
malware problem. can't identify. please help


  • This topic is locked
34 replies to this topic

#1 jma12

jma12

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 08 April 2010 - 10:20 AM

Hi,

I get redirected to random webpages when clicking on search results in google.

MBAM (fully updated) says I'm clean.

After a while, new malware tends to appear; MBAM gets rid of these but the underlying problem persists.

DDS and GMER logs copied below, 'attach' is attached. (GMER froze my machine a few times; I'm not sure the scan completed properly, but I've posted what it came up with.)

Thanks, jma12

DDS (Ver_10-03-17.01) - NTFSx86 .
Run by AJM at 14:52:45.90 on 08/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.558 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\AJM\Local Settings\Temporary Internet Files\Content.IE5\PN06SPPI\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {6CBE4B52-4E7F-49E4-BEE3-B06419111A0A} = 129.67.1.180,163.1.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
LSA: Notification Packages = scecli fusstub

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2002-3-11 9216]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-1-29 8576]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-10-18 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-10-16 37040]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-10-18 226304]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-04-07 19:18:18 98816 ----a-w- c:\windows\sed.exe
2010-04-07 19:18:18 77312 ----a-w- c:\windows\MBR.exe
2010-04-07 19:18:18 261632 ----a-w- c:\windows\PEV.exe
2010-04-07 19:18:18 161792 ----a-w- c:\windows\SWREG.exe
2010-04-07 11:07:25 0 d-----w- c:\program files\TrendMicro
2010-04-06 23:09:41 0 d-----w- c:\docume~1\ajm\applic~1\Trusteer
2010-04-06 22:54:42 0 d-----w- c:\program files\PartyGaming
2010-04-06 22:06:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-06 21:57:34 0 d-----w- c:\docume~1\ajm\applic~1\UB
2010-04-06 18:58:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-06 18:54:53 0 d-----w- c:\program files\Lavasoft
2010-04-06 17:17:47 120 ----a-w- c:\windows\Ofosasutiyayiyo.dat
2010-04-06 17:17:47 0 ----a-w- c:\windows\Fvafi.bin
2010-04-05 23:03:46 71680 ----a-w- c:\windows\system32\klgd.bmp
2010-04-05 23:03:46 23162 ----a-w- c:\windows\system32\enb
2010-04-01 20:20:45 0 d-----w- c:\docume~1\alluse~1\applic~1\NJStar
2010-04-01 20:17:40 397 ----a-w- c:\windows\NJCOM.INI
2010-04-01 20:17:37 0 d-----w- c:\docume~1\ajm\applic~1\NJStar
2010-04-01 20:17:32 0 d-----w- c:\program files\NJStar Communicator
2010-03-23 17:38:34 0 d-----w- c:\docume~1\ajm\applic~1\BitTorrent
2010-03-23 17:38:29 0 d-----w- c:\program files\BitTorrent
2010-03-20 16:58:34 0 d-----w- c:\docume~1\ajm\applic~1\JustVoip

==================== Find3M ====================

2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 14:21:20 12445 ----a-w- c:\program files\common files\kuket.exe
2009-10-07 14:21:20 12182 ----a-w- c:\program files\common files\ycatoq.pif
2009-10-07 14:13:20 19627 ----a-w- c:\program files\common files\ugunyq.db
2009-10-07 14:12:27 17977 ----a-w- c:\program files\common files\uhohoviv._dl
2007-02-01 17:02:54 313344 ----a-w- c:\program files\hjsplit.exe
2008-04-12 15:31:09 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-30 18:54:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122120091228\index.dat
2009-12-30 18:54:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009123020091231\index.dat

============= FINISH: 14:53:59.65 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 16:06:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\AJM\LOCALS~1\Temp\kftorkoc.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 86F87AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:57 AM

Posted 12 April 2010 - 05:08 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 jma12

jma12
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 12 April 2010 - 06:44 AM

Thanks for the reply. I'm still getting redirects on searches.


Here are the OTL logs:


OTL logfile created on: 12/04/2010 12:36:43 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\AJM\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 622.00 Mb Available Physical Memory | 61.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1600 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 36.32 Gb Free Space | 38.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-B5129B968C
Current User Name: AJM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/12 12:35:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AJM\Desktop\OTL.exe
PRC - [2008/08/29 13:58:20 | 001,549,080 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
PRC - [2008/08/29 13:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2008/04/14 01:12:40 | 000,073,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/21 00:24:46 | 002,068,527 | ---- | M] () -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2006/02/28 15:18:10 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2006/02/28 15:16:08 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2006/02/28 15:15:30 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/05/20 17:41:42 | 000,153,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe


========== Modules (SafeList) ==========

MOD - [2010/04/12 12:35:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AJM\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (gupdate1c9862f1fc5b8aa) Google Update Service (gupdate1c9862f1fc5b8aa)
SRV - File not found [On_Demand | Stopped] -- -- (aspnet_state)
SRV - [2008/08/29 13:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/02/28 15:18:10 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/02/28 15:16:08 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/02/28 15:15:30 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/05/20 17:41:42 | 000,153,600 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/10 14:31:59 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\tsk2D.tmp -- (atapi)
DRV - [2009/02/21 16:51:50 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/08/29 13:57:18 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/04/13 19:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/29 17:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 17:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/05/05 19:21:00 | 000,004,608 | ---- | M] (NVIDIA Corporation.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\nvport.sys -- (nvport)
DRV - [2006/03/29 08:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2006/03/07 21:26:00 | 003,643,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/02/28 16:35:56 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/02/26 05:43:00 | 001,428,480 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2006/02/22 18:13:12 | 000,013,440 | ---- | M] (UPEK Inc.) [File_System | Auto | Running] -- C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys -- (FdRedir)
DRV - [2006/02/22 18:13:04 | 000,033,024 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys -- (FileDisk2)
DRV - [2006/02/22 18:05:44 | 000,028,800 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2006/02/21 18:32:32 | 000,226,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2005/12/28 23:28:08 | 000,055,680 | ---- | M] (Micro Vision Co.,Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Mvc25U870.sys -- (Mvc25U870_VID_1262&PID_25FD)
DRV - [2005/12/01 20:43:16 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2005/11/24 14:37:36 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/11/22 22:29:58 | 000,108,800 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2005/11/21 22:06:02 | 000,009,216 | ---- | M] (Sony Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\shpf.sys -- (shpf)
DRV - [2005/11/17 13:40:00 | 001,076,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/11/15 23:36:20 | 000,036,736 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2005/11/11 16:09:52 | 000,052,864 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2005/10/21 11:19:34 | 000,036,352 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/10/18 16:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 16:52:34 | 000,202,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/10/18 16:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/17 10:43:00 | 000,241,408 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/09/15 19:06:08 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/08/01 17:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 19:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 14:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/11/22 12:31:00 | 000,108,767 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2001/12/19 12:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 13:51:22 | 000,037,040 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyPI.sys -- (SPI)
DRV - [2000/12/05 16:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 19:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>




IE - HKU\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-839522115-1123561945-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-839522115-1123561945-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2010/04/09 14:59:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1270817968359 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.76.34.141
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ComPlusSetup: DllName - C:\WINDOWS\system32\catsrvut.dll - C:\WINDOWS\system32\catsrvut.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\AJM\My Documents\BA\Wittgenstein\New Folder (2)\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\AJM\My Documents\BA\Wittgenstein\New Folder (2)\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/16 18:25:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/04/11 15:36:46 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-839522115-1123561945-682003330-1004\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/12 12:35:40 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AJM\Desktop\OTL.exe
[2010/04/11 15:36:46 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/04/10 14:31:59 | 000,036,488 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/09 15:12:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/09 14:17:51 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/09 14:13:57 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/09 14:13:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/09 14:02:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/04/08 16:28:46 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\AJM\Desktop\TDSSKiller.exe
[2010/04/07 20:43:58 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/07 12:07:25 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/04/07 00:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Trusteer
[2010/04/07 00:09:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Application Data\Trusteer
[2010/04/06 23:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\PartyGaming
[2010/04/06 23:06:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/04/06 22:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Application Data\UB
[2010/04/06 19:58:18 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/06 19:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/06 18:41:31 | 003,939,704 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\AJM\Desktop\procexp.exe
[2010/04/06 18:17:25 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/04/06 18:17:16 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe
[2010/04/06 17:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/06 17:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/06 14:08:53 | 000,186,880 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\AJM\Desktop\LSPFix.exe
[2010/04/06 12:19:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 12:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/01 21:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NJStar
[2010/04/01 21:17:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Application Data\NJStar
[2010/04/01 21:17:32 | 000,000,000 | ---D | C] -- C:\Program Files\NJStar Communicator
[2010/03/23 18:38:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Application Data\BitTorrent
[2010/03/23 18:38:29 | 000,000,000 | ---D | C] -- C:\Program Files\BitTorrent
[2010/03/20 18:19:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Desktop\New Folder
[2010/03/20 17:58:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\AJM\Application Data\JustVoip
[2009/12/30 19:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/07/12 19:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\nagasoft
[2009/02/21 17:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/02/07 15:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2007/10/03 23:54:49 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/06 14:36:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2006/10/16 18:33:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/10/16 18:24:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/12 12:35:45 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AJM\Desktop\OTL.exe
[2010/04/12 12:05:31 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\nmvfqeok.sys
[2010/04/12 11:59:08 | 000,014,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\A28k41
[2010/04/12 11:59:08 | 000,014,516 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\A28k41
[2010/04/11 20:10:49 | 000,023,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouclass.sys
[2010/04/10 23:17:45 | 008,629,224 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\P4090277.AVI
[2010/04/10 14:44:12 | 584,990,593 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\Pure.Pwnage.TV.S01E05.720p.HDTV.x264-aAF.mkv
[2010/04/10 14:32:41 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/10 14:31:59 | 000,036,488 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/10 08:45:45 | 000,468,104 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/10 08:45:45 | 000,395,090 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/10 08:45:45 | 000,065,902 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/10 08:41:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/10 08:41:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/10 08:41:05 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/10 08:40:14 | 010,747,904 | ---- | M] () -- C:\Documents and Settings\AJM\NTUSER.DAT
[2010/04/10 08:40:14 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\AJM\ntuser.ini
[2010/04/10 08:40:07 | 005,881,648 | -H-- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\IconCache.db
[2010/04/10 08:32:01 | 000,002,544 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\L8qmQ8G1Kj
[2010/04/10 08:32:01 | 000,002,544 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\L8qmQ8G1Kj
[2010/04/10 02:45:48 | 000,001,736 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\kH832332nVa32
[2010/04/10 02:45:48 | 000,001,736 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\kH832332nVa32
[2010/04/09 15:14:09 | 000,045,378 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/09 15:00:46 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/09 14:59:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/09 14:41:50 | 003,910,295 | R--- | M] () -- C:\Documents and Settings\AJM\Desktop\thehammer.exe
[2010/04/09 14:35:24 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/04/09 14:17:51 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/09 14:13:57 | 000,001,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/09 14:05:20 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/09 14:02:46 | 002,000,615 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2010/04/09 13:59:56 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/09 12:09:20 | 000,018,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4b8ki
[2010/04/09 12:09:20 | 000,018,272 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\4b8ki
[2010/04/08 23:49:14 | 000,004,088 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Ls4taj0t
[2010/04/08 23:49:14 | 000,004,088 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\Ls4taj0t
[2010/04/08 22:20:58 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\tdsskiller.zip
[2010/04/08 22:00:29 | 000,000,118 | ---- | M] () -- C:\tujserrew.bat
[2010/04/08 22:00:24 | 000,001,538 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\11wK14k5eGu5f
[2010/04/08 22:00:24 | 000,001,538 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\11wK14k5eGu5f
[2010/04/08 22:00:13 | 000,071,680 | RHS- | M] () -- C:\WINDOWS\System32\keyboards.dll
[2010/04/08 21:50:31 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\xp_exe_fix.zip
[2010/04/08 21:42:21 | 000,001,692 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\RvRjj7MUCPQ0
[2010/04/08 21:42:21 | 000,001,692 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\RvRjj7MUCPQ0
[2010/04/08 14:54:44 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\gmer.zip
[2010/04/08 14:35:19 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/08 14:20:27 | 000,002,798 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\QsAgA3xk6
[2010/04/08 14:20:27 | 000,002,798 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\QsAgA3xk6
[2010/04/08 14:02:13 | 000,002,672 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5PYp7
[2010/04/08 14:02:13 | 000,002,672 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\5PYp7
[2010/04/07 22:36:08 | 183,804,606 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\south.park.s14e04.hdtv.xvid-fqm.avi
[2010/04/07 11:31:13 | 000,023,162 | ---- | M] () -- C:\WINDOWS\System32\enb
[2010/04/07 02:53:15 | 000,074,752 | ---- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/06 20:58:19 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/06 19:58:17 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/06 18:17:47 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ofosasutiyayiyo.dat
[2010/04/06 18:17:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Fvafi.bin
[2010/04/06 17:56:27 | 000,000,980 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7VJ5
[2010/04/06 17:09:29 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\housecall.guid.cache
[2010/04/03 12:37:52 | 000,001,838 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\XORQ
[2010/04/03 12:37:52 | 000,001,838 | -HS- | M] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\XORQ
[2010/04/01 21:21:06 | 000,000,397 | ---- | M] () -- C:\WINDOWS\NJCOM.INI
[2010/04/01 11:26:20 | 003,939,704 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\AJM\Desktop\procexp.exe
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/23 22:05:44 | 000,020,385 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\108_Philosophy_of_Logic_and_Language.pdf
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\AJM\Desktop\TDSSKiller.exe
[2010/03/21 19:21:17 | 000,212,206 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\lstheoremsmain.pdf
[2010/03/21 13:26:36 | 000,000,098 | ---- | M] () -- C:\WINDOWS\WirelessFTP.INI
[2010/03/18 18:24:12 | 000,420,437 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\kap.pdf
[2010/03/17 20:52:36 | 000,172,381 | ---- | M] () -- C:\Documents and Settings\AJM\Desktop\ksp.pdf
[3 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/12 12:05:31 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\nmvfqeok.sys
[2010/04/12 11:56:43 | 000,014,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\A28k41
[2010/04/12 11:56:43 | 000,014,516 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\A28k41
[2010/04/12 01:37:13 | 183,580,672 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x13 - Guitar Queer-O.avi
[2010/04/12 01:29:49 | 183,169,342 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x07 - Night Of The Living Homeless.avi
[2010/04/12 01:29:32 | 183,081,084 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x06 - D-Yikes.avi
[2010/04/12 00:33:22 | 584,990,593 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\Pure.Pwnage.TV.S01E05.720p.HDTV.x264-aAF.mkv
[2010/04/11 02:18:56 | 367,003,648 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\The Spartans - Part 3.avi
[2010/04/11 01:14:16 | 366,905,344 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\The Spartans - Part 2.avi
[2010/04/10 23:56:33 | 182,589,420 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x12 - Imaginationland Episode III.avi
[2010/04/10 23:34:47 | 182,615,028 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x11 - Imaginationland Episode II.avi
[2010/04/10 23:17:45 | 008,629,224 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\P4090277.AVI
[2010/04/10 22:44:14 | 183,519,666 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x10 - Imaginationland.avi
[2010/04/10 22:10:03 | 152,217,600 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 10x06 - Manbearpig.avi
[2010/04/10 21:49:17 | 143,280,128 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 09x04 - Best Friends Forever.avi
[2010/04/10 20:19:42 | 147,822,592 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 05x11 - The Entity.avi
[2010/04/10 19:18:38 | 148,760,576 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 08x01 - Good Times With Weapons.avi
[2010/04/10 19:18:28 | 184,264,704 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x17 - Red Sleigh Down.avi
[2010/04/10 19:05:54 | 184,244,224 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x11 - Child Abduction Is Not Funny.avi
[2010/04/10 18:25:53 | 184,264,704 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x14 - The Death Camp Of Tolerance.avi
[2010/04/10 16:24:26 | 367,417,344 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\TopGear10.1.avi
[2010/04/10 16:14:19 | 184,061,952 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x16 - My Future Self N' Me.avi
[2010/04/10 16:13:53 | 367,230,976 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\The Spartans - Part 1.avi
[2010/04/10 16:08:08 | 367,191,708 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\TopGear.10.9.avi
[2010/04/10 10:23:16 | 184,244,224 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x15 - The Biggest Douche In The Universe.avi
[2010/04/10 08:31:29 | 000,002,544 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\L8qmQ8G1Kj
[2010/04/10 08:31:29 | 000,002,544 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\L8qmQ8G1Kj
[2010/04/10 03:21:59 | 183,131,424 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x03 - Lice Capades.avi
[2010/04/10 02:54:55 | 182,249,472 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 07x10 - Grey Dawn.avi
[2010/04/10 02:46:31 | 182,245,376 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 07x09 - Christian Rock Hard.avi
[2010/04/10 02:44:04 | 000,001,736 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\kH832332nVa32
[2010/04/10 02:44:04 | 000,001,736 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\kH832332nVa32
[2010/04/10 02:31:55 | 184,254,464 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x13 - The Return Of The Fellowship Of The Ring To The Two Towers.avi
[2010/04/10 02:30:43 | 184,291,328 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 06x12 - A Ladder To Heaven.avi
[2010/04/09 14:42:52 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/09 14:42:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/09 14:41:50 | 003,910,295 | R--- | C] () -- C:\Documents and Settings\AJM\Desktop\thehammer.exe
[2010/04/09 14:35:24 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/04/09 14:14:07 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/09 14:13:57 | 000,001,684 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/09 12:07:22 | 000,018,272 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4b8ki
[2010/04/09 12:07:22 | 000,018,272 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\4b8ki
[2010/04/08 23:48:43 | 000,004,088 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Ls4taj0t
[2010/04/08 23:48:43 | 000,004,088 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\Ls4taj0t
[2010/04/08 22:54:14 | 183,971,840 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x08 - Le Petit Tourette.avi
[2010/04/08 22:54:03 | 183,804,606 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\south.park.s14e04.hdtv.xvid-fqm.avi
[2010/04/08 22:34:53 | 183,059,582 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\South Park - 11x14 - The List.avi
[2010/04/08 22:20:58 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\tdsskiller.zip
[2010/04/08 22:00:29 | 000,000,118 | ---- | C] () -- C:\tujserrew.bat
[2010/04/08 22:00:13 | 000,071,680 | RHS- | C] () -- C:\WINDOWS\System32\keyboards.dll
[2010/04/08 22:00:04 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\11wK14k5eGu5f
[2010/04/08 22:00:04 | 000,001,538 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\11wK14k5eGu5f
[2010/04/08 21:50:43 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\xp_exe_fix.reg
[2010/04/08 21:50:36 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\xp_exe_fix.zip
[2010/04/08 21:41:07 | 000,001,692 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\RvRjj7MUCPQ0
[2010/04/08 21:41:07 | 000,001,692 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\RvRjj7MUCPQ0
[2010/04/08 14:54:41 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\gmer.zip
[2010/04/08 14:35:23 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/08 14:02:24 | 000,002,798 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\QsAgA3xk6
[2010/04/08 14:02:24 | 000,002,798 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\QsAgA3xk6
[2010/04/08 14:01:44 | 000,002,672 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5PYp7
[2010/04/08 14:01:44 | 000,002,672 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\5PYp7
[2010/04/06 18:17:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ofosasutiyayiyo.dat
[2010/04/06 18:17:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fvafi.bin
[2010/04/06 17:56:26 | 000,000,980 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\7VJ5
[2010/04/06 17:56:26 | 000,000,980 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7VJ5
[2010/04/06 17:09:29 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\housecall.guid.cache
[2010/04/06 00:03:46 | 000,023,162 | ---- | C] () -- C:\WINDOWS\System32\enb
[2010/04/03 10:39:17 | 000,001,838 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\XORQ
[2010/04/03 10:39:17 | 000,001,838 | -HS- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\XORQ
[2010/04/01 21:17:40 | 000,000,397 | ---- | C] () -- C:\WINDOWS\NJCOM.INI
[2010/03/23 22:05:44 | 000,020,385 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\108_Philosophy_of_Logic_and_Language.pdf
[2010/03/21 19:21:17 | 000,212,206 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\lstheoremsmain.pdf
[2010/03/18 18:24:12 | 000,420,437 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\kap.pdf
[2010/03/17 20:52:36 | 000,172,381 | ---- | C] () -- C:\Documents and Settings\AJM\Desktop\ksp.pdf
[2009/10/07 15:21:20 | 000,017,602 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\esaqyl.com
[2009/10/07 15:21:20 | 000,015,306 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\zijydunol.dl
[2009/10/07 15:21:20 | 000,013,455 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nyziwuma.db
[2009/10/07 15:21:20 | 000,012,445 | ---- | C] () -- C:\Program Files\Common Files\kuket.exe
[2009/10/07 15:21:20 | 000,012,182 | ---- | C] () -- C:\Program Files\Common Files\ycatoq.pif
[2009/10/07 15:21:20 | 000,012,137 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\avykija.dll
[2009/10/07 15:21:20 | 000,012,036 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\dycogowafa.scr
[2009/10/07 15:21:20 | 000,011,965 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\asimanaj.bin
[2009/10/07 15:21:20 | 000,011,190 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\ehumo.sys
[2009/10/07 15:13:20 | 000,019,627 | ---- | C] () -- C:\Program Files\Common Files\ugunyq.db
[2009/10/07 15:13:20 | 000,015,397 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\evuromovy.dl
[2009/10/07 15:13:20 | 000,014,489 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\unuj.bin
[2009/10/07 15:13:20 | 000,013,376 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\poxyp.sys
[2009/10/07 15:13:20 | 000,011,844 | ---- | C] () -- C:\WINDOWS\System32\osivuferom.dll
[2009/10/07 15:12:27 | 000,019,248 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\tymyla.dl
[2009/10/07 15:12:27 | 000,017,977 | ---- | C] () -- C:\Program Files\Common Files\uhohoviv._dl
[2009/10/07 15:12:27 | 000,017,886 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\umiro.ban
[2009/10/07 15:12:27 | 000,015,114 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\oneqylyk._dl
[2009/10/07 15:12:27 | 000,013,303 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\lubapybas.ban
[2009/10/07 15:12:27 | 000,010,360 | ---- | C] () -- C:\WINDOWS\xykanup.sys
[2009/09/25 15:26:29 | 000,347,136 | ---- | C] () -- C:\WINDOWS\System32\binkw32.dll
[2009/09/06 23:05:40 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/01/20 15:44:37 | 000,000,378 | ---- | C] () -- C:\WINDOWS\kaillera.ini
[2008/12/04 15:35:13 | 000,000,972 | ---- | C] () -- C:\Documents and Settings\AJM\x.log
[2008/11/11 02:10:09 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\AJM\Emulator.ini
[2008/11/04 21:32:07 | 000,065,552 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Desktop.lnk
[2008/10/16 16:43:57 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/09/19 22:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/19 22:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/19 22:54:18 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/08/29 13:58:26 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/08/29 13:58:16 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/08/05 23:02:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/07/05 23:11:39 | 000,313,344 | ---- | C] () -- C:\Program Files\hjsplit.exe
[2008/06/29 19:30:00 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\AJM\NTUSER.DAT_TU_66590.LOG
[2008/06/14 12:05:54 | 000,000,363 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\AutobahnAcceleratorInstall.txt
[2008/04/06 19:41:25 | 000,001,933 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\autobahn.log
[2008/02/26 22:10:21 | 000,011,270 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/02/11 17:09:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/01/31 22:25:28 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/01/30 15:34:30 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\fusioncache.dat
[2008/01/29 20:39:05 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\AJM\Application Data\PnkBstrK.sys
[2007/12/23 17:28:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\AJM\NTUSER.DAT_TU_59251.LOG
[2007/11/17 15:03:29 | 000,000,841 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/11/17 14:38:00 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\msguppi.dll
[2007/08/29 23:01:42 | 000,000,098 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2007/08/04 00:05:51 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/07/11 14:25:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/07/08 23:58:00 | 000,074,752 | ---- | C] () -- C:\Documents and Settings\AJM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/08 19:03:42 | 000,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2007/07/07 16:10:10 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\AJM\ntuser.ini
[2007/07/07 16:10:09 | 010,747,904 | ---- | C] () -- C:\Documents and Settings\AJM\NTUSER.DAT
[2007/07/07 16:10:09 | 006,553,600 | ---- | C] () -- C:\Documents and Settings\AJM\NTUSER.DAT_BAK_66590
[2007/07/07 16:10:09 | 005,505,024 | -H-- | C] () -- C:\Documents and Settings\AJM\NTUSER.DAT_BAK_59251
[2007/07/07 16:10:09 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\AJM\ntuser.dat.LOG
[2007/07/06 14:10:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\RCCustomSetup.ini
[2006/10/18 21:30:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2006/10/18 20:16:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\svconfig.ini
[2006/10/18 20:02:33 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/18 19:52:23 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2006/10/18 19:52:23 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2005/01/01 01:11:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2005/01/01 00:55:09 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2002/10/15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1996/04/03 20:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >


OTL Extras logfile created on: 12/04/2010 12:36:43 - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\AJM\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 622.00 Mb Available Physical Memory | 61.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 1536 1600 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 36.32 Gb Free Space | 38.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-B5129B968C
Current User Name: AJM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA PureVideo Decoder
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1356AA68-77E3-47C3-8BAA-E5EBE227AB3C}" = Mirar
"{1417F599-1DBD-4499-9375-B2813E9F890C}" = VAIO Camera Utility
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300
"{548EAC70-EE00-11DD-908C-005056806466}" = Google Earth
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{68BD9036-0952-4849-AE7A-963BB53EDB71}" = GGPO
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}" = iTunes
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8DF4C627-4AF3-4245-9F13-3518FC8584DC}" = Protector Suite QL 5.3
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B5F85CA-90D4-4AFC-BB37-32477FD0D2B9}" = SmartWi Connection Utility
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B502B428-3386-40A9-98DB-079AAB72E64F}" = mEoU
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"BitTorrent" = BitTorrent
"BlueSquare Poker" = BlueSquare Poker
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Foxit PDF Editor" = Foxit PDF Editor
"Free Download Manager_is1" = Free Download Manager 2.1
"HijackThis" = HijackThis 2.0.2
"HitmanPro35" = Hitman Pro 3.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"JabRef 2.3.1" = JabRef 2.3.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MiKTeX 2.6" = MiKTeX 2.6
"NJStar Communicator" = NJStar Communicator
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel® PROSet/Wireless Software
"Sony Ericsson Wireless Modem" = Sony Ericsson Wireless Modem
"SystemRequirementsLab" = System Requirements Lab
"TeXnicCenter_is1" = TeXnicCenter Version 1 Beta 7.01 (Greengrass)
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-839522115-1123561945-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"JabRef" = JabRef

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/03/2010 19:49:51 | Computer Name = USER-B5129B968C | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 09/03/2010 19:49:51 | Computer Name = USER-B5129B968C | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 20/03/2010 16:25:36 | Computer Name = USER-B5129B968C | Source = MsiInstaller | ID = 1013
Description = Product: The Official DSA Theory Test for Car Drivers -- 1: This installation
cannot be run by directly launching the MSI package. You must run setup.exe.

Error - 26/03/2010 18:03:48 | Computer Name = USER-B5129B968C | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 06/04/2010 13:14:51 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x76f2345a.

Error - 06/04/2010 14:57:33 | Computer Name = USER-B5129B968C | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 06/04/2010 15:58:12 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 06/04/2010 18:55:06 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application pprekop.exe, version 4.2.0.172, faulting module
ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.

Error - 08/04/2010 16:59:39 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application nwoecmrsax.tmp, version 0.0.0.0, faulting module
nwoecmrsax.tmp, version 0.0.0.0, fault address 0x00017d69.

Error - 08/04/2010 17:00:22 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application ecasmwrxno.tmp, version 0.0.0.0, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x000370dc.

[ System Events ]
Error - 06/04/2010 13:02:48 | Computer Name = USER-B5129B968C | Source = SAM | ID = 12291
Description = SAM failed to start the TCP/IP or SPX/IPX listening thread

Error - 06/04/2010 13:02:59 | Computer Name = USER-B5129B968C | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 08/04/2010 08:52:13 | Computer Name = USER-B5129B968C | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 10.0.202.74 on
the Network Card with network address 001302A22F5B.

Error - 08/04/2010 09:29:04 | Computer Name = USER-B5129B968C | Source = SAM | ID = 12291
Description = SAM failed to start the TCP/IP or SPX/IPX listening thread

Error - 08/04/2010 15:52:49 | Computer Name = USER-B5129B968C | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 10.0.202.74 on
the Network Card with network address 001302A22F5B.

Error - 09/04/2010 11:06:25 | Computer Name = USER-B5129B968C | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_CATCHME\0000 disappeared from the system without
first being prepared for removal.


< End of report >



This is the most I can get out of GMER; it crashes my computer every time (even in safe mode etc.).



---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 86F87AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





Also, DDS logs are attached to my original post. Thanks again.
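Two things in the DDS report above deserve more than a glance: the Application Error 1000 entries for nwoecmrsax.tmp and ecasmwrxno.tmp (unversioned images with a .tmp extension crashing as processes, which is what a freshly dropped payload looks like) and the StandardProfile block with EnableFirewall = 0 and DisableNotifications = 1. The following Python script is an added example, not part of jma12's post and not DDS code: it parses a DDS-style report and flags exactly those two indicator classes. The sample text is constructed from lines in the shape of the report above, and the rules (which extensions count as normal for a crashing process, which firewall values to flag) are assumptions made for this example.

```python
"""Triage helper for a DDS-style report: flags application crashes of
unversioned images with a non-executable extension (.tmp droppers) and a
disabled or silenced Windows Firewall profile. Added example; not part of the
original post and not DDS code."""
import re

EVENT_RE = re.compile(r"^Error - (?P<date>\S+ \S+) \| Computer Name = (?P<host>\S+) \| "
                      r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
FAULT_RE = re.compile(r"Faulting application (?P<app>[^,]+), version (?P<appver>[\d.]+), "
                      r"faulting module (?P<mod>[^,]+), version (?P<modver>[\d.]+), "
                      r"fault address (?P<addr>0x[0-9a-fA-F]+)")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
# Assumption for this example: these are the only extensions a crashing process should have.
EXECUTABLE_EXTS = {"exe", "scr", "com"}

# Constructed sample, shaped after the report above (registry dump + event log).
DDS_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015

Error - 06/04/2010 13:14:51 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x76f2345a.

Error - 08/04/2010 16:59:39 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application nwoecmrsax.tmp, version 0.0.0.0, faulting module
nwoecmrsax.tmp, version 0.0.0.0, fault address 0x00017d69.

Error - 08/04/2010 17:00:22 | Computer Name = USER-B5129B968C | Source = Application Error | ID = 1000
Description = Faulting application ecasmwrxno.tmp, version 0.0.0.0, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x000370dc.
"""

def parse_events(report):
    """Return one dict per 'Error - ...' entry; the Description wraps over several lines."""
    events, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            current = dict(m.groupdict(), description="")
            events.append(current)
        elif current is not None and line.startswith("Description ="):
            current["description"] = line[len("Description ="):].strip()
        elif current is not None and line and not line.startswith("["):
            current["description"] += " " + line  # continuation of the description
        else:
            current = None  # blank line or registry key ends the entry
    return events

def suspicious_crash(ev):
    """Return the faulting image name when an unversioned, non-executable-extension
    image (e.g. a random .tmp) crashed, else None."""
    if ev["source"] != "Application Error" or ev["id"] != "1000":
        return None
    m = FAULT_RE.search(ev["description"])
    if not m:
        return None
    app = m.group("app").strip()
    ext = app.rsplit(".", 1)[-1].lower() if "." in app else ""
    if ext not in EXECUTABLE_EXTS and m.group("appver") == "0.0.0.0":
        return app
    return None

def firewall_profiles(report):
    """Map FirewallPolicy profile name -> {value name: int} from the registry dump."""
    profiles, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            m = re.search(r"FirewallPolicy\\(\w+Profile)$", k.group("key"))
            current = profiles.setdefault(m.group(1), {}) if m else None
            continue
        v = VALUE_RE.match(line)
        if v and current is not None and v.group("val").strip().isdigit():
            current[v.group("name")] = int(v.group("val"))
    return profiles

def triage(report):
    """Collect human-readable findings from both parts of the report."""
    findings = []
    for ev in parse_events(report):
        app = suspicious_crash(ev)
        if app:
            findings.append(f"crash of unversioned non-executable image {app} at {ev['date']}")
    for name, vals in firewall_profiles(report).items():
        if vals.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall disabled for {name}")
        if vals.get("DisableNotifications") == 1:
            findings.append(f"firewall notifications suppressed for {name}")
    return findings

if __name__ == "__main__":
    for finding in triage(DDS_SAMPLE):
        print(finding)
```

Run against the sample it reports the two .tmp crashes and the disabled, silenced StandardProfile, and stays quiet about the iexplore.exe crash, which has a real version resource and a normal extension. The crypt32 "data is invalid" errors and the LEGACY_CATCHME device notice are left alone on purpose: the first is a failed root-certificate list update that can have benign causes, and catchme is the GMER driver that the scan itself loaded.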

#4 Elise (Malware Study Hall Admin, Romania)

Posted 12 April 2010 - 06:54 AM

Hello jma12,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 jma12 (Topic Starter)

Posted 12 April 2010 - 07:39 AM

Here's the ComboFix log:


ComboFix 10-04-11.06 - AJM 12/04/2010 13:06:05.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.748 [GMT 1:00]
Running from: c:\documents and settings\AJM\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tsk2D.tmp . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-09 13:17 . 2010-04-09 13:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 13:14 . 2010-04-10 13:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 13:13 . 2010-04-09 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-09 13:13 . 2010-04-09 13:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 13:02 . 2010-04-09 13:05 -------- d-----w- c:\windows\ie8updates
2010-04-08 21:00 . 2010-04-08 21:00 118 ----a-w- C:\tujserrew.bat
2010-04-08 21:00 . 2010-04-08 21:00 71680 --sha-r- c:\windows\system32\keyboards.dll
2010-04-07 11:07 . 2010-04-07 11:07 388096 ----a-r- c:\documents and settings\AJM\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-07 11:07 . 2010-04-07 11:07 -------- d-----w- c:\program files\TrendMicro
2010-04-06 23:12 . 2010-04-06 23:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-06 23:09 . 2010-04-06 23:09 -------- d-----w- c:\documents and settings\AJM\Application Data\Trusteer
2010-04-06 22:54 . 2010-04-07 19:42 -------- d-----w- c:\program files\PartyGaming
2010-04-06 22:06 . 2010-04-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-06 21:57 . 2010-04-06 22:23 -------- d-----w- c:\documents and settings\AJM\Application Data\UB
2010-04-06 20:03 . 2010-04-06 20:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-06 18:58 . 2010-04-06 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-06 18:54 . 2010-04-07 19:43 -------- d-----w- c:\program files\Lavasoft
2010-04-06 17:17 . 2010-04-06 17:17 120 ----a-w- c:\windows\Ofosasutiyayiyo.dat
2010-04-06 17:17 . 2010-04-06 17:17 0 ----a-w- c:\windows\Fvafi.bin
2010-04-06 17:17 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-06 17:17 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-06 17:17 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-06 17:17 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-06 17:15 . 2010-04-06 17:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 16:56 . 2010-04-06 16:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-03 10:16 . 2010-04-03 10:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-03 10:03 . 2010-04-03 10:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-01 20:20 . 2010-04-01 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\documents and settings\AJM\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\program files\NJStar Communicator
2010-03-23 17:38 . 2010-03-24 12:46 -------- d-----w- c:\documents and settings\AJM\Application Data\BitTorrent
2010-03-23 17:38 . 2010-03-23 17:38 -------- d-----w- c:\program files\BitTorrent
2010-03-20 20:34 . 2010-03-20 20:34 -------- d-----w- c:\documents and settings\fei\Application Data\TSO
2010-03-20 16:58 . 2010-03-20 16:59 -------- d-----w- c:\documents and settings\AJM\Application Data\JustVoip
2010-03-20 13:03 . 2010-03-20 13:42 -------- d-----w- c:\documents and settings\fei\Application Data\JustVoip
2010-03-20 12:29 . 2010-03-20 12:29 -------- d-----w- c:\documents and settings\fei\Application Data\skypePM
2010-03-20 12:28 . 2010-03-20 13:58 -------- d-----w- c:\documents and settings\fei\Application Data\Skype
2010-03-20 11:46 . 2010-03-20 11:46 -------- d-----w- c:\documents and settings\fei\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 12:02 . 2010-04-09 14:13 96512 ----a-w- c:\windows\system32\drivers\tsk9.tmp
2010-04-12 12:00 . 2010-04-12 12:00 96512 ----a-w- c:\windows\system32\drivers\tsk2D.tmp
2010-04-12 11:57 . 2007-07-22 00:04 -------- d-----w- c:\documents and settings\AJM\Application Data\Free Download Manager
2010-04-11 22:09 . 2009-08-31 23:11 -------- d-----w- c:\documents and settings\AJM\Application Data\Skype
2010-04-11 19:10 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-10 21:35 . 2009-08-31 23:12 -------- d-----w- c:\documents and settings\AJM\Application Data\skypePM
2010-04-09 15:10 . 2006-10-18 20:32 67672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 13:45 . 2010-04-09 13:45 96512 ----a-w- c:\windows\system32\drivers\tsk6.tmp
2010-04-07 19:43 . 2008-07-23 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-06 22:18 . 2009-08-24 23:09 -------- d-----w- c:\program files\UltimateBet
2010-04-06 21:57 . 2009-08-23 00:42 -------- d-----w- c:\program files\_uninstallation_info
2010-04-06 19:58 . 2008-10-25 18:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-03 11:36 . 2009-12-04 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 11:34 . 2010-01-19 16:52 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 17:45 . 2006-10-18 18:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 23:46 . 2009-12-05 12:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2009-12-05 12:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Intel
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Malwarebytes
2010-02-26 18:24 . 2007-10-03 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2004-08-03 22:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-23 13:50 . 2008-06-13 20:01 -------- d-----w- c:\program files\MSECache
2010-02-15 16:16 . 2009-09-18 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-15 16:16 . 2010-03-20 11:39 38784 ----a-w- c:\documents and settings\fei\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\AJM\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-07 14:21 . 2009-10-07 14:21 12445 ----a-w- c:\program files\Common Files\kuket.exe
2009-10-07 14:21 . 2009-10-07 14:21 12182 ----a-w- c:\program files\Common Files\ycatoq.pif
2009-10-07 14:13 . 2009-10-07 14:13 19627 ----a-w- c:\program files\Common Files\ugunyq.db
2009-10-07 14:12 . 2009-10-07 14:12 17977 ----a-w- c:\program files\Common Files\uhohoviv._dl
2007-02-01 17:02 . 2008-07-05 22:11 313344 ----a-w- c:\program files\hjsplit.exe
2008-04-12 15:31 . 2008-02-26 21:10 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 00:11 625664 ----a-w- c:\windows\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmd32.sys]
@="cmd32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-28 08:14 270648 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-07 20:26 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"wuauserv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe"
"ISBMgr.exe"=c:\program files\Sony\ISB Utility\ISBMgr.exe
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe"
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/03/2002 07:55 9216]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [29/01/2008 20:21 8576]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [22/02/2006 18:13 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [22/02/2006 18:13 33024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [18/10/2006 20:21 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [16/10/2006 19:07 37040]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [18/10/2006 19:56 226304]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/10/2007 18:49 717296]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F99AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7628f28
\Driver\ACPI -> ACPI.sys @ 0xf749bcb8
\Driver\atapi -> tsk2D.tmp @ 0xf731d852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7216bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7205a0d
SendHandler -> NDIS.sys @ 0xf7219b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk2D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1123561945-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:80,61,a9,58,e5,c6,93,cf,83,49,62,9a,4c,ea,1a,8a,8b,04,cf,ca,7a,
16,b8,7a,10,c2,f7,60,2c,40,dc,9a,63,50,3e,12,6c,0a,48,46,34,04,85,b3,e1,00,\
"rkeysecu"=hex:f8,28,c1,24,62,a6,57,7c,53,2a,00,1e,d5,ab,ad,c8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1516)
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-04-12 13:37:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 12:37

Pre-Run: 39,415,447,552 bytes free
Post-Run: 39,575,498,752 bytes free

Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 0488482AD14222E1419512C518C0ECAE
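The diagnosis in the ComboFix log above rests on a handful of lines: the atapi service's ImagePath points at system32\drivers\tsk2D.tmp instead of atapi.sys, the MBR rootkit detector shows \Driver\atapi dispatching into tsk2D.tmp while \Driver\Disk and \Driver\ACPI dispatch into their normal modules, a system-start service cmd32.sys references a binary ComboFix printed no date or size for, and Security Center has AntiVirusOverride and FirewallOverride set. The following Python script is an added example, not ComboFix's code and not part of jma12's post: it pulls those four indicator classes out of a ComboFix-style log. The baseline tables (which module may legitimately own each driver object's dispatch routines, and the expected atapi ImagePath) are assumptions for Windows XP SP3 made for this example; the sample text is constructed from lines in the shape of the log above.

```python
"""Extract the rootkit indicators from a ComboFix-style log: a driver service
whose ImagePath is redirected, IRP dispatch handlers owned by an unexpected
module, boot/system-start services whose binary was not found, and Security
Center overrides. Added example; not ComboFix's own code."""
import re

# Assumed Windows XP SP3 baseline (not taken from the log): which module may
# own each driver object's dispatch routines, and where atapi should live.
# CLASSPNP.SYS legitimately services disk.sys requests, so it is allowed there.
EXPECTED_OWNER = {"disk": {"disk.sys", "classpnp.sys"},
                  "acpi": {"acpi.sys"},
                  "atapi": {"atapi.sys"}}
EXPECTED_IMAGE = {"atapi": r"system32\drivers\atapi.sys"}

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<svc>[^\\\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$', re.I)
HOOK_RE = re.compile(r"^\\Driver\\(?P<drv>\S+) -> (?P<mod>\S+) @ 0x[0-9a-f]+$", re.I)
# Service line "<R|S><type> name;display;binary --> path [?]": the trailing [?]
# stands where ComboFix normally prints "[date size]" for a file it could read.
SERVICE_LINE_RE = re.compile(
    r"^(?P<start>[RS])(?P<type>\d) (?P<name>[^;]+);[^;]*;.*--> (?P<path>.+?) \[\?\]$")
OVERRIDE_RE = re.compile(r'^"(?P<name>\w+Override)"=dword:(?P<val>[0-9a-f]{8})$', re.I)

# Constructed sample made of lines in the shape of the log above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/03/2002 07:55 9216]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7628f28
\Driver\ACPI -> ACPI.sys @ 0xf749bcb8
\Driver\atapi -> tsk2D.tmp @ 0xf731d852
user & kernel MBR OK

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk2D.tmp"
"""

def image_path_findings(lines):
    """Flag a known driver service whose ImagePath is not the baseline binary."""
    out, svc = [], None
    for line in lines:
        k = SERVICE_KEY_RE.match(line)
        if k:
            svc = k.group("svc").lower()
            continue
        if line.startswith("["):
            svc = None  # some other key; stop attributing values to the service
            continue
        m = IMAGEPATH_RE.match(line)
        if m and svc in EXPECTED_IMAGE:
            if m.group("path").lower() != EXPECTED_IMAGE[svc].lower():
                out.append(f"service {svc}: ImagePath redirected to {m.group('path')}")
            svc = None
    return out

def hook_findings(lines):
    """Flag dispatch handlers that live outside the module expected for the driver."""
    out = []
    for line in lines:
        m = HOOK_RE.match(line)
        if not m:
            continue
        drv, mod = m.group("drv").lower(), m.group("mod").lower()
        allowed = EXPECTED_OWNER.get(drv)
        if allowed is None:
            out.append(f"\\Driver\\{drv}: no baseline, handler in {mod}")
        elif mod not in allowed:
            out.append(f"\\Driver\\{drv}: dispatch handler in {mod}, expected one of {sorted(allowed)}")
    return out

def missing_binary_findings(lines):
    """Flag boot (0) or system (1) start services whose binary ComboFix could not read.
    Later start types are skipped: quoted paths with arguments (Google Update) also
    end in [?] and would only add noise."""
    out = []
    for line in lines:
        m = SERVICE_LINE_RE.match(line)
        if m and m.group("type") in ("0", "1"):
            out.append(f"{m.group('start')}{m.group('type')} service {m.group('name')}: "
                       f"binary {m.group('path')} not found")
    return out

def override_findings(lines):
    """Flag Security Center overrides that hide a missing AV or firewall."""
    return [f"Security Center {m.group('name')} set to 1"
            for m in map(OVERRIDE_RE.match, lines) if m and int(m.group("val"), 16) == 1]

def triage(log):
    """Run all four checks over a whole log and return the findings in order."""
    lines = [l.strip() for l in log.splitlines()]
    return (override_findings(lines) + missing_binary_findings(lines)
            + hook_findings(lines) + image_path_findings(lines))

if __name__ == "__main__":
    for finding in triage(COMBOFIX_SAMPLE):
        print(finding)
```

The point of the owner table is that a hook report is only meaningful against a baseline: \Driver\Disk resolving to CLASSPNP.SYS is normal on XP, while \Driver\atapi resolving to a .tmp file under system32\drivers is not, and the redirected ImagePath explains how that file got loaded in atapi's place at boot. Only boot/system start types are flagged for a missing binary; the same [?] suffix appears on the Google Update line simply because its path is quoted and followed by /svc.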


#6 Elise (Malware Study Hall Admin, Romania)

Posted 12 April 2010 - 08:23 AM

Hello again,
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it finished press any key to continue.
  • If needed reboot the computer.
A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

regards, Elise




#7 jma12 (Topic Starter)

Posted 12 April 2010 - 08:29 AM

Hi, thanks for the quick replies. I'm still getting the redirects. Here's the TDSSKiller report:

14:25:37:375 3248 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:25:37:375 3248 ================================================================================
14:25:37:375 3248 SystemInfo:

14:25:37:375 3248 OS Version: 5.1.2600 ServicePack: 3.0
14:25:37:375 3248 Product type: Workstation
14:25:37:375 3248 ComputerName: USER-B5129B968C
14:25:37:375 3248 UserName: AJM
14:25:37:375 3248 Windows directory: C:\WINDOWS
14:25:37:375 3248 Processor architecture: Intel x86
14:25:37:375 3248 Number of processors: 2
14:25:37:375 3248 Page size: 0x1000
14:25:37:375 3248 Boot type: Normal boot
14:25:37:375 3248 ================================================================================
14:25:37:437 3248 UnloadDriverW: NtUnloadDriver error 2
14:25:37:437 3248 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:25:37:625 3248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:25:37:625 3248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:25:37:625 3248 wfopen_ex: Trying to KLMD file open
14:25:37:625 3248 wfopen_ex: File opened ok (Flags 2)
14:25:37:625 3248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:25:37:625 3248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:25:37:625 3248 wfopen_ex: Trying to KLMD file open
14:25:37:625 3248 wfopen_ex: File opened ok (Flags 2)
14:25:37:625 3248 Initialize success
14:25:37:625 3248
14:25:37:625 3248 Scanning Services ...
14:25:38:125 3248 Raw services enum returned 351 services
14:25:38:140 3248
14:25:38:140 3248 Scanning Kernel memory ...
14:25:38:140 3248 Devices to scan: 6
14:25:38:140 3248
14:25:38:140 3248 Driver Name: Disk
14:25:38:140 3248 IRP_MJ_CREATE : F762ABB0
14:25:38:140 3248 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:25:38:140 3248 IRP_MJ_CLOSE : F762ABB0
14:25:38:140 3248 IRP_MJ_READ : F7624D1F
14:25:38:140 3248 IRP_MJ_WRITE : F7624D1F
14:25:38:140 3248 IRP_MJ_QUERY_INFORMATION : 804F4562
14:25:38:140 3248 IRP_MJ_SET_INFORMATION : 804F4562
14:25:38:140 3248 IRP_MJ_QUERY_EA : 804F4562
14:25:38:140 3248 IRP_MJ_SET_EA : 804F4562
14:25:38:140 3248 IRP_MJ_FLUSH_BUFFERS : F76252E2
14:25:38:140 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:25:38:140 3248 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:25:38:140 3248 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:25:38:140 3248 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:25:38:140 3248 IRP_MJ_DEVICE_CONTROL : F76253BB
14:25:38:140 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7628F28
14:25:38:140 3248 IRP_MJ_SHUTDOWN : F76252E2
14:25:38:140 3248 IRP_MJ_LOCK_CONTROL : 804F4562
14:25:38:140 3248 IRP_MJ_CLEANUP : 804F4562
14:25:38:140 3248 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:25:38:140 3248 IRP_MJ_QUERY_SECURITY : 804F4562
14:25:38:140 3248 IRP_MJ_SET_SECURITY : 804F4562
14:25:38:140 3248 IRP_MJ_POWER : F7626C82
14:25:38:140 3248 IRP_MJ_SYSTEM_CONTROL : F762B99E
14:25:38:140 3248 IRP_MJ_DEVICE_CHANGE : 804F4562
14:25:38:140 3248 IRP_MJ_QUERY_QUOTA : 804F4562
14:25:38:140 3248 IRP_MJ_SET_QUOTA : 804F4562
14:25:38:171 3248 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:25:38:171 3248
14:25:38:171 3248 Driver Name: Disk
14:25:38:171 3248 IRP_MJ_CREATE : F762ABB0
14:25:38:171 3248 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:25:38:171 3248 IRP_MJ_CLOSE : F762ABB0
14:25:38:171 3248 IRP_MJ_READ : F7624D1F
14:25:38:171 3248 IRP_MJ_WRITE : F7624D1F
14:25:38:171 3248 IRP_MJ_QUERY_INFORMATION : 804F4562
14:25:38:171 3248 IRP_MJ_SET_INFORMATION : 804F4562
14:25:38:171 3248 IRP_MJ_QUERY_EA : 804F4562
14:25:38:171 3248 IRP_MJ_SET_EA : 804F4562
14:25:38:171 3248 IRP_MJ_FLUSH_BUFFERS : F76252E2
14:25:38:171 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:25:38:171 3248 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:25:38:171 3248 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:25:38:171 3248 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:25:38:171 3248 IRP_MJ_DEVICE_CONTROL : F76253BB
14:25:38:171 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7628F28
14:25:38:171 3248 IRP_MJ_SHUTDOWN : F76252E2
14:25:38:171 3248 IRP_MJ_LOCK_CONTROL : 804F4562
14:25:38:171 3248 IRP_MJ_CLEANUP : 804F4562
14:25:38:171 3248 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:25:38:171 3248 IRP_MJ_QUERY_SECURITY : 804F4562
14:25:38:171 3248 IRP_MJ_SET_SECURITY : 804F4562
14:25:38:171 3248 IRP_MJ_POWER : F7626C82
14:25:38:171 3248 IRP_MJ_SYSTEM_CONTROL : F762B99E
14:25:38:171 3248 IRP_MJ_DEVICE_CHANGE : 804F4562
14:25:38:171 3248 IRP_MJ_QUERY_QUOTA : 804F4562
14:25:38:171 3248 IRP_MJ_SET_QUOTA : 804F4562
14:25:38:187 3248 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:25:38:187 3248
14:25:38:187 3248 Driver Name: ti21sony
14:25:38:187 3248 IRP_MJ_CREATE : F64DF196
14:25:38:187 3248 IRP_MJ_CREATE_NAMED_PIPE : F64AE6B2
14:25:38:187 3248 IRP_MJ_CLOSE : F64DF204
14:25:38:187 3248 IRP_MJ_READ : F64DF40C
14:25:38:187 3248 IRP_MJ_WRITE : F64DF65E
14:25:38:187 3248 IRP_MJ_QUERY_INFORMATION : F64AE6B2
14:25:38:187 3248 IRP_MJ_SET_INFORMATION : F64AE6B2
14:25:38:187 3248 IRP_MJ_QUERY_EA : F64AE6B2
14:25:38:187 3248 IRP_MJ_SET_EA : F64AE6B2
14:25:38:187 3248 IRP_MJ_FLUSH_BUFFERS : F64DF2FE
14:25:38:187 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : F64AE6B2
14:25:38:187 3248 IRP_MJ_SET_VOLUME_INFORMATION : F64AE6B2
14:25:38:187 3248 IRP_MJ_DIRECTORY_CONTROL : F64AE6B2
14:25:38:187 3248 IRP_MJ_FILE_SYSTEM_CONTROL : F64AE6B2
14:25:38:187 3248 IRP_MJ_DEVICE_CONTROL : F64DF248
14:25:38:187 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F64DF272
14:25:38:187 3248 IRP_MJ_SHUTDOWN : F64DF4D2
14:25:38:187 3248 IRP_MJ_LOCK_CONTROL : F64AE6B2
14:25:38:187 3248 IRP_MJ_CLEANUP : F64DF0FC
14:25:38:187 3248 IRP_MJ_CREATE_MAILSLOT : F64AE6B2
14:25:38:187 3248 IRP_MJ_QUERY_SECURITY : F64AE6B2
14:25:38:187 3248 IRP_MJ_SET_SECURITY : F64AE6B2
14:25:38:187 3248 IRP_MJ_POWER : F64DF364
14:25:38:187 3248 IRP_MJ_SYSTEM_CONTROL : F64DF596
14:25:38:187 3248 IRP_MJ_DEVICE_CHANGE : F64AE6B2
14:25:38:187 3248 IRP_MJ_QUERY_QUOTA : F64AE6B2
14:25:38:187 3248 IRP_MJ_SET_QUOTA : F64AE6B2
14:25:38:218 3248 C:\WINDOWS\system32\drivers\ti21sony.sys - Verdict: 1
14:25:38:218 3248
14:25:38:218 3248 Driver Name: ti21sony
14:25:38:218 3248 IRP_MJ_CREATE : F64DF196
14:25:38:218 3248 IRP_MJ_CREATE_NAMED_PIPE : F64AE6B2
14:25:38:218 3248 IRP_MJ_CLOSE : F64DF204
14:25:38:218 3248 IRP_MJ_READ : F64DF40C
14:25:38:218 3248 IRP_MJ_WRITE : F64DF65E
14:25:38:218 3248 IRP_MJ_QUERY_INFORMATION : F64AE6B2
14:25:38:218 3248 IRP_MJ_SET_INFORMATION : F64AE6B2
14:25:38:218 3248 IRP_MJ_QUERY_EA : F64AE6B2
14:25:38:218 3248 IRP_MJ_SET_EA : F64AE6B2
14:25:38:218 3248 IRP_MJ_FLUSH_BUFFERS : F64DF2FE
14:25:38:218 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : F64AE6B2
14:25:38:218 3248 IRP_MJ_SET_VOLUME_INFORMATION : F64AE6B2
14:25:38:218 3248 IRP_MJ_DIRECTORY_CONTROL : F64AE6B2
14:25:38:218 3248 IRP_MJ_FILE_SYSTEM_CONTROL : F64AE6B2
14:25:38:218 3248 IRP_MJ_DEVICE_CONTROL : F64DF248
14:25:38:218 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F64DF272
14:25:38:218 3248 IRP_MJ_SHUTDOWN : F64DF4D2
14:25:38:218 3248 IRP_MJ_LOCK_CONTROL : F64AE6B2
14:25:38:218 3248 IRP_MJ_CLEANUP : F64DF0FC
14:25:38:218 3248 IRP_MJ_CREATE_MAILSLOT : F64AE6B2
14:25:38:218 3248 IRP_MJ_QUERY_SECURITY : F64AE6B2
14:25:38:218 3248 IRP_MJ_SET_SECURITY : F64AE6B2
14:25:38:218 3248 IRP_MJ_POWER : F64DF364
14:25:38:218 3248 IRP_MJ_SYSTEM_CONTROL : F64DF596
14:25:38:218 3248 IRP_MJ_DEVICE_CHANGE : F64AE6B2
14:25:38:218 3248 IRP_MJ_QUERY_QUOTA : F64AE6B2
14:25:38:218 3248 IRP_MJ_SET_QUOTA : F64AE6B2
14:25:38:234 3248 C:\WINDOWS\system32\drivers\ti21sony.sys - Verdict: 1
14:25:38:234 3248
14:25:38:234 3248 Driver Name: Disk
14:25:38:234 3248 IRP_MJ_CREATE : F762ABB0
14:25:38:234 3248 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:25:38:234 3248 IRP_MJ_CLOSE : F762ABB0
14:25:38:234 3248 IRP_MJ_READ : F7624D1F
14:25:38:234 3248 IRP_MJ_WRITE : F7624D1F
14:25:38:234 3248 IRP_MJ_QUERY_INFORMATION : 804F4562
14:25:38:234 3248 IRP_MJ_SET_INFORMATION : 804F4562
14:25:38:234 3248 IRP_MJ_QUERY_EA : 804F4562
14:25:38:234 3248 IRP_MJ_SET_EA : 804F4562
14:25:38:234 3248 IRP_MJ_FLUSH_BUFFERS : F76252E2
14:25:38:234 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:25:38:234 3248 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:25:38:234 3248 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:25:38:234 3248 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:25:38:234 3248 IRP_MJ_DEVICE_CONTROL : F76253BB
14:25:38:234 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7628F28
14:25:38:234 3248 IRP_MJ_SHUTDOWN : F76252E2
14:25:38:234 3248 IRP_MJ_LOCK_CONTROL : 804F4562
14:25:38:234 3248 IRP_MJ_CLEANUP : 804F4562
14:25:38:234 3248 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:25:38:234 3248 IRP_MJ_QUERY_SECURITY : 804F4562
14:25:38:234 3248 IRP_MJ_SET_SECURITY : 804F4562
14:25:38:234 3248 IRP_MJ_POWER : F7626C82
14:25:38:234 3248 IRP_MJ_SYSTEM_CONTROL : F762B99E
14:25:38:234 3248 IRP_MJ_DEVICE_CHANGE : 804F4562
14:25:38:234 3248 IRP_MJ_QUERY_QUOTA : 804F4562
14:25:38:234 3248 IRP_MJ_SET_QUOTA : 804F4562
14:25:38:234 3248 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:25:38:234 3248
14:25:38:234 3248 Driver Name: atapi
14:25:38:234 3248 IRP_MJ_CREATE : 86F99AC8
14:25:38:234 3248 IRP_MJ_CREATE_NAMED_PIPE : 86F99AC8
14:25:38:234 3248 IRP_MJ_CLOSE : 86F99AC8
14:25:38:234 3248 IRP_MJ_READ : 86F99AC8
14:25:38:234 3248 IRP_MJ_WRITE : 86F99AC8
14:25:38:234 3248 IRP_MJ_QUERY_INFORMATION : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_INFORMATION : 86F99AC8
14:25:38:234 3248 IRP_MJ_QUERY_EA : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_EA : 86F99AC8
14:25:38:234 3248 IRP_MJ_FLUSH_BUFFERS : 86F99AC8
14:25:38:234 3248 IRP_MJ_QUERY_VOLUME_INFORMATION : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_VOLUME_INFORMATION : 86F99AC8
14:25:38:234 3248 IRP_MJ_DIRECTORY_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_FILE_SYSTEM_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_DEVICE_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_SHUTDOWN : 86F99AC8
14:25:38:234 3248 IRP_MJ_LOCK_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_CLEANUP : 86F99AC8
14:25:38:234 3248 IRP_MJ_CREATE_MAILSLOT : 86F99AC8
14:25:38:234 3248 IRP_MJ_QUERY_SECURITY : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_SECURITY : 86F99AC8
14:25:38:234 3248 IRP_MJ_POWER : 86F99AC8
14:25:38:234 3248 IRP_MJ_SYSTEM_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_DEVICE_CHANGE : 86F99AC8
14:25:38:234 3248 IRP_MJ_QUERY_QUOTA : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_QUOTA : 86F99AC8
14:25:38:234 3248 Driver "atapi" infected by TDSS rootkit!
14:25:38:281 3248 C:\WINDOWS\system32\drivers\tsk2D.tmp - Verdict: 1
14:25:38:281 3248 File "C:\WINDOWS\system32\drivers\tsk2D.tmp" infected by TDSS rootkit ... 14:25:38:281 3248 Processing driver file: C:\WINDOWS\system32\drivers\tsk2D.tmp
14:25:38:281 3248 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
14:25:38:484 3248 vfvi6
14:25:38:703 3248 !dsvbh1
14:25:39:890 3248 dsvbh2
14:25:39:890 3248 fdfb2
14:25:39:890 3248 Backup copy found, using it..
14:25:39:937 3248 will be cured on next reboot
14:25:39:937 3248 Reboot required for cure complete..
14:25:40:000 3248 Cure on reboot scheduled successfully
14:25:40:000 3248
14:25:40:000 3248 Completed
14:25:40:000 3248
14:25:40:000 3248 Results:
14:25:40:000 3248 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:25:40:000 3248 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:25:40:000 3248 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:25:40:000 3248
14:25:40:000 3248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:25:40:000 3248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:25:40:000 3248 UnloadDriverW: NtUnloadDriver error 1
14:25:40:015 3248 KLMD(ARK) unloaded successfully
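
The dispatch-table dumps in the TDSSKiller log above can be checked mechanically. The following is an added example, not code from this thread and not TDSSKiller's own logic: it parses the "Driver Name:" blocks in the format printed above (timestamp, thread id, message) and flags any driver whose every IRP_MJ_* entry resolves to one identical address, which is what the atapi block shows (all entries 86F99AC8) and the Disk and ti21sony blocks do not. The sample input is a constructed excerpt trimmed from the Disk and atapi blocks above; the "all entries identical" rule is this example's own heuristic and is an assumption, since TDSSKiller's verdict logic is not public.

```python
"""Flag drivers whose whole IRP dispatch table points at one address.

Added example for this thread (not TDSSKiller code, not the poster's):
parses the "Driver Name:" blocks TDSSKiller prints and reports a driver
when every IRP_MJ_* entry resolves to the same address, the pattern seen
in the atapi block of the log above.  TDSSKiller's real verdict logic is
not public; the single-address rule here is an assumption of this example.
"""
import re

# "HH:MM:SS:mmm <thread id> <message>", the line shape used in the log above
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
# "IRP_MJ_READ : F7624D1F" (8 hex digits on 32-bit XP)
ENTRY_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")

# Constructed excerpt, trimmed from the TDSSKiller output above: six of the
# 28 majors per driver are enough to show the shape of each table.
SAMPLE_LOG = """\
14:25:38:140 3248 Driver Name: Disk
14:25:38:140 3248 IRP_MJ_CREATE : F762ABB0
14:25:38:140 3248 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:25:38:140 3248 IRP_MJ_READ : F7624D1F
14:25:38:140 3248 IRP_MJ_WRITE : F7624D1F
14:25:38:140 3248 IRP_MJ_DEVICE_CONTROL : F76253BB
14:25:38:140 3248 IRP_MJ_SET_QUOTA : 804F4562
14:25:38:171 3248 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
14:25:38:171 3248
14:25:38:234 3248 Driver Name: atapi
14:25:38:234 3248 IRP_MJ_CREATE : 86F99AC8
14:25:38:234 3248 IRP_MJ_CREATE_NAMED_PIPE : 86F99AC8
14:25:38:234 3248 IRP_MJ_READ : 86F99AC8
14:25:38:234 3248 IRP_MJ_WRITE : 86F99AC8
14:25:38:234 3248 IRP_MJ_DEVICE_CONTROL : 86F99AC8
14:25:38:234 3248 IRP_MJ_SET_QUOTA : 86F99AC8
14:25:38:234 3248 Driver "atapi" infected by TDSS rootkit!
"""


def parse_dispatch_tables(log_text):
    """Return [(driver_name, {IRP_MJ_x: address_int}), ...] in log order.

    A driver dumped twice (Disk appears twice in the full log above) yields
    two separate entries, so nothing is silently merged.  Lines that are not
    a "Driver Name:" header or an IRP_MJ entry (verdicts, warnings, blanks)
    are ignored.
    """
    tables = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("Driver Name:"):
            current = {}
            tables.append((body.split(":", 1)[1].strip(), current))
            continue
        e = ENTRY_RE.match(body)
        if e and current is not None:
            current[e.group(1)] = int(e.group(2), 16)
    return tables


def uniform_dispatch_tables(tables, min_entries=4):
    """Return [(driver_name, address)] for tables with one shared address.

    A clean driver's table is mixed: real handlers at different offsets in
    its own image plus one shared kernel-side default repeated for the
    majors it does not implement (804F4562 in the Disk block above).  A
    table with exactly one distinct address has had every entry redirected.
    min_entries guards against flagging a truncated fragment.
    """
    flagged = []
    for name, table in tables:
        addrs = set(table.values())
        if len(table) >= min_entries and len(addrs) == 1:
            flagged.append((name, addrs.pop()))
    return flagged


def report(log_text):
    """Print a per-driver summary and return the flagged list."""
    tables = parse_dispatch_tables(log_text)
    flagged = uniform_dispatch_tables(tables)
    for name, table in tables:
        distinct = len(set(table.values()))
        print(f"{name:10s} entries={len(table):2d} distinct addresses={distinct}")
    for name, addr in flagged:
        print(f"SUSPICIOUS: {name} -> every IRP_MJ handler = {addr:08X}")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a full TDSSKiller log by passing the file contents to `report()`; the single-address rule is a triage signal for a closer look at the driver's ImagePath (note the Services\atapi entry pointing at a .tmp file later in this thread), not a verdict on its own.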


#8 Elise

Malware Study Hall Admin

Posted 12 April 2010 - 08:51 AM

Can you rerun ComboFix now and post me the log?


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#9 jma12

Topic Starter

Posted 12 April 2010 - 10:19 AM

Here's the new ComboFix log. Sorry that it took so long.

ComboFix 10-04-11.06 - AJM 12/04/2010 15:09:21.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.742 [GMT 1:00]
Running from: c:\documents and settings\AJM\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-09 13:17 . 2010-04-09 13:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 13:14 . 2010-04-10 13:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 13:13 . 2010-04-09 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-09 13:13 . 2010-04-09 13:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 13:02 . 2010-04-09 13:05 -------- d-----w- c:\windows\ie8updates
2010-04-08 21:00 . 2010-04-08 21:00 118 ----a-w- C:\tujserrew.bat
2010-04-08 21:00 . 2010-04-08 21:00 71680 --sha-r- c:\windows\system32\keyboards.dll
2010-04-07 11:07 . 2010-04-07 11:07 388096 ----a-r- c:\documents and settings\AJM\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-07 11:07 . 2010-04-07 11:07 -------- d-----w- c:\program files\TrendMicro
2010-04-06 23:12 . 2010-04-06 23:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-06 23:09 . 2010-04-06 23:09 -------- d-----w- c:\documents and settings\AJM\Application Data\Trusteer
2010-04-06 22:54 . 2010-04-07 19:42 -------- d-----w- c:\program files\PartyGaming
2010-04-06 22:06 . 2010-04-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-06 21:57 . 2010-04-06 22:23 -------- d-----w- c:\documents and settings\AJM\Application Data\UB
2010-04-06 20:03 . 2010-04-06 20:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-06 18:58 . 2010-04-06 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-06 18:54 . 2010-04-12 13:10 -------- d-----w- c:\program files\Lavasoft
2010-04-06 17:17 . 2010-04-06 17:17 120 ----a-w- c:\windows\Ofosasutiyayiyo.dat
2010-04-06 17:17 . 2010-04-06 17:17 0 ----a-w- c:\windows\Fvafi.bin
2010-04-06 17:17 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-06 17:17 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-06 17:17 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-06 17:17 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-06 17:15 . 2010-04-06 17:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 16:56 . 2010-04-06 16:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-03 10:16 . 2010-04-03 10:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-03 10:03 . 2010-04-03 10:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-01 20:20 . 2010-04-01 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\documents and settings\AJM\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\program files\NJStar Communicator
2010-03-23 17:38 . 2010-03-24 12:46 -------- d-----w- c:\documents and settings\AJM\Application Data\BitTorrent
2010-03-23 17:38 . 2010-03-23 17:38 -------- d-----w- c:\program files\BitTorrent
2010-03-20 20:34 . 2010-03-20 20:34 -------- d-----w- c:\documents and settings\fei\Application Data\TSO
2010-03-20 16:58 . 2010-03-20 16:59 -------- d-----w- c:\documents and settings\AJM\Application Data\JustVoip
2010-03-20 13:03 . 2010-03-20 13:42 -------- d-----w- c:\documents and settings\fei\Application Data\JustVoip
2010-03-20 12:29 . 2010-03-20 12:29 -------- d-----w- c:\documents and settings\fei\Application Data\skypePM
2010-03-20 12:28 . 2010-03-20 13:58 -------- d-----w- c:\documents and settings\fei\Application Data\Skype
2010-03-20 11:46 . 2010-03-20 11:46 -------- d-----w- c:\documents and settings\fei\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 14:02 . 2007-07-22 00:04 -------- d-----w- c:\documents and settings\AJM\Application Data\Free Download Manager
2010-04-12 13:26 . 2010-04-12 12:00 96512 ----a-w- c:\windows\system32\drivers\tsk2D.tmp
2010-04-12 13:12 . 2007-08-06 15:15 -------- d-----w- c:\program files\Java
2010-04-12 12:02 . 2010-04-09 14:13 96512 ----a-w- c:\windows\system32\drivers\tsk9.tmp
2010-04-11 22:09 . 2009-08-31 23:11 -------- d-----w- c:\documents and settings\AJM\Application Data\Skype
2010-04-11 19:10 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-10 21:35 . 2009-08-31 23:12 -------- d-----w- c:\documents and settings\AJM\Application Data\skypePM
2010-04-09 15:10 . 2006-10-18 20:32 67672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 13:45 . 2010-04-09 13:45 96512 ----a-w- c:\windows\system32\drivers\tsk6.tmp
2010-04-07 19:43 . 2008-07-23 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-06 22:18 . 2009-08-24 23:09 -------- d-----w- c:\program files\UltimateBet
2010-04-06 21:57 . 2009-08-23 00:42 -------- d-----w- c:\program files\_uninstallation_info
2010-04-06 19:58 . 2008-10-25 18:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-03 11:36 . 2009-12-04 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 11:34 . 2010-01-19 16:52 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 17:45 . 2006-10-18 18:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 23:46 . 2009-12-05 12:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2009-12-05 12:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Intel
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Malwarebytes
2010-02-26 18:24 . 2007-10-03 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2004-08-03 22:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-23 13:50 . 2008-06-13 20:01 -------- d-----w- c:\program files\MSECache
2010-02-15 16:16 . 2009-09-18 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-15 16:16 . 2010-03-20 11:39 38784 ----a-w- c:\documents and settings\fei\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\AJM\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-07 14:21 . 2009-10-07 14:21 12445 ----a-w- c:\program files\Common Files\kuket.exe
2009-10-07 14:21 . 2009-10-07 14:21 12182 ----a-w- c:\program files\Common Files\ycatoq.pif
2009-10-07 14:13 . 2009-10-07 14:13 19627 ----a-w- c:\program files\Common Files\ugunyq.db
2009-10-07 14:12 . 2009-10-07 14:12 17977 ----a-w- c:\program files\Common Files\uhohoviv._dl
2007-02-01 17:02 . 2008-07-05 22:11 313344 ----a-w- c:\program files\hjsplit.exe
2008-04-12 15:31 . 2008-02-26 21:10 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-12_12.31.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 01:07 . 2010-04-12 12:33 65902 c:\windows\system32\perfc009.dat
+ 2004-08-04 01:07 . 2010-04-12 14:13 65902 c:\windows\system32\perfc009.dat
- 2006-10-16 17:34 . 2010-04-08 20:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-16 17:34 . 2010-04-12 14:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-16 17:34 . 2010-04-12 14:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 17:34 . 2010-04-08 20:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-12 12:39 . 2010-04-12 14:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 01:07 . 2010-04-12 14:13 395090 c:\windows\system32\perfh009.dat
- 2004-08-04 01:07 . 2010-04-12 12:33 395090 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 00:11 625664 ----a-w- c:\windows\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmd32.sys]
@="cmd32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-28 08:14 270648 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-07 20:26 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"wuauserv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe"
"ISBMgr.exe"=c:\program files\Sony\ISB Utility\ISBMgr.exe
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe"
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/03/2002 07:55 9216]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [29/01/2008 20:21 8576]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [22/02/2006 18:13 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [22/02/2006 18:13 33024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [18/10/2006 20:21 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [16/10/2006 19:07 37040]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [18/10/2006 19:56 226304]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/10/2007 18:49 717296]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

AddRemove-JabRef - c:\windows\system32\javaws.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 15:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F8BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7628f28
\Driver\ACPI -> ACPI.sys @ 0xf749bcb8
\Driver\atapi -> tsk2D.tmp @ 0xf731d852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7216bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7205a0d
SendHandler -> NDIS.sys @ 0xf7219b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk2D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1123561945-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:80,61,a9,58,e5,c6,93,cf,83,49,62,9a,4c,ea,1a,8a,8b,04,cf,ca,7a,
16,b8,7a,10,c2,f7,60,2c,40,dc,9a,63,50,3e,12,6c,0a,48,46,34,04,85,b3,e1,00,\
"rkeysecu"=hex:f8,28,c1,24,62,a6,57,7c,53,2a,00,1e,d5,ab,ad,c8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1520)
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(1580)
c:\windows\system32\WININET.dll
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-04-12 15:26:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 14:26
ComboFix2.txt 2010-04-12 12:37

Pre-Run: 57,498,177,536 bytes free
Post-Run: 57,480,638,464 bytes free

Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 63807FA06F297D9F50365AE5AAD574A0


#10 Elise

Malware Study Hall Admin

Posted 12 April 2010 - 11:26 AM

Hello again,

Click Start > Run; in the box that opens, type notepad and press Enter.
Copy/paste the text in the codebox below into Notepad and save it as fixme.bat to your desktop.
CODE
@echo off
copy c:\windows\system32\drivers\mouclass.sys c:\mouclass.sys
del %0
Exit Notepad and double-click on fixme.bat to run it.

Verify the following file has been created: c:\mouclass.sys
Do not continue if this file hasn't been created!!


CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE
<http://www.bleepingcomputer.com/forums/index.php?showtopic=308079&view=findpost&p=1711455>

Collect::
C:\tujserrew.bat
c:\windows\Ofosasutiyayiyo.dat
c:\program files\Common Files\kuket.exe
c:\program files\Common Files\ycatoq.pif
c:\program files\Common Files\ugunyq.db
c:\program files\Common Files\uhohoviv._dl

FCopy::
c:\mouclass.sys | c:\windows\system32\drivers\mouclass.sys


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



regards, Elise


#11 jma12

Topic Starter

Posted 12 April 2010 - 11:40 AM

c:\mouclass.sys is created

When I drag CFScript.txt into ComboFix, nothing happens.

#12 Elise

Malware Study Hall Admin

Posted 12 April 2010 - 12:01 PM

Can you try it in safe mode? Also, are you absolutely sure the file was dropped correctly onto combofix.exe?

regards, Elise


#13 jma12

Topic Starter

Posted 12 April 2010 - 12:07 PM

Didn't work in safe mode. I'm pretty sure I dragged/dropped it correctly; I tried it about 50 times.

#14 jma12

Topic Starter

Posted 12 April 2010 - 12:38 PM

I tried it once more after I had booted back into normal mode and it worked.

Here's the log:

ComboFix 10-04-11.06 - AJM 12/04/2010 18:18:55.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.760 [GMT 1:00]
Running from: c:\documents and settings\AJM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AJM\Desktop\CFScript.txt

file zipped: c:\program files\Common Files\kuket.exe
file zipped: c:\program files\Common Files\ugunyq.db
file zipped: c:\program files\Common Files\uhohoviv._dl
file zipped: c:\program files\Common Files\ycatoq.pif
file zipped: C:\tujserrew.bat
file zipped: c:\windows\Ofosasutiyayiyo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\kuket.exe
c:\program files\Common Files\ugunyq.db
c:\program files\Common Files\uhohoviv._dl
c:\program files\Common Files\ycatoq.pif
C:\tujserrew.bat
c:\windows\Ofosasutiyayiyo.dat

.
--------------- FCopy ---------------

c:\mouclass.sys --> c:\windows\system32\drivers\mouclass.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 16:34 . 2010-04-11 19:10 23040 ------w- C:\mouclass.sys
2010-04-09 13:17 . 2010-04-09 13:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 13:14 . 2010-04-10 13:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 13:13 . 2010-04-09 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-09 13:13 . 2010-04-09 13:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 13:02 . 2010-04-09 13:05 -------- d-----w- c:\windows\ie8updates
2010-04-08 21:00 . 2010-04-08 21:00 71680 --sha-r- c:\windows\system32\keyboards.dll
2010-04-07 11:07 . 2010-04-07 11:07 388096 ----a-r- c:\documents and settings\AJM\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-07 11:07 . 2010-04-07 11:07 -------- d-----w- c:\program files\TrendMicro
2010-04-06 23:12 . 2010-04-06 23:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-06 23:09 . 2010-04-06 23:09 -------- d-----w- c:\documents and settings\AJM\Application Data\Trusteer
2010-04-06 22:54 . 2010-04-07 19:42 -------- d-----w- c:\program files\PartyGaming
2010-04-06 22:06 . 2010-04-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-06 21:57 . 2010-04-06 22:23 -------- d-----w- c:\documents and settings\AJM\Application Data\UB
2010-04-06 20:03 . 2010-04-06 20:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-06 18:58 . 2010-04-06 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-06 18:54 . 2010-04-12 13:10 -------- d-----w- c:\program files\Lavasoft
2010-04-06 17:17 . 2010-04-06 17:17 0 ----a-w- c:\windows\Fvafi.bin
2010-04-06 17:17 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-06 17:17 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-06 17:17 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-06 17:17 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-06 17:15 . 2010-04-06 17:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 16:56 . 2010-04-06 16:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-03 10:16 . 2010-04-03 10:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-03 10:03 . 2010-04-03 10:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-01 20:20 . 2010-04-01 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\documents and settings\AJM\Application Data\NJStar
2010-04-01 20:17 . 2010-04-01 20:17 -------- d-----w- c:\program files\NJStar Communicator
2010-03-23 17:38 . 2010-03-24 12:46 -------- d-----w- c:\documents and settings\AJM\Application Data\BitTorrent
2010-03-23 17:38 . 2010-03-23 17:38 -------- d-----w- c:\program files\BitTorrent
2010-03-20 20:34 . 2010-03-20 20:34 -------- d-----w- c:\documents and settings\fei\Application Data\TSO
2010-03-20 16:58 . 2010-03-20 16:59 -------- d-----w- c:\documents and settings\AJM\Application Data\JustVoip
2010-03-20 13:03 . 2010-03-20 13:42 -------- d-----w- c:\documents and settings\fei\Application Data\JustVoip
2010-03-20 12:29 . 2010-03-20 12:29 -------- d-----w- c:\documents and settings\fei\Application Data\skypePM
2010-03-20 12:28 . 2010-03-20 13:58 -------- d-----w- c:\documents and settings\fei\Application Data\Skype
2010-03-20 11:46 . 2010-03-20 11:46 -------- d-----w- c:\documents and settings\fei\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 17:18 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-12 17:13 . 2007-07-22 00:04 -------- d-----w- c:\documents and settings\AJM\Application Data\Free Download Manager
2010-04-12 16:31 . 2008-10-25 18:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 13:26 . 2010-04-12 12:00 96512 ----a-w- c:\windows\system32\drivers\tsk2D.tmp
2010-04-12 13:12 . 2007-08-06 15:15 -------- d-----w- c:\program files\Java
2010-04-12 12:02 . 2010-04-09 14:13 96512 ----a-w- c:\windows\system32\drivers\tsk9.tmp
2010-04-11 22:09 . 2009-08-31 23:11 -------- d-----w- c:\documents and settings\AJM\Application Data\Skype
2010-04-10 21:35 . 2009-08-31 23:12 -------- d-----w- c:\documents and settings\AJM\Application Data\skypePM
2010-04-09 15:10 . 2006-10-18 20:32 67672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 13:45 . 2010-04-09 13:45 96512 ----a-w- c:\windows\system32\drivers\tsk6.tmp
2010-04-07 19:43 . 2008-07-23 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-06 22:18 . 2009-08-24 23:09 -------- d-----w- c:\program files\UltimateBet
2010-04-06 21:57 . 2009-08-23 00:42 -------- d-----w- c:\program files\_uninstallation_info
2010-04-03 11:36 . 2009-12-04 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 11:34 . 2010-01-19 16:52 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 17:45 . 2006-10-18 18:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 23:46 . 2009-12-05 12:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2009-12-05 12:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Intel
2010-03-20 11:39 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\fei\Application Data\Malwarebytes
2010-02-26 18:24 . 2007-10-03 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2004-08-03 22:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-23 13:50 . 2008-06-13 20:01 -------- d-----w- c:\program files\MSECache
2010-02-15 16:16 . 2009-09-18 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-15 16:16 . 2010-03-20 11:39 38784 ----a-w- c:\documents and settings\fei\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\AJM\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 16:16 . 2009-09-18 18:03 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2007-02-01 17:02 . 2008-07-05 22:11 313344 ----a-w- c:\program files\hjsplit.exe
2008-04-12 15:31 . 2008-02-26 21:10 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-12_12.31.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 01:07 . 2010-04-12 17:21 65902 c:\windows\system32\perfc009.dat
- 2004-08-04 01:07 . 2010-04-12 12:33 65902 c:\windows\system32\perfc009.dat
- 2004-08-03 22:58 . 2010-04-11 19:10 23040 c:\windows\system32\dllcache\mouclass.sys
+ 2004-08-03 22:58 . 2010-04-12 17:18 23040 c:\windows\system32\dllcache\mouclass.sys
- 2006-10-16 17:34 . 2010-04-08 20:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-16 17:34 . 2010-04-12 14:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-16 17:34 . 2010-04-12 14:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 17:34 . 2010-04-08 20:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-04 01:07 . 2010-04-12 12:33 395090 c:\windows\system32\perfh009.dat
+ 2004-08-04 01:07 . 2010-04-12 17:21 395090 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 00:11 625664 ----a-w- c:\windows\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmd32.sys]
@="cmd32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-28 08:14 270648 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-07 20:26 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"wuauserv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe"
"ISBMgr.exe"=c:\program files\Sony\ISB Utility\ISBMgr.exe
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe"
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/03/2002 07:55 9216]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [29/01/2008 20:21 8576]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [22/02/2006 18:13 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [22/02/2006 18:13 33024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [18/10/2006 20:21 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [16/10/2006 19:07 37040]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [18/10/2006 19:56 226304]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/10/2007 18:49 717296]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F8DAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7628f28
\Driver\ACPI -> ACPI.sys @ 0xf749bcb8
\Driver\atapi -> tsk2D.tmp @ 0xf731d852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7216bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7205a0d
SendHandler -> NDIS.sys @ 0xf7219b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk2D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1123561945-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:80,61,a9,58,e5,c6,93,cf,83,49,62,9a,4c,ea,1a,8a,8b,04,cf,ca,7a,
16,b8,7a,10,c2,f7,60,2c,40,dc,9a,63,50,3e,12,6c,0a,48,46,34,04,85,b3,e1,00,\
"rkeysecu"=hex:f8,28,c1,24,62,a6,57,7c,53,2a,00,1e,d5,ab,ad,c8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1520)
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(1580)
c:\windows\system32\WININET.dll
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
**************************************************************************
.
Completion time: 2010-04-12 18:36:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 17:35
ComboFix2.txt 2010-04-12 14:26
ComboFix3.txt 2010-04-12 12:37

Pre-Run: 56,019,292,160 bytes free
Post-Run: 55,997,902,848 bytes free

Current=5 Default=5 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - E4F02FB492D765C7E2D6287C5BF8CC34

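The ComboFix output above contains several indicators worth pulling out mechanically rather than by eye: the `atapi` service's `ImagePath` redirected to `system32\drivers\tsk2D.tmp`, the same `.tmp` reached through `\Driver\atapi` in GMER's MBR check (the pattern characteristic of TDL3/Alureon-class rootkits), an `>>UNKNOWN<<` module in the disk call chain, a boot-start `cmd32.sys` service whose image ComboFix could not read together with a matching `SafeBoot\Minimal` entry, Security Center `AntiVirusOverride`/`FirewallOverride` set to 1 with `EnableFirewall` at 0, and a freshly created hidden+system+read-only `keyboards.dll` in system32. The script below is an added triage example written for this page; it is not part of the thread, not a ComboFix or GMER feature, and the names `triage`, `Finding`, `EXPECTED_IMAGE` and `SAMPLE_LOG` are its own. `SAMPLE_LOG` is constructed from lines excerpted from the log above.

```python
"""Flag rootkit/persistence indicators in ComboFix- and GMER-style log text.

Added example for the thread above, not a ComboFix or GMER feature. The
regexes follow the line formats visible in the log; EXPECTED_IMAGE is this
example's own assumption about which image a core driver should resolve to.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# The atapi service and its driver object should both resolve to atapi.sys.
# \Driver\Disk legitimately resolves to CLASSPNP.SYS, so it is deliberately
# not listed here (listing it would produce a false positive).
EXPECTED_IMAGE = {"atapi": "atapi.sys"}

# "S1 cmd32.sys;cmd32.sys;\??\c:\...\cmd32.sys --> c:\...\cmd32.sys [?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);[^;]*;(.*)\s+\[([^\]]*)\]\s*$")
# "[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]"
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKLM)\\(.+)\]$", re.I)
# '"ImagePath"="system32\drivers\tsk2D.tmp"' / '"EnableFirewall"= 0 (0x0)'
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# GMER MBR check: "\Driver\atapi -> tsk2D.tmp @ 0xf731d852"
HOOK_RE = re.compile(r"^\\Driver\\(\w+) -> (\S+) @ 0x[0-9a-fA-F]+")
# New-files report: "2010-04-08 21:00 . 2010-04-08 21:00 71680 --sha-r- c:\..."
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \S+ \S+\s+\d+\s+([-a-z]{8})\s+(.*)$")


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    missing_drivers: set[str] = set()   # boot/system-start services with "[?]"
    safeboot: set[str] = set()          # leaf names under SafeBoot\Minimal
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            start, name, info = int(m.group(2)), m.group(3).lower(), m.group(5)
            # ComboFix prints "[?]" when it could not read the image file;
            # for a boot/system-start (0/1) driver that is a strong signal.
            if info == "?" and start <= 1:
                missing_drivers.add(name)
                findings.append(Finding("unreadable-boot-driver", line))
        elif m := KEY_RE.match(line):
            current_key = m.group(2).lower()
            if "\\safeboot\\minimal\\" in current_key:
                safeboot.add(current_key.rsplit("\\", 1)[-1])
        elif (m := VALUE_RE.match(line)) and current_key:
            name, value = m.group(1), m.group(2)
            if name.lower() == "imagepath" and "\\services\\" in current_key:
                svc, image = current_key.rsplit("\\", 1)[-1], basename(value)
                expected = EXPECTED_IMAGE.get(svc)
                if image.endswith(".tmp") or (expected and image != expected):
                    findings.append(Finding("service-image-redirect", f"{svc} -> {image}"))
            elif name in ("AntiVirusOverride", "FirewallOverride") and value.endswith("1"):
                findings.append(Finding("security-center-override", name))
            elif name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("firewall-disabled", current_key))
        elif m := HOOK_RE.match(line):
            drv, module = m.group(1).lower(), m.group(2).lower()
            expected = EXPECTED_IMAGE.get(drv)
            if module.endswith(".tmp") or (expected and module != expected):
                findings.append(Finding("driver-object-hook", f"\\Driver\\{drv} -> {module}"))
        elif line.startswith("called modules") and ">>UNKNOWN" in line:
            findings.append(Finding("unknown-module-in-disk-stack", line))
        elif m := FILE_RE.match(line):
            attrs, path = m.group(1), m.group(2).lower()
            # hidden+system on a plain file in system32 is a cue, not a verdict
            if "sh" in attrs and "\\windows\\system32\\" in path:
                findings.append(Finding("hidden-system-file", path))
    for name in sorted(safeboot & missing_drivers):
        findings.append(Finding("safeboot-entry-for-missing-driver", name))
    return findings


# Constructed sample: lines excerpted from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2010-04-08 21:00 . 2010-04-08 21:00 71680 --sha-r- c:\windows\system32\keyboards.dll
2010-04-07 11:07 . 2010-04-07 11:07 388096 ----a-r- c:\documents and settings\AJM\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmd32.sys]
@="cmd32"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/03/2002 07:55 9216]
S1 cmd32.sys;cmd32.sys;\??\c:\windows\system32\cmd32.sys --> c:\windows\system32\cmd32.sys [?]
S4 gupdate1c9862f1fc5b8aa;Google Update Service (gupdate1c9862f1fc5b8aa);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F8DAC8]<<
\Driver\Disk -> CLASSPNP.SYS @ 0xf7628f28
\Driver\ACPI -> ACPI.sys @ 0xf749bcb8
\Driver\atapi -> tsk2D.tmp @ 0xf731d852
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\atapi]
"ImagePath"="system32\drivers\tsk2D.tmp"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:36} {finding.detail}")
```

Run over the full log rather than the excerpt, the hidden+system check also reports `KGyGaAvL.sys`, an older file that is typically a benign licensing component; that is why the attribute check is emitted as a cue to vet, while the `atapi` redirection and the `\Driver\atapi` hook into a `.tmp` are the findings that actually explain the persisting redirects after MBAM cleanups. The `S4` Google Update entry is not reported even though it carries `[?]`, because a quoted path with arguments also produces that marker and the service is not boot-start.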

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:57 AM

Posted 12 April 2010 - 12:46 PM

Please rerun GMER. Make sure that Sections is checked (you can uncheck all other options so the scan will be faster).

Please post me the scan results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
