-02-04 06:19 . 2010-02-04 06:19 -------- d-----w- c:\documents and settings\HelpAssistant\.freemind
2010-02-04 06:19 . 2010-02-04 14:18 -------- d-----w- c:\documents and settings\HelpAssistant
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 16:01 . 2009-06-18 22:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-02 14:51 . 2010-02-02 14:51 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 19:14 . 2010-02-01 19:18 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 13:48 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 20:10 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 14:55 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2009-12-17 14:55 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-10 10:17 . 2009-11-23 13:03 -------- d-----w- c:\program files\Interbank FX Trader 4
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-11 17:25 . 2008-05-13 07:29 99624 ----a-w- c:\documents and settings\Gabrielle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 12:55 . 2009-10-30 11:08 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2/2/2010 06:01 AM 18816]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c168950e-a0d3-11de-9f03-0019dbb7024b}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 05:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89CD6718]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x89cd6718
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x8986a330
PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21
SendHandler -> NDIS.sys @ 0xb9dab87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
.
**************************************************************************
.
Completion time: 2010-02-04 06:05:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 16:05

Pre-Run: 20,373,454,848 bytes free
Post-Run: 20,163,629,056 bytes free

- - End Of File - - FF650AA7ADBA79A65C2781B81A5CBF84
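The three parts of the log above that a helper reads first are the firewall GloballyOpenPorts exceptions (four high ports labelled only "Services"), the Security Center AntiVirusOverride value, and the Gmer MBR detector block naming the sector with malicious code. The script below is an added example, not part of this thread and not ComboFix or BleepingComputer code, that parses those three pieces of a ComboFix log and flags them. It assumes the Windows XP firewall writes each exception value as Port:Proto:Scope:State:Name (five colon-separated fields), so a value with fewer fields was not written through the firewall's own UI; the sample input is quoted from the log posted above.

```python
"""Triage the parts of a ComboFix log that matter most in the thread above:
firewall port exceptions, Security Center overrides and the MBR detector block."""
import re

# Sample input: lines quoted from the ComboFix log posted above (post #4).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# One GloballyOpenPorts value per line: "port:proto"= <raw value>
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.+?)\s*$', re.M)
# Security Center overrides (AntiVirusOverride, FirewallOverride, ...)
OVERRIDE_RE = re.compile(r'^"(\w+Override)"=dword:([0-9a-fA-F]{8})\s*$', re.M)
SECTOR_RE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")

# Assumption: the XP SP2+ firewall writes each exception as
# Port:Proto:Scope:State:Name (five colon-separated fields).
EXPECTED_FIELDS = 5


def parse_open_ports(log):
    """Return one dict per firewall port exception found in the log."""
    entries = []
    for port, proto, raw in PORT_RE.findall(log):
        fields = raw.split(":", EXPECTED_FIELDS - 1)
        entry = {"port": int(port), "proto": proto, "fields": fields}
        if len(fields) == EXPECTED_FIELDS:
            entry.update(scope=fields[2], state=fields[3], name=fields[4])
        entries.append(entry)
    return entries


def triage_ports(entries):
    """Flag exceptions that are malformed or that open a high port."""
    findings = []
    for e in entries:
        label = f"port {e['port']}/{e['proto']}"
        if len(e["fields"]) != EXPECTED_FIELDS:
            # Too few fields to carry a scope and an Enabled/Disabled state,
            # so this value was not written through the firewall UI: suspicious.
            findings.append(f"{label}: malformed exception {e['fields']}")
        elif e["state"].lower() != "disabled" and e["port"] >= 1024:
            findings.append(f"{label}: enabled high-port exception '{e['name']}'")
    return findings


def triage_security_center(log):
    """Flag Security Center overrides set to 1 (the matching alert is silenced)."""
    return [f"Security Center {name}=1: the {name[:-len('Override')]} alert is suppressed"
            for name, value in OVERRIDE_RE.findall(log) if int(value, 16) == 1]


def triage_mbr(log):
    """Summarise the Gmer MBR detector verdict and the sectors it names."""
    if "possible MBR rootkit infection" not in log:
        return []
    sectors = ", ".join(SECTOR_RE.findall(log)) or "unknown"
    return [f"MBR detector: rootkit warning, malicious code at sector(s) {sectors}"]


def triage(log):
    """All findings for one ComboFix log, in the order a helper would read them."""
    return triage_ports(parse_open_ports(log)) + triage_security_center(log) + triage_mbr(log)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("[!]", finding)
```

Run against the quoted excerpt it reports six findings: the four three-field "Services" exceptions, the AntiVirusOverride flag, and the MBR warning at sector 0x03A384C44. The well-formed, disabled 3389 entry is not flagged, which is the distinction that matters here: the user reported Remote Desktop being forced open, but the indicator in this log is the set of oddly formatted high-port exceptions, not the RDP entry itself.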


#5 Grinler
Lawrence Abrams (Admin)

Posted 09 February 2010 - 12:20 PM

In this topic:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Please perform steps 6 and 8 and post the ark.txt log and a new ComboFix log.

Thanks

#6 gabstercol

Posted 10 February 2010 - 10:09 AM

Hi there,

Okay, I used Defogger and disabled CD emulation software. I'm not sure if there was any, since it did not ask to restart my computer, but I restarted it anyway.

Then I ran a scan of ComboFix and it successfully installed the Recovery Console. I will post the log below.

Then I started the GMER program. In the middle of running the GMER scan, the program stopped and gave me a blue screen indicating that a problem was detected and Windows was shut down to prevent damage. It had an entry showing: Driver IRQL Not Less or Equal. Then it showed a memory dump. I wrote down the Stop location in case you needed that number. So then I tried to run the GMER scan in Safe Mode, and it too crashed with the same blue screen page as before. So then I started the computer back up and I ran GMER, this time from a previous download I did a couple of days ago rather than from the download link that you sent me. It ran for a while and had many, many entries in the window, but then it froze the program and the computer while scanning. However, this time I pressed the Save Log button before it ever started scanning, and it did capture and save the log. So I am also including it here.

Here is my ComboFix log:

ComboFix 10-02-03.06 - Gabrielle 02/10/2010 3:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1556 [GMT -10:00]
Running from: c:\documents and settings\Gabrielle\Desktop\Combofix\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-04 14:35 . 2010-02-05 17:05 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:51 . 2010-02-05 17:08 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:39 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2010-02-08 16:27 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2010-02-05 18:38 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 18:33 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 03:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A57E900]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a57e900
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x89569330
PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21
SendHandler -> NDIS.sys @ 0xb9dab87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 03:11:51
ComboFix-quarantined-files.txt 2010-02-10 13:11
ComboFix2.txt 2010-02-04 16:05

Pre-Run: 20,145,627,136 bytes free
Post-Run: 20,097,159,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - A3A6CD200C0464EC7231BF2CC2B33241


HERE IS MY GMER LOG - It never did finish running since it froze in the middle.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 04:06:26
Windows 5.1.2600 Service Pack 3
Running: nth39gwh.exe; Driver: C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\fwrdqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xB2FB1C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcessEx [0xB2FB1C36]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwOpenKey [0xB2FB1C6A]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xB2FB1C50]

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\00000060 8997C6E8
Device \Driver\ACPI \Device\00000061 8997C6E8
Device \Driver\ACPI \Device\00000055 8997C6E8
Device \Driver\ACPI \Device\00000056 8997C6E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\ACPI \Device\00000071 8997C6E8
Device \Driver\ACPI \Device\00000058 8997C6E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\ACPI \Device\00000074 8997C6E8
Device \Driver\ACPI \Device\00000075 8997C6E8
Device \Driver\ACPI \Device\00000069 8997C6E8
Device \Driver\ACPI \Device\00000078 8997C6E8
Device \Driver\ACPI \Device\00000079 8997C6E8
Device \Driver\ACPI \Device\0000005a 8997C6E8
Device \Driver\ACPI \Device\0000005b 8997C6E8
Device \Driver\ACPI \Device\0000005c 8997C6E8
Device \Driver\ACPI \Device\0000005e 8997C6E8
Device \Driver\ACPI \Device\0000006c 8997C6E8
Device \Driver\ACPI \Device\0000007a 8997C6E8
Device \Driver\ACPI \Device\0000006d 8997C6E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912



Thank you for your help with this problem. It looks like a nasty one.

Gabrielle


Hi there,

Okay, I used Defogger and disabled CD emulation software. I'm not sure if there was any, since it did not ask to restart my computer, but I restarted it anyway.

Then I ran a ComboFix scan and it successfully installed the Recovery Console. I will post the log below.

Then I started the GMER program. In the middle of running the GMER scan the program stopped and gave me a blue screen indicating that a problem was detected and Windows was shut down to prevent damage. It had an entry showing: Driver IRQL Not Less or Equal. Then it showed a memory dump. I wrote down the Stop location in case you needed that number. So then I tried to run the GMER scan in Safe Mode, and it too crashed with the same blue screen as before. So then I started the computer back up and ran GMER, this time from a previous download I did a couple of days ago rather than from the download link that you sent me. It ran for a while and had many, many entries in the window, but then it froze the program and the computer while scanning. However, this time I pressed the Save log button before it ever started scanning, and it did capture and save the log. So I am also including it here.

HERE IS MY COMBO FIX LOG

ComboFix 10-02-03.06 - Gabrielle 02/10/2010 3:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1556 [GMT -10:00]
Running from: c:\documents and settings\Gabrielle\Desktop\Combofix\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-04 14:35 . 2010-02-05 17:05 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:51 . 2010-02-05 17:08 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:39 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2010-02-08 16:27 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2010-02-05 18:38 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 18:33 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 03:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A57E900]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a57e900
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x89569330
PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21
SendHandler -> NDIS.sys @ 0xb9dab87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 03:11:51
ComboFix-quarantined-files.txt 2010-02-10 13:11
ComboFix2.txt 2010-02-04 16:05

Pre-Run: 20,145,627,136 bytes free
Post-Run: 20,097,159,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - A3A6CD200C0464EC7231BF2CC2B33241


HERE IS MY GMER LOG - It never did finish running since it froze in the middle.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 04:06:26
Windows 5.1.2600 Service Pack 3
Running: nth39gwh.exe; Driver: C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\fwrdqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xB2FB1C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcessEx [0xB2FB1C36]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwOpenKey [0xB2FB1C6A]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xB2FB1C50]

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\00000060 8997C6E8
Device \Driver\ACPI \Device\00000061 8997C6E8
Device \Driver\ACPI \Device\00000055 8997C6E8
Device \Driver\ACPI \Device\00000056 8997C6E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\ACPI \Device\00000071 8997C6E8
Device \Driver\ACPI \Device\00000058 8997C6E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\ACPI \Device\00000074 8997C6E8
Device \Driver\ACPI \Device\00000075 8997C6E8
Device \Driver\ACPI \Device\00000069 8997C6E8
Device \Driver\ACPI \Device\00000078 8997C6E8
Device \Driver\ACPI \Device\00000079 8997C6E8
Device \Driver\ACPI \Device\0000005a 8997C6E8
Device \Driver\ACPI \Device\0000005b 8997C6E8
Device \Driver\ACPI \Device\0000005c 8997C6E8
Device \Driver\ACPI \Device\0000005e 8997C6E8
Device \Driver\ACPI \Device\0000006c 8997C6E8
Device \Driver\ACPI \Device\0000007a 8997C6E8
Device \Driver\ACPI \Device\0000006d 8997C6E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912



Thank you for your help with this problem. It looks like a nasty one.

Gabrielle


#7 gabstercol (Topic Starter; Members, 192 posts; Gender: Female)

Posted 10 February 2010 - 10:21 AM

Sorry it looks like it posted that message twice with my logs. It was running really slow while I was trying to send it and I must have clicked it a second time. So sorry.

#8 Grinler (Lawrence Abrams; Admin, 43,593 posts; Gender: Male; Location: USA)

Posted 10 February 2010 - 10:40 AM

First, download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it and it will create a mbr.log on your desktop.

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
Suspect::[3]
c:\program files\3G80FNLF.bat
c:\windows\S7E4EA38E.tmp
c:\windows\winstart.bat
c:\windows\system32\F20FB882EC.sys


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt and the mbr.log in your next reply.
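A way to triage the two logs this reply asks for (the mbr.log that mbr.exe writes and the firewall / Security Center section of the ComboFix log) mechanically, as an added example that is not part of the thread and is not code from GMER, ComboFix or either poster. The log excerpts inside are constructed in those tools' output format (sector numbers and port numbers are made up), and BASELINE_PORTS is an assumption about which global port exceptions a stock XP SP3 firewall profile may carry:

```python
"""Triage of an mbr.exe log and the firewall / Security Center part of a
ComboFix log.  Added example for this thread; it is not code from GMER,
ComboFix or the posters.  The log excerpts below are constructed in the
tools' output format (sector numbers and ports are made up), and
BASELINE_PORTS is an assumption about a stock XP SP3 firewall profile."""
import re
from typing import Dict, List

SAMPLE_MBR_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a918410
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0123ABC1
malicious code @ sector 0x0123ABC4 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

SAMPLE_COMBOFIX_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"20202:TCP"= 20202:TCP:*:Enabled:Services
"65533:TCP"= 65533:TCP:Services
"2479:TCP"= 2479:TCP:Services

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Lines mbr.exe prints only when it believes the boot path is hooked or a
# second copy of the MBR is stashed elsewhere on the disk.
MBR_INDICATORS = (
    "Warning: possible MBR rootkit infection",
    "malicious code @ sector",
    "PE file found in sector",
    "MBR rootkit infection detected",
)
SECTOR_RE = re.compile(r"sector (?:at )?(0x[0-9A-Fa-f]+)")

# Global port exceptions a stock XP SP3 profile may legitimately carry
# (NetBIOS/SMB file sharing and Remote Desktop).  Assumption for this demo.
BASELINE_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP", "3389:TCP"}

VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.+)$')


def triage_mbr_log(text: str) -> Dict[str, object]:
    """Return whether mbr.exe flagged the MBR, the lines that say so, and
    every sector number it mentioned (handy when imaging the disk later)."""
    lines = text.splitlines()
    indicators = [ln for ln in lines if any(tag in ln for tag in MBR_INDICATORS)]
    sectors = [m.group(1) for ln in lines for m in [SECTOR_RE.search(ln)] if m]
    return {"infected": bool(indicators), "indicators": indicators, "sectors": sectors}


def triage_firewall(text: str) -> Dict[str, List[str]]:
    """Walk the REGEDIT4-style section of a ComboFix log and report:
    open_ports      - enabled global exceptions outside the baseline
    malformed       - entries not in the port:proto:scope:state:name form the
                      XP firewall writes (a sign something else wrote them)
    security_center - *Override values set, i.e. Security Center told to stop
                      warning about missing antivirus / firewall / updates"""
    findings: Dict[str, List[str]] = {"open_ports": [], "malformed": [], "security_center": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if "globallyopenports" in section:
            fields = value.split(":")
            if len(fields) < 5:
                findings["malformed"].append(key)
                continue
            port_proto = f"{fields[0]}:{fields[1]}"
            if fields[3].lower() != "disabled" and port_proto not in BASELINE_PORTS:
                findings["open_ports"].append(port_proto)
        elif "security center" in section and key.endswith("Override"):
            if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                findings["security_center"].append(key)
    return findings


if __name__ == "__main__":
    print(triage_mbr_log(SAMPLE_MBR_LOG))
    print(triage_firewall(SAMPLE_COMBOFIX_LOG))
```

The three-field port entries are reported separately from the enabled ones on purpose: the firewall UI always writes five colon-separated fields, so a shorter entry tells you the value was written by something other than the firewall, which is worth knowing even before deciding whether the port itself is suspicious.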

#9 gabstercol (Topic Starter; Members, 192 posts; Gender: Female)

Posted 11 February 2010 - 01:31 AM

Here is the mbr Log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a918410
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x8954a330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



Here is the Combo Fix Log.

ComboFix 10-02-03.06 - Gabrielle 02/10/2010 20:27:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1507 [GMT -10:00]
Running from: c:\documents and settings\Gabrielle\Desktop\Combofix\ComboFix.exe
Command switches used :: c:\documents and settings\Gabrielle\Desktop\CFScript.txt

file zipped: c:\program files\3G80FNLF.bat
file zipped: c:\windows\S7E4EA38E.tmp
file zipped: c:\windows\system32\F20FB882EC.sys
file zipped: c:\windows\winstart.bat
.

((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-04 14:35 . 2010-02-05 17:05 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:51 . 2010-02-05 17:08 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:39 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2010-02-08 16:27 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2010-02-05 18:38 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 18:33 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-10_13.10.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-13 18:39 . 2010-02-10 14:02 3817984 c:\windows\Installer\b9e8ad.msi
- 2008-05-13 18:39 . 2010-02-04 03:45 3817984 c:\windows\Installer\b9e8ad.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"9487:TCP"= 9487:TCP:Services

R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a918410
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x8954a330
PacketIndicateHandler -> NDIS.sys @ 0xb9dafa0d
SendHandler -> NDIS.sys @ 0xb9dc3b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 20:32:10
ComboFix-quarantined-files.txt 2010-02-11 06:32
ComboFix2.txt 2010-02-10 13:11
ComboFix3.txt 2010-02-04 16:05

Pre-Run: 19,985,018,880 bytes free
Post-Run: 19,935,809,536 bytes free

- - End Of File - - A56FC8BF8C2060DD55629CC7DB7C1F68


#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 11 February 2010 - 04:15 PM

Click on the Start button and then select Run. In the open field enter:

%UserProfile%\desktop\mbr.exe -f

The program will run. When it is done post a copy of the mbr.log again.

On your desktop you should have a file called CF-Submit.htm. Please click on that file and follow the directions it displays when it loads in your web browser.

#11 gabstercol

gabstercol
  • Topic Starter

  • Members
  • 192 posts
  • Gender:Female

Posted 11 February 2010 - 06:30 PM

Please clarify for me where the CF-submit.htm is coming from? At this point it is not on the computer. Will it appear after I do the fix for today?
The reason I'm asking is that all along I have been downloading the programs you want me to use on that computer to my other computer, then copying them to a flash drive and installing them on the sick machine. This lets me keep that computer on the internet the least amount of time so my hijacked info did not get any further than my computer.
Please advise how to get to this file.

thank you.

Gabrielle

#12 gabstercol

gabstercol
  • Topic Starter

  • Members
  • 192 posts
  • Gender:Female

Posted 11 February 2010 - 07:48 PM

When I typed the command into the Run box:


%UserProfile%\desktop\mbr.exe -f

it comes up with a window that says: Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click search.

What do I do next?

thanks, Gabrielle

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 11 February 2010 - 08:09 PM

Try this in the run box:

"%userprofile%\desktop\mbr.exe" -f

We need the quotes.

#14 gabstercol

gabstercol
  • Topic Starter

  • Members
  • 192 posts
  • Gender:Female

Posted 11 February 2010 - 10:33 PM

Hi,

Okay, I ran it with your second instruction, with quotes, and it worked. I then ran the command one time and wasn't sure where the mbr log went, since there is no date on those logs, so I wanted to make sure I wasn't mixing them up. So I ran it again. After comparing them to yesterday's, I realize that they each say different things. So I will post here the two different runs of the command that I ran.


HERE IS THE FIRST RUN OF THE COMMAND

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a5e7c30
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x894c7330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !



HERE IS THE NEXT RUN OF THE COMMAND A FEW MINUTES LATER

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a5e7c30
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x894c7330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !


As far as the CF-Submit.htm, there is no file I am finding called that. Please tell me where it should have been made from and I can run the tool again to get it. Was it supposed to be made when I copied that code to drop it on combofix?

thank you for all you are doing to help my sick computer.

Gabrielle
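
As an added illustration of how to triage the two mbr.exe runs posted above (this is editor-added example code, not part of the thread, of ComboFix, or of Gmer's tool), the Python below parses the detector's output into a structured summary and derives a verdict from it. The sample input is the two runs quoted in this post, transcribed so the script runs offline; the line patterns it matches are only the ones visible on this page, and the verdict labels (`active-infection-repaired`, `residual-on-disk`, and so on) are the editor's own, not Gmer's. The point it makes: after `mbr.exe -f` the in-memory MBR reads clean (`user & kernel MBR OK`), but the copy of the original MBR and the code the tool flagged are still present at the same disk sectors, which is why the second run now points to `fixmbr` instead of reporting an active hook.

```python
import re
from dataclasses import dataclass, field

# Sample input (constructed from the two runs quoted in the post above).
FIRST_RUN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a5e7c30
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x894c7330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
"""

SECOND_RUN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a5e7c30
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x894c7330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# "<target> -> <detail>" lines that follow the "detected MBR rootkit hooks:" header.
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<detail>.+)$")
SECTOR_RE = re.compile(r"0x[0-9A-Fa-f]+")

# Line prefixes that carry a sector address, mapped to a short finding name.
SECTOR_FINDINGS = {
    "copy of MBR has been found in sector": "mbr_copy",
    "malicious code @ sector": "malicious_code",
    "PE file found in sector at": "pe_file",
}

# Status markers as they appear in the tool output, mapped to a flag name.
STATUS_FLAGS = {
    "Warning: possible MBR rootkit infection": "warning",
    "MBR rootkit infection detected": "infection_detected",
    "original MBR restored successfully": "mbr_restored",
    "user & kernel MBR OK": "mbr_ok",
    '"fixmbr"': "fixmbr_advised",
}


@dataclass
class MbrReport:
    hooks: list = field(default_factory=list)    # (target, detail) pairs
    sectors: dict = field(default_factory=dict)  # finding name -> sector address
    flags: set = field(default_factory=set)      # status markers seen


def parse_mbr_log(text: str) -> MbrReport:
    """Parse one mbr.exe run into hooks, flagged sectors and status flags."""
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report.hooks.append((m.group("target"), m.group("detail")))
                continue
            in_hooks = False  # first non-hook line ends the hook listing
        for prefix, name in SECTOR_FINDINGS.items():
            if line.startswith(prefix):
                addr = SECTOR_RE.search(line)
                if addr:
                    report.sectors[name] = addr.group(0)
        for marker, flag in STATUS_FLAGS.items():
            if marker in line:
                report.flags.add(flag)
    return report


def verdict(report: MbrReport) -> str:
    """Editor-defined triage labels derived from the parsed flags and sectors."""
    f = report.flags
    if "infection_detected" in f and "mbr_restored" in f:
        return "active-infection-repaired"  # hooked boot code was rewritten by -f
    if "infection_detected" in f:
        return "active-infection"
    if "mbr_ok" in f and report.sectors:
        return "residual-on-disk"  # boot code clean, hidden sectors still present
    if report.sectors:
        return "suspicious-sectors"
    return "clean"


if __name__ == "__main__":
    for label, text in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        r = parse_mbr_log(text)
        print(label, "->", verdict(r), r.sectors, sorted(r.flags))
```

Hook lines are kept only as information: the ComboFix-embedded run earlier in this thread lists `\Driver\Disk -> CLASSPNP.SYS` alongside the others, and a hook entry on its own does not decide the verdict here; the status lines and the flagged sector addresses do.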

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 12 February 2010 - 11:35 AM

The cf-submit.htm should be in the C:\ folder.

Download the following file to your desktop:

http://download.bleepingcomputer.com/spyware/getservice.zip

Once downloaded, right-click on it and extract it to your desktop.

Double-click on the new getservice folder and keep opening the folders until you see getservice.bat. Double-click on that and then post the resulting logfile as a reply to this topic.



