
I think I may be infected with TDSS rootkit


This topic is locked
22 replies to this topic

#1 inyearstocome

  • Members
  • 10 posts

Posted 09 April 2010 - 12:10 PM

Hey guys, hoping you could help me out here.

A while back my laptop developed symptoms of a TDSS rootkit. Everything was running extremely slow, Google and Yahoo would both re-direct to unwanted sites, and a "Just-In-Time Debugger" window would pop up. I didn't know what that window was at first so I just closed it, only to have it reappear. After searching the internet I found Kaspersky's TDSS Killer program and I decided to give it a shot. Immediately it found a TDSS rootkit and I followed the instructions and upon reboot it removed it. Or so I thought. A bad play on my part, I didn't run anything else to make sure it was fully gone (I didn't figure it to be that dangerous). Then about a week ago, my laptop would run much slower than normal; System Idle Process would run at about 80-90%. About three days ago the same symptoms popped back up again. New problems appeared such as BSOD'ing when I tried to go into safe mode, a rogue anti-spyware called "XP AntiMalware 2010" would pop up, and everything got slower. I tried running the TDSS Killer tool again (going as far as turning System Restore off and renaming the program) but when I rebooted the problems were still present. AVG Anti-Malware hasn't found anything, MalwareBytes and Ad-Aware haven't either. I did fix the safe mode issue though.

Here are the logs the guide said for me to post:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 1:17:49.32 on Fri 04/09/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.73 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100408-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
svchost.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Zend\php\php5.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\Zend\php\php5.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
c:\apache\APACHE.EXE
C:\WINDOWS\system32\HPZipm12.exe
c:\apache\APACHE.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {aa58ed58-01dd-4d91-8333-cf10577473f7} - Google Toolbar Helper
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\dan\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\wireless sync\client\ClientShell.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://connect.jpmorganchase.com/dana-cached/setup/NeoterisSetup.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://192.168.0.105/Remote/msrdp.cab
DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} - hxxp://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink11047.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: Sebring - c:\windows\system32\LgNotify.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 setuid

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\08kw3ms4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\firefox\profiles\08kw3ms4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\dan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmeadax.dll
FF - plugin: c:\program files\osa kit pro player v4.0\npmeadax.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-7 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-23 217032]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-9-20 114768]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-4-8 3968]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-23 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-9-20 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-5 93320]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-3-23 818432]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [2002-1-25 20480]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-4-7 53088]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-3-17 582992]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-9-20 254040]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1980-1-1 59328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-3-23 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-3-23 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-3-23 115216]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-3-17 206608]
RUnknown Partizan;Partizan; [x]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-3-23 88040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-9-20 352920]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-17 206608]

=============== Created Last 30 ================

2010-04-20 17:44:42 0 d-----w- C:\d3c3a77ed27e8f39076fd5bc
2010-04-20 17:43:45 0 d-----w- C:\1d8bfcb7fd460462e760d7eec418
2010-04-20 02:37:43 189784 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-04-20 02:06:16 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-20 02:03:29 0 d-----w- c:\docume~1\dan\applic~1\id Software
2010-04-20 02:02:58 0 d-----w- c:\docume~1\alluse~1\applic~1\id Software
2010-04-09 05:09:19 0 ----a-w- c:\documents and settings\dan\defogger_reenable
2010-04-09 00:34:06 2 --shatr- c:\windows\winstart.bat
2010-04-09 00:33:21 0 d-----w- c:\program files\UnHackMe
2010-04-08 19:51:50 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-04-08 19:39:56 0 d-----w- c:\windows\ERUNT
2010-04-08 19:31:50 0 d-----w- C:\SDFix
2010-04-08 18:06:29 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-08 13:37:54 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-07 21:40:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-07 20:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-07 20:12:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 19:26:52 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-07 19:26:40 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-04-05 19:00:46 0 d-----w- c:\program files\common files\McAfee
2010-04-05 01:46:25 0 d-----w- C:\d4269c242766e9b0ff3b899a1f
2010-03-24 15:03:08 0 d-----w- c:\docume~1\dan\applic~1\PCToolsFirewallPlus
2010-03-24 03:07:06 7435 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.cat
2010-03-24 03:07:05 7399 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.cat
2010-03-24 03:07:05 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-03-24 03:07:05 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-03-24 03:07:05 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-03-24 03:07:00 7383 ----a-w- c:\windows\system32\drivers\pctplfw.cat
2010-03-24 03:06:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-03-24 03:06:45 0 d-----w- c:\program files\PC Tools Firewall Plus
2010-03-24 02:47:48 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-24 02:47:48 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-24 02:46:32 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-24 02:46:32 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-24 02:46:32 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-24 02:46:32 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-24 02:45:07 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-24 02:45:07 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-24 02:43:39 0 d-----w- c:\program files\common files\PC Tools
2010-03-24 02:43:33 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-24 02:43:32 0 d-----w- c:\program files\Spyware Doctor
2010-03-24 02:43:32 0 d-----w- c:\docume~1\dan\applic~1\PC Tools
2010-03-22 14:34:56 0 d-----w- C:\DukeN
2010-03-22 00:57:56 24 ----a-w- C:\DUKE3D.BAT
2010-03-22 00:57:01 0 d-----w- C:\DUKE3D
2010-03-18 03:16:44 0 d-----w- c:\program files\Wise Registry Cleaner
2010-03-18 03:11:55 0 d-----w- c:\program files\Wise Disk Cleaner
2010-03-17 19:53:21 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys

==================== Find3M ====================

2010-04-20 02:33:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-09 00:15:26 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-28 17:44:59 48665 ----a-w- c:\windows\system32\nvModes.dat
2007-11-16 08:49:48 265 ----a-w- c:\program files\podBible.txt
2009-05-04 14:02:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050420090505\index.dat

============= FINISH: 1:20:39.66 ===============

Edited by inyearstocome, 09 April 2010 - 12:21 PM.
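As an added triage helper (not a BleepingComputer tool and not part of any post in this thread), the following Python parser reads the DDS sections shown above and flags entries a reviewer should look at: a service or driver whose file is absent (`[x]`), a driver stamped with a placeholder-style date, a file dated after the log's own run date, and a driver changed within days of the run. The sample input is an excerpt of the log above; the 7-day window and the 1990 cut-off are assumed heuristics, and a flag is a prompt to look, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Header and entry lines copied from the DDS log above (a small excerpt, not the whole log).
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 1:17:49.32 on Fri 04/09/2010

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1980-1-1 59328]
RUnknown Partizan;Partizan; [x]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-17 206608]

=============== Created Last 30 ================

2010-04-20 17:44:42 0 d-----w- C:\d3c3a77ed27e8f39076fd5bc
2010-04-09 00:34:06 2 --shatr- c:\windows\winstart.bat
2010-04-07 20:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

==================== Find3M ====================

2010-04-09 00:15:26 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2007-11-16 08:49:48 265 ----a-w- c:\program files\podBible.txt
"""

# "Run by <user> at <time> on <Dow> MM/DD/YYYY": DDS prints the run date US-style.
RUN_RE = re.compile(r"^Run by .+ on \w{3} (\d{2})/(\d{2})/(\d{4})$")
# "R0 name;display name;path [YYYY-M-D size]", or "... [x]" when the file is not on disk.
SERVICE_RE = re.compile(r"^([RS](?:\d|Unknown))\s+([^;]*);([^;]*);([^\[]*)\[([^\]]*)\]$")
# "YYYY-MM-DD HH:MM:SS size attributes path", the layout of Created Last 30 and Find3M.
FILE_RE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2}) \d{2}:\d{2}:\d{2}\s+\d+\s+[-a-z]{8}\s+(.+)$")

RECENT_WINDOW = timedelta(days=7)  # assumed heuristic: driver changes this close to the run get a look
OLDEST_PLAUSIBLE_YEAR = 1990       # assumed heuristic: earlier dates are placeholder-style timestamps


def parse_run_date(log_text):
    """Return the date DDS was run, taken from the 'Run by' header, or None if absent."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            month, day, year = (int(g) for g in m.groups())
            return datetime(year, month, day)
    return None


def triage(log_text):
    """Return (reason, subject, raw_line) tuples for entries worth a reviewer's attention."""
    run_date = parse_run_date(log_text)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _kind, name, _display, _path, bracket = m.groups()
            if bracket.strip() == "x":
                # Service or driver is registered but its file is not on disk.
                findings.append(("missing-file", name, line))
            else:
                stamp = datetime.strptime(bracket.split()[0], "%Y-%m-%d")
                if stamp.year < OLDEST_PLAUSIBLE_YEAR:
                    findings.append(("epoch-date", name, line))
            continue
        m = FILE_RE.match(line)
        if m and run_date is not None:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d")
            path = m.group(2)
            if stamp > run_date:
                # Dated after the log was produced: clock skew or a tampered timestamp.
                findings.append(("future-date", path, line))
            elif "\\drivers\\" in path.lower() and run_date - stamp <= RECENT_WINDOW:
                # A kernel driver changed within days of the run; legitimate installs show up here too.
                findings.append(("recent-driver", path, line))
    return findings


if __name__ == "__main__":
    for reason, subject, _line in triage(SAMPLE_LOG):
        print(f"{reason:14} {subject}")
```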



#2 Blade

  • Site Admin
  • 12,704 posts

Posted 12 April 2010 - 12:21 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade

In your next reply, please include the following:
ComboFix Log



#3 inyearstocome

  • Topic Starter
  • Members
  • 10 posts

Posted 12 April 2010 - 07:11 PM

Thanks for the response. After I finished with ComboFix the previously mentioned 'Just-In-Time Debugger' pop-up has disappeared so it seems there's progress. Here's the ComboFix log.

ComboFix 10-04-12.01 - Dan 04/12/2010 18:17:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.201 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\renamed.exe
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\data\ibdata1
c:\documents and settings\All Users\Application Data\68Dov5Lc.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Dan\Local Settings\Application Data\ave.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\windows\eSellerateEngine.dll
c:\windows\system32\bszip.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\drivers\fad.sys

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-20 02:03 . 2010-04-20 02:03 -------- d-----w- c:\documents and settings\Dan\Application Data\id Software
2010-04-20 02:02 . 2010-04-20 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-04-07 20:12 . 2010-04-07 20:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 19:26 . 2010-04-07 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-24 15:03 . 2010-03-24 15:04 -------- d-----w- c:\documents and settings\Dan\Application Data\PCToolsFirewallPlus
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\Dan\Application Data\PC Tools
2010-03-24 02:43 . 2010-04-12 22:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-17 19:50 . 2010-03-17 19:50 -------- d-----w- c:\documents and settings\Dan\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Apoint\Apoint .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\Dell\QuickSet\quickset .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [N/A]
"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [N/A]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2010-04-12 41476]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe" [2004-05-17 528384]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2010-04-12 41476]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-04-12 41476]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2010-04-12 41476]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-04-12 41476]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-04-12 41476]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-30 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-30 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-30 118784]
Wireless Sync Client.lnk - c:\program files\Wireless Sync\Client\ClientShell.exe [2004-11-17 241736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 12:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 04:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 00:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-01-03 16:15 50528 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 21:17 41476 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-20 22:56 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-03 22:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-04-12 21:17 41476 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Apache Group\\Apache\\Apache.exe"=
"c:\\apache\\mysql\\bin\\mysqld-nt.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\phoenix1gnition\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/7/2010 4:15 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/23/2010 10:46 PM 217032]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/20/2008 8:06 PM 114768]
R1 pctgntdi;pctgntdi;c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys [3/23/2010 10:47 PM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/20/2008 8:06 PM 20560]
R2 pxrts;pxrts;c:\windows\SYSTEM32\DRIVERS\pxrts.sys [4/7/2010 3:26 PM 53088]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [1/1/1980 2:00 AM 59328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-PacketFilter.sys [3/23/2010 11:07 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\SYSTEM32\DRIVERS\pctNdis.sys [3/23/2010 11:07 PM 58816]
R3 pctplfw;pctplfw;c:\windows\SYSTEM32\DRIVERS\pctplfw.sys [3/23/2010 11:06 PM 115216]
R3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys [3/23/2010 10:46 PM 88040]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:40]

2010-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-04-12 c:\windows\Tasks\At1.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At10.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At11.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At12.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At13.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At14.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At15.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At16.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At17.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At18.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At19.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At2.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At20.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At21.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At22.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At23.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At24.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At3.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At4.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At5.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At6.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At7.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At8.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At9.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-02 c:\windows\Tasks\{3901BD2F-41AD-491D-8DB9-EA93D1CEE7A3}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-09 c:\windows\Tasks\{3C50D220-384A-472A-B79D-D740CCB35B56}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-07 c:\windows\Tasks\{60114160-C589-4EEA-A514-CD5D244DCA67}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} - hxxp://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink11047.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll
FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 18:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x83ACAAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8793f28
\Driver\ACPI -> ACPI.sys @ 0xf8686cb8
\Driver\atapi -> atapi.sys @ 0xf85e2852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Intel® PRO/Wireless LAN 2100 3A Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf845abb0
PacketIndicateHandler -> NDIS.sys @ 0xf8467a21
SendHandler -> NDIS.sys @ 0xf844587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\WININET.dll
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(548)
c:\windows\system32\WININET.dll
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\nvwddi.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\program files\Zend\php\php5.exe
c:\program files\CVSNT\cvslock.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\CVSNT\cvsservice.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee\SITEAD~1\mcsacore.exe
c:\program files\Apoint\Apoint .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\PC Tools Firewall Plus\FirewallGUI .exe
c:\program files\Spyware Doctor\pctsTray .exe
c:\program files\Trend Micro\RUBotted\TMRUBottedTray .exe
c:\program files\Zune\ZuneLauncher .exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\apache\APACHE.EXE
c:\windows\system32\HPZipm12.exe
c:\apache\APACHE.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Trend Micro\RUBotted\TMRUBotted.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-04-12 19:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 23:24

Pre-Run: 2,694,582,272 bytes free
Post-Run: 2,522,382,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=5 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - FE2DD3D0A85C07DCDB3B70EDAA3E7148

Edited by inyearstocome, 12 April 2010 - 07:15 PM.


#4 Blade

  • Site Admin
  • 12,704 posts
  • Gender: Male
  • Location: US

Posted 12 April 2010 - 11:16 PM

Hello inyearstocome.

Looking better. . . but still got some work to do.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.
***************************************************

Please download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (spywareblaster, ie-spyad, etc.) will need to be reapplied.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

http://www.bleepingcomputer.com/forums/t/308405/i-think-i-may-be-infected-with-tdss-rootkit/

AtJob::

Collect::
c:\windows\Fonts\875ki6.com

RenV::
c:\program files\Apoint\Apoint .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\Dell\QuickSet\quickset .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
~Blade


In your next reply, please include the following:
TDSSKiller Log
ComboFix Log

Edited by Blade Zephon, 12 April 2010 - 11:16 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
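The two things Blade's CFScript targets are both visible in the earlier ComboFix log: a run of At1.job through At24.job that all launch the same file out of c:\windows\Fonts (handled by AtJob:: and Collect::), and autostart entries whose image names carry a space before the extension, such as "quickset .exe" (handled by RenV::). The script below is an added example of how a responder can pull those two indicators out of a ComboFix-style log automatically; it is not ComboFix, TDSSKiller or any BleepingComputer tool, the function names are my own, and the sample log is constructed from lines quoted in this thread.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix tool).

Flags two patterns seen in this thread:
  * a burst of At<N>.job scheduled tasks that all launch one executable
    from a data directory (what AtJob:: / Collect:: deal with), and
  * autostart image names with a space before the extension, such as
    "quickset .exe" (what RenV:: renames back).
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:40]

2010-04-12 c:\windows\Tasks\At1.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At2.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

2010-04-12 c:\windows\Tasks\At3.job
- c:\windows\Fonts\875ki6.com [2010-04-12 21:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [N/A]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe" [2004-05-17 528384]
"""

# "<date> <path>\<name>.job" header line of one task entry
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<path>.+\\(?P<name>[^\\]+)\.job)\s*$", re.I)
# "- <target> [<timestamp>]" line that follows the header
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[", re.I)
# At1, At2, ... is the naming the at.exe scheduler uses
AT_NAME_RE = re.compile(r"^At\d+$", re.I)
# A drive path whose file name has a space right before the extension
SPACE_EXT_RE = re.compile(r'([a-z]:\\[^"\[\r\n]*? \.(?:exe|com|dll|scr))', re.I)
# Directories meant for data, not programs; an executable launched from
# one of them deserves a closer look
DATA_DIR_MARKERS = ("\\fonts\\", "\\temp\\", "\\tasks\\",
                    "\\application data\\", "\\local settings\\")


def parse_scheduled_tasks(log):
    """Return (job_name, target_path) pairs from the Scheduled Tasks section."""
    lines = log.splitlines()
    pairs = []
    for i, line in enumerate(lines[:-1]):
        header = TASK_RE.match(line.strip())
        if not header:
            continue
        target = TARGET_RE.match(lines[i + 1].strip())
        if target:
            pairs.append((header.group("name"), target.group("target")))
    return pairs


def find_at_job_clusters(log, min_jobs=2):
    """Group At<N>.job tasks by the executable they launch.

    Returns {lower-cased target: [job names]} for every target that at
    least min_jobs tasks point to.
    """
    clusters = defaultdict(list)
    for name, target in parse_scheduled_tasks(log):
        if AT_NAME_RE.match(name):
            clusters[target.lower()].append(name)
    return {t: jobs for t, jobs in clusters.items() if len(jobs) >= min_jobs}


def is_data_directory(path):
    """True when the executable sits in a directory that should hold data only."""
    return any(marker in path.lower() for marker in DATA_DIR_MARKERS)


def find_space_before_extension(log):
    """Return deduplicated, lower-cased image paths such as '...\\quickset .exe'."""
    return sorted({m.group(1).lower() for m in SPACE_EXT_RE.finditer(log)})


if __name__ == "__main__":
    for target, jobs in find_at_job_clusters(SAMPLE_LOG).items():
        where = "DATA DIRECTORY" if is_data_directory(target) else "program directory"
        print(f"{len(jobs)} At*.job tasks -> {target} ({where}): {', '.join(jobs)}")
    for image in find_space_before_extension(SAMPLE_LOG):
        print(f"space before extension: {image}")
```

Run against a real ComboFix.txt the same functions work unchanged, since the Scheduled Tasks and Reg Loading Points sections keep the same line shapes; the At*.job count alone is the alarm, and the data-directory check only tells you how loudly to ring it.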


#5 inyearstocome

  • Topic Starter
  • Members
  • 10 posts

Posted 13 April 2010 - 03:47 PM

Okay, finished. The 'Just-In-Time' pop-up appeared again, although I suppose that's not an accurate way to measure progress. Here are the two requested logs.

TDSSKiller:

16:06:13:930 3720 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:06:13:930 3720 ================================================================================
16:06:13:930 3720 SystemInfo:

16:06:13:930 3720 OS Version: 5.1.2600 ServicePack: 3.0
16:06:13:930 3720 Product type: Workstation
16:06:13:930 3720 ComputerName: ARAGORN
16:06:13:930 3720 UserName: Dan
16:06:13:930 3720 Windows directory: C:\WINDOWS
16:06:13:930 3720 Processor architecture: Intel x86
16:06:13:930 3720 Number of processors: 1
16:06:13:930 3720 Page size: 0x1000
16:06:13:930 3720 Boot type: Normal boot
16:06:13:930 3720 ================================================================================
16:06:13:940 3720 UnloadDriverW: NtUnloadDriver error 2
16:06:13:940 3720 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:06:14:020 3720 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:06:14:020 3720 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:06:14:020 3720 wfopen_ex: Trying to KLMD file open
16:06:14:020 3720 wfopen_ex: File opened ok (Flags 2)
16:06:14:020 3720 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:06:14:020 3720 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:06:14:020 3720 wfopen_ex: Trying to KLMD file open
16:06:14:020 3720 wfopen_ex: File opened ok (Flags 2)
16:06:14:020 3720 Initialize success
16:06:14:020 3720
16:06:14:020 3720 Scanning Services ...
16:06:14:671 3720 Raw services enum returned 404 services
16:06:14:691 3720
16:06:14:701 3720 Scanning Kernel memory ...
16:06:14:701 3720 Devices to scan: 3
16:06:14:701 3720
16:06:14:701 3720 Driver Name: Disk
16:06:14:701 3720 IRP_MJ_CREATE : F877CBB0
16:06:14:701 3720 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
16:06:14:701 3720 IRP_MJ_CLOSE : F877CBB0
16:06:14:701 3720 IRP_MJ_READ : F8776D1F
16:06:14:701 3720 IRP_MJ_WRITE : F8776D1F
16:06:14:701 3720 IRP_MJ_QUERY_INFORMATION : 804FA87E
16:06:14:701 3720 IRP_MJ_SET_INFORMATION : 804FA87E
16:06:14:701 3720 IRP_MJ_QUERY_EA : 804FA87E
16:06:14:701 3720 IRP_MJ_SET_EA : 804FA87E
16:06:14:701 3720 IRP_MJ_FLUSH_BUFFERS : F87772E2
16:06:14:701 3720 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
16:06:14:701 3720 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
16:06:14:701 3720 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
16:06:14:701 3720 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
16:06:14:701 3720 IRP_MJ_DEVICE_CONTROL : F87773BB
16:06:14:701 3720 IRP_MJ_INTERNAL_DEVICE_CONTROL : F877AF28
16:06:14:701 3720 IRP_MJ_SHUTDOWN : F87772E2
16:06:14:701 3720 IRP_MJ_LOCK_CONTROL : 804FA87E
16:06:14:701 3720 IRP_MJ_CLEANUP : 804FA87E
16:06:14:701 3720 IRP_MJ_CREATE_MAILSLOT : 804FA87E
16:06:14:701 3720 IRP_MJ_QUERY_SECURITY : 804FA87E
16:06:14:701 3720 IRP_MJ_SET_SECURITY : 804FA87E
16:06:14:701 3720 IRP_MJ_POWER : F8778C82
16:06:14:701 3720 IRP_MJ_SYSTEM_CONTROL : F877D99E
16:06:14:701 3720 IRP_MJ_DEVICE_CHANGE : 804FA87E
16:06:14:701 3720 IRP_MJ_QUERY_QUOTA : 804FA87E
16:06:14:701 3720 IRP_MJ_SET_QUOTA : 804FA87E
16:06:14:741 3720 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:06:14:741 3720
16:06:14:741 3720 Driver Name: Disk
16:06:14:741 3720 IRP_MJ_CREATE : F877CBB0
16:06:14:741 3720 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
16:06:14:741 3720 IRP_MJ_CLOSE : F877CBB0
16:06:14:741 3720 IRP_MJ_READ : F8776D1F
16:06:14:741 3720 IRP_MJ_WRITE : F8776D1F
16:06:14:741 3720 IRP_MJ_QUERY_INFORMATION : 804FA87E
16:06:14:741 3720 IRP_MJ_SET_INFORMATION : 804FA87E
16:06:14:741 3720 IRP_MJ_QUERY_EA : 804FA87E
16:06:14:741 3720 IRP_MJ_SET_EA : 804FA87E
16:06:14:741 3720 IRP_MJ_FLUSH_BUFFERS : F87772E2
16:06:14:741 3720 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
16:06:14:741 3720 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
16:06:14:741 3720 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
16:06:14:741 3720 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
16:06:14:741 3720 IRP_MJ_DEVICE_CONTROL : F87773BB
16:06:14:741 3720 IRP_MJ_INTERNAL_DEVICE_CONTROL : F877AF28
16:06:14:741 3720 IRP_MJ_SHUTDOWN : F87772E2
16:06:14:741 3720 IRP_MJ_LOCK_CONTROL : 804FA87E
16:06:14:741 3720 IRP_MJ_CLEANUP : 804FA87E
16:06:14:741 3720 IRP_MJ_CREATE_MAILSLOT : 804FA87E
16:06:14:741 3720 IRP_MJ_QUERY_SECURITY : 804FA87E
16:06:14:741 3720 IRP_MJ_SET_SECURITY : 804FA87E
16:06:14:741 3720 IRP_MJ_POWER : F8778C82
16:06:14:741 3720 IRP_MJ_SYSTEM_CONTROL : F877D99E
16:06:14:741 3720 IRP_MJ_DEVICE_CHANGE : 804FA87E
16:06:14:741 3720 IRP_MJ_QUERY_QUOTA : 804FA87E
16:06:14:741 3720 IRP_MJ_SET_QUOTA : 804FA87E
16:06:14:761 3720 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:06:14:761 3720
16:06:14:761 3720 Driver Name: atapi
16:06:14:761 3720 IRP_MJ_CREATE : 83AA4AC8
16:06:14:761 3720 IRP_MJ_CREATE_NAMED_PIPE : 83AA4AC8
16:06:14:761 3720 IRP_MJ_CLOSE : 83AA4AC8
16:06:14:761 3720 IRP_MJ_READ : 83AA4AC8
16:06:14:761 3720 IRP_MJ_WRITE : 83AA4AC8
16:06:14:761 3720 IRP_MJ_QUERY_INFORMATION : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SET_INFORMATION : 83AA4AC8
16:06:14:761 3720 IRP_MJ_QUERY_EA : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SET_EA : 83AA4AC8
16:06:14:761 3720 IRP_MJ_FLUSH_BUFFERS : 83AA4AC8
16:06:14:761 3720 IRP_MJ_QUERY_VOLUME_INFORMATION : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SET_VOLUME_INFORMATION : 83AA4AC8
16:06:14:761 3720 IRP_MJ_DIRECTORY_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_FILE_SYSTEM_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_DEVICE_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_INTERNAL_DEVICE_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SHUTDOWN : 83AA4AC8
16:06:14:761 3720 IRP_MJ_LOCK_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_CLEANUP : 83AA4AC8
16:06:14:761 3720 IRP_MJ_CREATE_MAILSLOT : 83AA4AC8
16:06:14:761 3720 IRP_MJ_QUERY_SECURITY : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SET_SECURITY : 83AA4AC8
16:06:14:761 3720 IRP_MJ_POWER : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SYSTEM_CONTROL : 83AA4AC8
16:06:14:761 3720 IRP_MJ_DEVICE_CHANGE : 83AA4AC8
16:06:14:761 3720 IRP_MJ_QUERY_QUOTA : 83AA4AC8
16:06:14:761 3720 IRP_MJ_SET_QUOTA : 83AA4AC8
16:06:14:761 3720 Driver "atapi" infected by TDSS rootkit!
16:06:14:801 3720 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
16:06:14:801 3720 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
16:06:14:801 3720 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
16:06:14:801 3720 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:06:14:931 3720 vfvi6
16:06:15:071 3720 !dsvbh1
16:06:18:677 3720 dsvbh2
16:06:18:677 3720 fdfb2
16:06:18:677 3720 Backup copy found, using it..
16:06:18:777 3720 will be cured on next reboot
16:06:18:777 3720 Reboot required for cure complete..
16:06:18:777 3720 Cure on reboot scheduled successfully
16:06:18:777 3720
16:06:18:777 3720 Completed
16:06:18:777 3720
16:06:18:777 3720 Results:
16:06:18:777 3720 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:06:18:777 3720 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:06:18:777 3720 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:06:18:777 3720
16:06:18:777 3720 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:06:18:777 3720 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:06:18:777 3720 UnloadDriverW: NtUnloadDriver error 1
16:06:18:777 3720 KLMD(ARK) unloaded successfully


ComboFix:

ComboFix 10-04-13.02 - Dan 04/13/2010 17:11:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.194 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100413-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-20 17:44 . 2010-04-20 17:44 -------- d-----w- C:\d3c3a77ed27e8f39076fd5bc
2010-04-20 17:43 . 2010-04-20 17:44 -------- d-----w- C:\1d8bfcb7fd460462e760d7eec418
2010-04-20 02:15 . 2010-04-20 02:15 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\PunkBuster
2010-04-20 02:06 . 2010-04-20 02:06 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-20 02:03 . 2010-04-20 02:03 -------- d-----w- c:\documents and settings\Dan\Application Data\id Software
2010-04-20 02:02 . 2010-04-20 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-04-13 18:19 . 2010-04-13 18:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\PCToolsFirewallPlus
2010-04-09 02:51 . 2010-04-09 02:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Help
2010-04-09 00:34 . 2010-04-09 00:34 2 --shatr- c:\windows\winstart.bat
2010-04-09 00:33 . 2010-04-09 05:15 -------- d-----w- c:\program files\UnHackMe
2010-04-08 19:51 . 2010-04-08 19:51 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-04-08 19:39 . 2010-04-08 19:40 -------- d-----w- c:\windows\ERUNT
2010-04-08 19:31 . 2010-04-08 20:59 -------- d-----w- C:\SDFix
2010-04-08 18:06 . 2010-04-08 18:06 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-08 13:37 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-07 21:40 . 2010-04-07 21:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-07 20:15 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-07 20:12 . 2010-04-07 20:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 19:26 . 2010-04-07 19:26 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-07 19:26 . 2010-04-07 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-05 19:00 . 2010-04-05 19:00 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 01:46 . 2010-04-05 01:49 -------- d-----w- C:\d4269c242766e9b0ff3b899a1f
2010-03-24 15:03 . 2010-03-24 15:04 -------- d-----w- c:\documents and settings\Dan\Application Data\PCToolsFirewallPlus
2010-03-24 03:07 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-03-24 03:07 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-03-24 03:07 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-03-24 03:06 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-03-24 03:06 . 2010-04-12 21:17 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-03-24 02:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-24 02:46 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-24 02:46 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-24 02:45 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-24 02:43 . 2010-03-24 03:07 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-24 02:43 . 2010-04-12 21:17 -------- d-----w- c:\program files\Spyware Doctor
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\Dan\Application Data\PC Tools
2010-03-24 02:43 . 2010-04-13 21:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-22 14:34 . 2010-03-22 18:42 -------- d-----w- C:\DukeN
2010-03-22 00:57 . 2010-03-22 00:57 24 ----a-w- C:\DUKE3D.BAT
2010-03-22 00:57 . 2010-03-22 01:19 -------- d-----w- C:\DUKE3D
2010-03-18 03:16 . 2010-03-18 03:45 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-03-18 03:11 . 2010-03-31 17:00 -------- d-----w- c:\program files\Wise Disk Cleaner
2010-03-17 19:53 . 2008-03-02 07:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-03-17 19:50 . 2010-03-17 19:50 -------- d-----w- c:\documents and settings\Dan\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 02:33 . 2009-05-07 20:20 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-20 02:19 . 2010-04-20 02:15 457792 ----a-w- c:\documents and settings\Dan\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2010-04-13 21:11 . 2004-11-30 21:56 -------- d-----w- c:\program files\Apoint
2010-04-13 20:43 . 2010-04-12 21:49 112 ----a-w- c:\documents and settings\All Users\Application Data\m2Cj62.dat
2010-04-13 20:43 . 2010-04-13 17:10 71170 ----a-w- c:\windows\Fonts\875ki6.com_
2010-04-13 20:08 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-13 18:36 . 2009-11-18 01:23 -------- d-----w- c:\program files\QuickTime
2010-04-13 18:19 . 2004-11-30 21:59 54598 ----a-w- c:\windows\system32\nvModes.dat
2010-04-12 21:17 . 2009-05-24 19:48 -------- d-----w- c:\program files\Zune
2010-04-07 21:39 . 2010-04-07 21:39 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-07 21:39 . 2010-04-07 21:39 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-07 20:12 . 2005-06-13 01:17 -------- d-----w- c:\program files\Lavasoft
2010-04-07 20:08 . 2008-02-26 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-07 20:07 . 2008-01-07 19:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-07 19:52 . 2009-04-10 17:17 -------- d-----w- c:\program files\Warcraft III
2010-04-06 12:41 . 2005-02-19 21:22 -------- d-----w- c:\program files\McAfee
2010-04-05 18:59 . 2004-12-12 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-05 12:28 . 2009-07-15 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-31 17:51 . 2007-10-08 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-31 17:40 . 2007-10-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-17 19:53 . 2004-11-30 22:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-17 19:53 . 2008-09-21 00:07 -------- d-----w- c:\program files\Trend Micro
2010-03-17 16:06 . 2008-12-08 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 16:05 . 2010-03-17 16:05 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-27 20:24 . 2010-02-23 23:49 -------- d-----w- c:\program files\RedAlert
2010-02-27 00:45 . 2010-02-27 00:44 -------- d-----w- c:\program files\MagicDisc
2010-02-24 19:36 . 2008-02-22 01:51 -------- d-----w- c:\program files\Opera
2010-02-24 03:41 . 2010-02-24 03:41 79488 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-02-04 15:53 . 2010-04-07 20:12 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2007-11-16 08:49 . 2007-11-16 08:49 265 ----a-w- c:\program files\podBible.txt
.
CODE
<pre>
c:\program files\PC Tools Firewall Plus\FirewallGUI .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctsTray .exe
c:\program files\Trend Micro\RUBotted\TMRUBottedTray .exe
c:\program files\Zune\ZuneLauncher .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [N/A]
"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-09-19 278264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-04-12 41476]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2010-04-12 41476]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-04-12 41476]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-04-12 41476]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-30 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-30 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-30 118784]
Wireless Sync Client.lnk - c:\program files\Wireless Sync\Client\ClientShell.exe [2004-11-17 241736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 12:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 04:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 00:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-01-03 16:15 50528 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 21:17 41476 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-20 22:56 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-03 22:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-04-12 21:17 41476 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Apache Group\\Apache\\Apache.exe"=
"c:\\apache\\mysql\\bin\\mysqld-nt.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\phoenix1gnition\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/7/2010 4:15 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/23/2010 10:46 PM 217032]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/20/2008 8:06 PM 114768]
R1 pctgntdi;pctgntdi;c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys [3/23/2010 10:47 PM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/20/2008 8:06 PM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [4/5/2010 2:58 PM 93320]
R2 pxrts;pxrts;c:\windows\SYSTEM32\DRIVERS\pxrts.sys [4/7/2010 3:26 PM 53088]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/17/2010 3:53 PM 582992]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [1/1/1980 2:00 AM 59328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-PacketFilter.sys [3/23/2010 11:07 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\SYSTEM32\DRIVERS\pctNdis.sys [3/23/2010 11:07 PM 58816]
R3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys [3/23/2010 10:46 PM 88040]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [1/25/2002 12:30 AM 20480]
S3 pctplfw;pctplfw;c:\windows\SYSTEM32\DRIVERS\pctplfw.sys [3/23/2010 11:06 PM 115216]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:40]

2010-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-04-02 c:\windows\Tasks\{3901BD2F-41AD-491D-8DB9-EA93D1CEE7A3}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-09 c:\windows\Tasks\{3C50D220-384A-472A-B79D-D740CCB35B56}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-13 c:\windows\Tasks\{60114160-C589-4EEA-A514-CD5D244DCA67}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} - hxxp://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink11047.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll
FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 17:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x83AA4AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf877af28
\Driver\ACPI -> ACPI.sys @ 0xf866dcb8
\Driver\atapi -> tsk2B.tmp @ 0xf85c9852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Intel® PRO/Wireless LAN 2100 3A Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf8441bb0
PacketIndicateHandler -> NDIS.sys @ 0xf844ea21
SendHandler -> NDIS.sys @ 0xf842c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)
c:\windows\system32\WININET.dll
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\setuid.dll
.
Completion time: 2010-04-13 17:45:11
ComboFix-quarantined-files.txt 2010-04-13 21:45
ComboFix2.txt 2010-04-12 23:24

Pre-Run: 2,488,668,160 bytes free
Post-Run: 2,466,463,744 bytes free

Current=4 Default=4 Failed=5 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 314BE8E92FBD428D5A16DD65B4C92B92

Edited by inyearstocome, 13 April 2010 - 05:09 PM.


#6 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 14 April 2010 - 09:53 AM

Hello inyearstocome.

We're making progress. . . but still got work to do!

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
MBR::

File::
c:\windows\Fonts\875ki6.com_

RenV::
c:\program files\PC Tools Firewall Plus\FirewallGUI .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctsTray .exe
c:\program files\Trend Micro\RUBotted\TMRUBottedTray .exe
c:\program files\Zune\ZuneLauncher .exe


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#7 inyearstocome
  • Topic Starter
  • Members
  • 10 posts

Posted 15 April 2010 - 10:18 AM

This morning I turned on the infected computer to do what you asked for. Right after logging into my profile avast! found: "JS: Pdfka- Gen [Expl]", "JS:Prontexi - AO [Trj]", and "Win32: Rootkit-Gen [Rtk]". I moved all three to the virus chest, except for the first, which avast said was in use, so I deleted it.

Then I shut down all anti-virus programs, firewalls, etc. to prepare for ComboFix. PC Firewall was turned off, but when I clicked "exit" it said it couldn't completely shut down. I tried running it again via the start menu and it wouldn't load up. I went to task manager to see if it was running and I couldn't find anything. However, after about 5 minutes it popped up, said it couldn't connect to the servers and shut down. Afterwards, I double-checked to make sure everything was how it should be and I ran ComboFix by dragging the notepad file onto it. Right away it found a rootkit and asked to reboot. I allowed it to reboot; however, it's stuck at the "Logging Off...." screen. It's been sitting for about half an hour now. I'm not quite sure what to do, would it be alright for me to manually reboot? Is this a result of the firewall confusion?

Edited by inyearstocome, 15 April 2010 - 10:20 AM.


#8 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 18 April 2010 - 02:52 AM

I apologize for the delay inyearstocome; I've had some things that required my attention elsewhere for the past couple days.

Yes, please manually reboot the computer. If ComboFix does not automatically resume once you've rebooted, please stop and let me know. Otherwise allow ComboFix to finish and post the log here.

~Blade

Edited by Blade Zephon, 18 April 2010 - 02:52 AM.



#9 inyearstocome
  • Topic Starter
  • Members
  • 10 posts

Posted 20 April 2010 - 05:13 PM

Here you go.

ComboFix 10-04-14.03 - Dan 04/16/2010 8:56.3.1 - x86
Running from: c:\documents and settings\Dan\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100415-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

FILE ::
"c:\windows\Fonts\875ki6.com_"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\68Dov5Lc.exe
c:\windows\Fonts\875ki6.com_
c:\windows\Tasks\At1.job

Infected copy of c:\windows\system32\DRIVERS\cd20xrnt.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\CD20XRNT.SYS

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-20 17:44 . 2010-04-20 17:44 -------- d-----w- C:\d3c3a77ed27e8f39076fd5bc
2010-04-20 17:43 . 2010-04-20 17:44 -------- d-----w- C:\1d8bfcb7fd460462e760d7eec418
2010-04-20 02:15 . 2010-04-20 02:15 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\PunkBuster
2010-04-20 02:06 . 2010-04-20 02:06 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-20 02:03 . 2010-04-20 02:03 -------- d-----w- c:\documents and settings\Dan\Application Data\id Software
2010-04-20 02:02 . 2010-04-20 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-04-15 13:23 . 2010-04-15 13:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-15 13:20 . 2010-04-15 13:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 21:06 . 2010-04-13 21:45 -------- d-----w- C:\renamed
2010-04-13 18:19 . 2010-04-13 18:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\PCToolsFirewallPlus
2010-04-09 02:51 . 2010-04-09 02:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Help
2010-04-09 00:34 . 2010-04-09 00:34 2 --shatr- c:\windows\winstart.bat
2010-04-09 00:33 . 2010-04-09 05:15 -------- d-----w- c:\program files\UnHackMe
2010-04-08 19:51 . 2010-04-08 19:51 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-04-08 19:39 . 2010-04-08 19:40 -------- d-----w- c:\windows\ERUNT
2010-04-08 19:31 . 2010-04-08 20:59 -------- d-----w- C:\SDFix
2010-04-08 18:06 . 2010-04-08 18:06 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-08 13:37 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-07 21:40 . 2010-04-07 21:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-07 20:15 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-07 20:12 . 2010-04-07 20:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 19:26 . 2010-04-07 19:26 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-07 19:26 . 2010-04-07 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-05 19:00 . 2010-04-05 19:00 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 01:46 . 2010-04-05 01:49 -------- d-----w- C:\d4269c242766e9b0ff3b899a1f
2010-03-24 15:03 . 2010-03-24 15:04 -------- d-----w- c:\documents and settings\Dan\Application Data\PCToolsFirewallPlus
2010-03-24 03:07 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-03-24 03:07 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-03-24 03:07 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-03-24 03:06 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-03-24 03:06 . 2010-04-16 12:56 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-03-24 02:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-24 02:46 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-24 02:46 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-24 02:45 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-24 02:43 . 2010-03-24 03:07 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-24 02:43 . 2010-04-16 12:56 -------- d-----w- c:\program files\Spyware Doctor
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\Dan\Application Data\PC Tools
2010-03-24 02:43 . 2010-04-15 13:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-22 14:34 . 2010-03-22 18:42 -------- d-----w- C:\DukeN
2010-03-22 00:57 . 2010-03-22 00:57 24 ----a-w- C:\DUKE3D.BAT
2010-03-22 00:57 . 2010-03-22 01:19 -------- d-----w- C:\DUKE3D
2010-03-18 03:16 . 2010-03-18 03:45 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-03-18 03:11 . 2010-03-31 17:00 -------- d-----w- c:\program files\Wise Disk Cleaner
2010-03-17 19:53 . 2008-03-02 07:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-03-17 19:50 . 2010-03-17 19:50 -------- d-----w- c:\documents and settings\Dan\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 02:33 . 2009-05-07 20:20 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-16 13:16 . 2009-11-18 01:23 -------- d-----w- c:\program files\QuickTime
2010-04-16 12:56 . 2009-05-24 19:48 -------- d-----w- c:\program files\Zune
2010-04-16 12:36 . 2004-11-30 21:56 -------- d-----w- c:\program files\Apoint
2010-04-15 13:16 . 2010-04-12 21:49 112 ----a-w- c:\documents and settings\All Users\Application Data\m2Cj62.dat
2010-04-13 20:08 . 2004-08-04 04:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-13 18:19 . 2004-11-30 21:59 54598 ----a-w- c:\windows\system32\nvModes.dat
2010-04-07 20:12 . 2005-06-13 01:17 -------- d-----w- c:\program files\Lavasoft
2010-04-07 20:08 . 2008-02-26 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-07 20:07 . 2008-01-07 19:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-07 19:52 . 2009-04-10 17:17 -------- d-----w- c:\program files\Warcraft III
2010-04-06 12:41 . 2005-02-19 21:22 -------- d-----w- c:\program files\McAfee
2010-04-05 18:59 . 2004-12-12 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-05 12:28 . 2009-07-15 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-31 17:51 . 2007-10-08 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-31 17:40 . 2007-10-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-17 19:53 . 2004-11-30 22:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-17 19:53 . 2008-09-21 00:07 -------- d-----w- c:\program files\Trend Micro
2010-03-17 16:06 . 2008-12-08 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 20:24 . 2010-02-23 23:49 -------- d-----w- c:\program files\RedAlert
2010-02-27 00:45 . 2010-02-27 00:44 -------- d-----w- c:\program files\MagicDisc
2010-02-24 19:36 . 2008-02-22 01:51 -------- d-----w- c:\program files\Opera
2007-11-16 08:49 . 2007-11-16 08:49 265 ----a-w- c:\program files\podBible.txt
.
c:\program files\Apoint\Apoint .exe
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
c:\program files\QuickTime\qttask          .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [N/A]
"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2010-04-13 41480]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2010-04-13 41480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-30 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-30 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-30 118784]
Wireless Sync Client.lnk - c:\program files\Wireless Sync\Client\ClientShell.exe [2004-11-17 241736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 12:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 04:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 00:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-01-03 16:15 50528 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 22:46 41484 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-20 22:56 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-03 22:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Apache Group\\Apache\\Apache.exe"=
"c:\\apache\\mysql\\bin\\mysqld-nt.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\phoenix1gnition\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/7/2010 4:15 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/23/2010 10:46 PM 217032]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/20/2008 8:06 PM 114768]
R1 pctgntdi;pctgntdi;c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys [3/23/2010 10:47 PM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/20/2008 8:06 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [4/5/2010 2:58 PM 93320]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [1/25/2002 12:30 AM 20480]
R2 pxrts;pxrts;c:\windows\SYSTEM32\DRIVERS\pxrts.sys [4/7/2010 3:26 PM 53088]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/17/2010 3:53 PM 582992]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [1/1/1980 2:00 AM 59328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-PacketFilter.sys [3/23/2010 11:07 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\SYSTEM32\DRIVERS\pctNdis.sys [3/23/2010 11:07 PM 58816]
R3 pctplfw;pctplfw;c:\windows\SYSTEM32\DRIVERS\pctplfw.sys [3/23/2010 11:06 PM 115216]
R3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys [3/23/2010 10:46 PM 88040]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:40]

2010-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-04-02 c:\windows\Tasks\{3901BD2F-41AD-491D-8DB9-EA93D1CEE7A3}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-09 c:\windows\Tasks\{3C50D220-384A-472A-B79D-D740CCB35B56}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-13 c:\windows\Tasks\{60114160-C589-4EEA-A514-CD5D244DCA67}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} - hxxp://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink11047.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll
FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 09:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(1104)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Apache Group\Apache\Apache.exe
c:\windows\system32\basfipm.exe
c:\program files\Zend\php\php5.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\Zend\php\php5.exe
c:\program files\CVSNT\cvslock.exe
c:\program files\CVSNT\cvsservice.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\rundll32.exe
c:\program files\QuickTime\qttask .exe
.
**************************************************************************
.
Completion time: 2010-04-16 10:07:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 14:07
ComboFix2.txt 2010-04-13 21:45
ComboFix3.txt 2010-04-12 23:24

Pre-Run: 2,407,657,472 bytes free
Post-Run: 2,371,817,472 bytes free

Current=4 Default=4 Failed=5 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 24F61659EC861CE8E140197F7F5BF723

Edited by inyearstocome, 20 April 2010 - 05:16 PM.


#10 Blade (Site Admin, 12,704 posts)

Posted 20 April 2010 - 09:30 PM

Hello inyearstocome
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

~Blade


In your next reply, please include the following:
TDSSKiller log

Edited by Blade Zephon, 20 April 2010 - 09:30 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 inyearstocome (Topic Starter, 10 posts)

Posted 23 April 2010 - 11:44 PM

Sorry for the late reply. Here's the log.

00:42:32:569 0600 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:42:32:569 0600 ================================================================================
00:42:32:569 0600 SystemInfo:

00:42:32:569 0600 OS Version: 5.1.2600 ServicePack: 3.0
00:42:32:569 0600 Product type: Workstation
00:42:32:569 0600 ComputerName: ARAGORN
00:42:32:569 0600 UserName: Dan
00:42:32:569 0600 Windows directory: C:\WINDOWS
00:42:32:569 0600 Processor architecture: Intel x86
00:42:32:569 0600 Number of processors: 1
00:42:32:569 0600 Page size: 0x1000
00:42:32:569 0600 Boot type: Normal boot
00:42:32:569 0600 ================================================================================
00:42:32:569 0600 UnloadDriverW: NtUnloadDriver error 2
00:42:32:569 0600 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:42:32:850 0600 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
00:42:32:850 0600 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:42:32:850 0600 wfopen_ex: Trying to KLMD file open
00:42:32:850 0600 wfopen_ex: File opened ok (Flags 2)
00:42:32:850 0600 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
00:42:32:850 0600 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:42:32:850 0600 wfopen_ex: Trying to KLMD file open
00:42:32:850 0600 wfopen_ex: File opened ok (Flags 2)
00:42:32:850 0600 Initialize success
00:42:32:850 0600
00:42:32:850 0600 Scanning Services ...
00:42:33:861 0600 Raw services enum returned 404 services
00:42:33:871 0600
00:42:33:871 0600 Scanning Kernel memory ...
00:42:33:871 0600 Devices to scan: 3
00:42:33:871 0600
00:42:33:871 0600 Driver Name: Disk
00:42:33:871 0600 IRP_MJ_CREATE : F877CBB0
00:42:33:871 0600 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
00:42:33:871 0600 IRP_MJ_CLOSE : F877CBB0
00:42:33:871 0600 IRP_MJ_READ : F8776D1F
00:42:33:871 0600 IRP_MJ_WRITE : F8776D1F
00:42:33:871 0600 IRP_MJ_QUERY_INFORMATION : 804FA87E
00:42:33:871 0600 IRP_MJ_SET_INFORMATION : 804FA87E
00:42:33:871 0600 IRP_MJ_QUERY_EA : 804FA87E
00:42:33:871 0600 IRP_MJ_SET_EA : 804FA87E
00:42:33:871 0600 IRP_MJ_FLUSH_BUFFERS : F87772E2
00:42:33:871 0600 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
00:42:33:871 0600 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
00:42:33:871 0600 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
00:42:33:871 0600 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
00:42:33:871 0600 IRP_MJ_DEVICE_CONTROL : F87773BB
00:42:33:871 0600 IRP_MJ_INTERNAL_DEVICE_CONTROL : F877AF28
00:42:33:871 0600 IRP_MJ_SHUTDOWN : F87772E2
00:42:33:871 0600 IRP_MJ_LOCK_CONTROL : 804FA87E
00:42:33:871 0600 IRP_MJ_CLEANUP : 804FA87E
00:42:33:871 0600 IRP_MJ_CREATE_MAILSLOT : 804FA87E
00:42:33:871 0600 IRP_MJ_QUERY_SECURITY : 804FA87E
00:42:33:871 0600 IRP_MJ_SET_SECURITY : 804FA87E
00:42:33:871 0600 IRP_MJ_POWER : F8778C82
00:42:33:871 0600 IRP_MJ_SYSTEM_CONTROL : F877D99E
00:42:33:871 0600 IRP_MJ_DEVICE_CHANGE : 804FA87E
00:42:33:871 0600 IRP_MJ_QUERY_QUOTA : 804FA87E
00:42:33:871 0600 IRP_MJ_SET_QUOTA : 804FA87E
00:42:33:921 0600 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:42:33:921 0600
00:42:33:921 0600 Driver Name: Disk
00:42:33:921 0600 IRP_MJ_CREATE : F877CBB0
00:42:33:921 0600 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
00:42:33:921 0600 IRP_MJ_CLOSE : F877CBB0
00:42:33:921 0600 IRP_MJ_READ : F8776D1F
00:42:33:921 0600 IRP_MJ_WRITE : F8776D1F
00:42:33:921 0600 IRP_MJ_QUERY_INFORMATION : 804FA87E
00:42:33:921 0600 IRP_MJ_SET_INFORMATION : 804FA87E
00:42:33:921 0600 IRP_MJ_QUERY_EA : 804FA87E
00:42:33:921 0600 IRP_MJ_SET_EA : 804FA87E
00:42:33:921 0600 IRP_MJ_FLUSH_BUFFERS : F87772E2
00:42:33:921 0600 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
00:42:33:921 0600 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
00:42:33:921 0600 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
00:42:33:921 0600 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
00:42:33:921 0600 IRP_MJ_DEVICE_CONTROL : F87773BB
00:42:33:921 0600 IRP_MJ_INTERNAL_DEVICE_CONTROL : F877AF28
00:42:33:921 0600 IRP_MJ_SHUTDOWN : F87772E2
00:42:33:921 0600 IRP_MJ_LOCK_CONTROL : 804FA87E
00:42:33:921 0600 IRP_MJ_CLEANUP : 804FA87E
00:42:33:921 0600 IRP_MJ_CREATE_MAILSLOT : 804FA87E
00:42:33:921 0600 IRP_MJ_QUERY_SECURITY : 804FA87E
00:42:33:921 0600 IRP_MJ_SET_SECURITY : 804FA87E
00:42:33:921 0600 IRP_MJ_POWER : F8778C82
00:42:33:921 0600 IRP_MJ_SYSTEM_CONTROL : F877D99E
00:42:33:921 0600 IRP_MJ_DEVICE_CHANGE : 804FA87E
00:42:33:921 0600 IRP_MJ_QUERY_QUOTA : 804FA87E
00:42:33:921 0600 IRP_MJ_SET_QUOTA : 804FA87E
00:42:33:931 0600 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:42:33:931 0600
00:42:33:931 0600 Driver Name: atapi
00:42:33:931 0600 IRP_MJ_CREATE : F85CD6F2
00:42:33:931 0600 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
00:42:33:931 0600 IRP_MJ_CLOSE : F85CD6F2
00:42:33:931 0600 IRP_MJ_READ : 804FA87E
00:42:33:931 0600 IRP_MJ_WRITE : 804FA87E
00:42:33:931 0600 IRP_MJ_QUERY_INFORMATION : 804FA87E
00:42:33:931 0600 IRP_MJ_SET_INFORMATION : 804FA87E
00:42:33:931 0600 IRP_MJ_QUERY_EA : 804FA87E
00:42:33:931 0600 IRP_MJ_SET_EA : 804FA87E
00:42:33:931 0600 IRP_MJ_FLUSH_BUFFERS : 804FA87E
00:42:33:931 0600 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
00:42:33:931 0600 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
00:42:33:931 0600 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
00:42:33:931 0600 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
00:42:33:931 0600 IRP_MJ_DEVICE_CONTROL : F85CD712
00:42:33:931 0600 IRP_MJ_INTERNAL_DEVICE_CONTROL : F85C9852
00:42:33:931 0600 IRP_MJ_SHUTDOWN : 804FA87E
00:42:33:931 0600 IRP_MJ_LOCK_CONTROL : 804FA87E
00:42:33:931 0600 IRP_MJ_CLEANUP : 804FA87E
00:42:33:931 0600 IRP_MJ_CREATE_MAILSLOT : 804FA87E
00:42:33:931 0600 IRP_MJ_QUERY_SECURITY : 804FA87E
00:42:33:931 0600 IRP_MJ_SET_SECURITY : 804FA87E
00:42:33:931 0600 IRP_MJ_POWER : F85CD73C
00:42:33:931 0600 IRP_MJ_SYSTEM_CONTROL : F85D4336
00:42:33:931 0600 IRP_MJ_DEVICE_CHANGE : 804FA87E
00:42:33:931 0600 IRP_MJ_QUERY_QUOTA : 804FA87E
00:42:33:931 0600 IRP_MJ_SET_QUOTA : 804FA87E
00:42:33:981 0600 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
00:42:33:981 0600
00:42:33:981 0600 Completed
00:42:33:981 0600
00:42:33:981 0600 Results:
00:42:33:981 0600 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:42:33:981 0600 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:42:33:981 0600 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:42:33:981 0600
00:42:33:981 0600 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
00:42:33:981 0600 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
00:42:33:981 0600 KLMD(ARK) unloaded successfully
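The TDSSKiller log above records a kernel-memory pass: for each storage driver it dumps the IRP_MJ dispatch entries (the function pointer the kernel calls for each major I/O request type) and then a per-image verdict, followed by totals. As an added example, not TDSSKiller's own code and not something posted in this thread, here is a Python parser for that section with a simple consistency check over each dispatch table. Two heuristics are assumptions of this example rather than anything TDSSKiller documents: the address that appears most often across all tables is taken to be the kernel's stub for unimplemented major functions (804FA87E in the posted log), and any other handler more than 64 KiB from the median of the driver's own handlers is flagged, since the TDL3/TDSS family worked by redirecting entries in atapi's table to its own code. The sample log is a shortened copy of the posted section (same drivers, same addresses); the hooked variant and its address 81ABC123 are constructed. The Verdict integer is passed through unchanged; this example does not define what each value means.

```python
"""Parse the 'Scanning Kernel memory' and 'Results' sections of a
TDSSKiller 2.x log (the format posted above) and check each driver's
IRP dispatch table for entries that point somewhere unexpected.

Added example; not TDSSKiller's own code and not from the thread."""
import re
import statistics
from collections import Counter

# One log line is "<hh:mm:ss:ms> <id> <message>"; keep only the message.
PREFIX = re.compile(r"^\d\d:\d\d:\d\d:\d{3} \S+ ?(.*)$")
DRIVER = re.compile(r"^Driver Name: (\S+)$")
HANDLER = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT = re.compile(r"^(.+?) - Verdict: (-?\d+)$")
RESULT = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)$")

# Constructed sample: a shortened copy of the kernel-memory section posted
# above (same drivers, same addresses), plus the Results lines.
SAMPLE_LOG = r"""
00:42:33:871 0600 Scanning Kernel memory ...
00:42:33:871 0600 Devices to scan: 2
00:42:33:871 0600
00:42:33:871 0600 Driver Name: Disk
00:42:33:871 0600 IRP_MJ_CREATE : F877CBB0
00:42:33:871 0600 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
00:42:33:871 0600 IRP_MJ_CLOSE : F877CBB0
00:42:33:871 0600 IRP_MJ_READ : F8776D1F
00:42:33:871 0600 IRP_MJ_WRITE : F8776D1F
00:42:33:871 0600 IRP_MJ_QUERY_INFORMATION : 804FA87E
00:42:33:871 0600 IRP_MJ_DEVICE_CONTROL : F87773BB
00:42:33:871 0600 IRP_MJ_SHUTDOWN : F87772E2
00:42:33:871 0600 IRP_MJ_POWER : F8778C82
00:42:33:921 0600 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:42:33:931 0600 Driver Name: atapi
00:42:33:931 0600 IRP_MJ_CREATE : F85CD6F2
00:42:33:931 0600 IRP_MJ_CLOSE : F85CD6F2
00:42:33:931 0600 IRP_MJ_READ : 804FA87E
00:42:33:931 0600 IRP_MJ_WRITE : 804FA87E
00:42:33:931 0600 IRP_MJ_DEVICE_CONTROL : F85CD712
00:42:33:931 0600 IRP_MJ_INTERNAL_DEVICE_CONTROL : F85C9852
00:42:33:931 0600 IRP_MJ_POWER : F85CD73C
00:42:33:931 0600 IRP_MJ_SYSTEM_CONTROL : F85D4336
00:42:33:981 0600 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
00:42:33:981 0600 Results:
00:42:33:981 0600 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:42:33:981 0600 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:42:33:981 0600 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed variant: atapi's IRP_MJ_DEVICE_CONTROL redirected to an
# address far from the rest of atapi.sys, the shape of a TDL3-style hook.
# The address 81ABC123 is invented for illustration.
HOOKED_LOG = SAMPLE_LOG.replace("IRP_MJ_DEVICE_CONTROL : F85CD712",
                                "IRP_MJ_DEVICE_CONTROL : 81ABC123")


def parse_log(text):
    """Return (drivers, results).

    drivers: list of {name, handlers: {irp_name: int}, image, verdict}
    results: {category: (infected, cured, cured_on_reboot)}
    """
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        line = m.group(1).strip()
        if m2 := DRIVER.match(line):
            current = {"name": m2.group(1), "handlers": {}, "image": None, "verdict": None}
            drivers.append(current)
        elif current is not None and (m2 := HANDLER.match(line)):
            current["handlers"][m2.group(1)] = int(m2.group(2), 16)
        elif current is not None and (m2 := VERDICT.match(line)):
            current["image"], current["verdict"] = m2.group(1), int(m2.group(2))
            current = None  # the verdict line closes this driver's block
        elif m2 := RESULT.match(line):
            results[m2.group(1)] = tuple(int(x) for x in m2.group(2, 3, 4))
    return drivers, results


def default_handler(drivers):
    """Heuristic (assumption): the address seen most often across all tables
    is the kernel's stub for unimplemented major functions."""
    counts = Counter(a for d in drivers for a in d["handlers"].values())
    return counts.most_common(1)[0][0] if counts else None


def outliers(driver, default, span=0x10000):
    """IRP names whose handler is neither the default stub nor within `span`
    bytes of the median of the driver's own handlers. `span` (64 KiB) is an
    assumed bound on how far apart one small driver's entry points sit."""
    own = {irp: a for irp, a in driver["handlers"].items() if a != default}
    if len(own) < 2:
        return []
    center = statistics.median(own.values())
    return sorted(irp for irp, a in own.items() if abs(a - center) > span)


def report(text, span=0x10000):
    """Summarise one log: default stub, flagged drivers, verdicts, totals."""
    drivers, results = parse_log(text)
    default = default_handler(drivers)
    flagged = {}
    for d in drivers:
        bad = outliers(d, default, span)
        if bad:
            flagged[d["name"]] = bad
    return {
        "default_handler": default,
        "flagged": flagged,
        "verdicts": {d["image"]: d["verdict"] for d in drivers if d["image"]},
        "results": results,
    }


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("hooked variant", HOOKED_LOG)):
        r = report(log)
        print(f"{label}: default stub {r['default_handler']:08X}, flagged {r['flagged']}")
```

Run it against a saved TDSSKiller.txt by passing the file contents to `report()`. The clustering check is deliberately narrow: it catches a single redirected entry like the constructed atapi case, but a rootkit that replaces the whole table with pointers into one region of its own code would cluster just as well as a clean driver, so treat a clean result as one data point alongside the tool's own verdicts, not as proof of absence.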


#12 Blade (Site Admin, 12,704 posts)

Posted 25 April 2010 - 11:53 AM

Hello inyearstocome.

Please re-run ComboFix exactly as you did in Post 2. Once complete, please post the log for my review.

~Blade


In your next reply, please include the following:
ComboFix Log



#13 inyearstocome (Topic Starter, 10 posts)

Posted 27 April 2010 - 11:08 PM

ComboFix 10-04-26.05 - Dan 04/27/2010 21:06:15.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.227 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\renamed.exe
AV: avast! antivirus 4.8.1368 [VPS 100427-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-20 17:44 . 2010-04-20 17:44 -------- d-----w- C:\d3c3a77ed27e8f39076fd5bc
2010-04-20 17:43 . 2010-04-20 17:44 -------- d-----w- C:\1d8bfcb7fd460462e760d7eec418
2010-04-20 02:15 . 2010-04-20 02:15 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\PunkBuster
2010-04-20 02:06 . 2010-04-20 02:06 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-20 02:03 . 2010-04-20 02:03 -------- d-----w- c:\documents and settings\Dan\Application Data\id Software
2010-04-20 02:02 . 2010-04-20 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-04-15 13:23 . 2010-04-15 13:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-15 13:20 . 2010-04-15 13:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 21:06 . 2010-04-13 21:45 -------- d-----w- C:\renamed
2010-04-13 18:19 . 2010-04-13 18:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\PCToolsFirewallPlus
2010-04-09 02:51 . 2010-04-09 02:51 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Help
2010-04-09 00:34 . 2010-04-09 00:34 2 --shatr- c:\windows\winstart.bat
2010-04-09 00:33 . 2010-04-09 05:15 -------- d-----w- c:\program files\UnHackMe
2010-04-08 19:51 . 2010-04-08 19:51 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-04-08 19:39 . 2010-04-08 19:40 -------- d-----w- c:\windows\ERUNT
2010-04-08 19:31 . 2010-04-08 20:59 -------- d-----w- C:\SDFix
2010-04-08 18:06 . 2010-04-08 18:06 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-08 13:37 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-07 21:40 . 2010-04-07 21:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-07 20:15 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-07 20:12 . 2010-04-07 20:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 19:26 . 2010-04-07 19:26 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-07 19:26 . 2010-04-07 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-05 19:00 . 2010-04-05 19:00 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 01:46 . 2010-04-05 01:49 -------- d-----w- C:\d4269c242766e9b0ff3b899a1f

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 01:00 . 2010-03-24 02:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-20 02:33 . 2009-05-07 20:20 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-20 02:19 . 2010-04-20 02:15 457792 ----a-w- c:\documents and settings\Dan\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2010-04-16 13:16 . 2009-11-18 01:23 -------- d-----w- c:\program files\QuickTime
2010-04-16 12:56 . 2009-05-24 19:48 -------- d-----w- c:\program files\Zune
2010-04-16 12:56 . 2010-03-24 02:43 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 12:56 . 2010-03-24 03:06 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-04-16 12:36 . 2004-11-30 21:56 -------- d-----w- c:\program files\Apoint
2010-04-15 13:16 . 2010-04-12 21:49 112 ----a-w- c:\documents and settings\All Users\Application Data\m2Cj62.dat
2010-04-13 20:08 . 2004-08-04 04:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-13 18:19 . 2004-11-30 21:59 54598 ----a-w- c:\windows\system32\nvModes.dat
2010-04-07 21:39 . 2010-04-07 21:39 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-07 21:39 . 2010-04-07 21:39 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-07 20:12 . 2005-06-13 01:17 -------- d-----w- c:\program files\Lavasoft
2010-04-07 20:08 . 2008-02-26 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-07 20:07 . 2008-01-07 19:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-07 19:52 . 2009-04-10 17:17 -------- d-----w- c:\program files\Warcraft III
2010-04-06 12:41 . 2005-02-19 21:22 -------- d-----w- c:\program files\McAfee
2010-04-05 18:59 . 2004-12-12 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-05 12:28 . 2009-07-15 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-31 17:51 . 2007-10-08 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-31 17:40 . 2007-10-08 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-31 17:00 . 2010-03-18 03:11 -------- d-----w- c:\program files\Wise Disk Cleaner
2010-03-24 15:04 . 2010-03-24 15:03 -------- d-----w- c:\documents and settings\Dan\Application Data\PCToolsFirewallPlus
2010-03-24 03:07 . 2010-03-24 02:43 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-24 02:43 . 2010-03-24 02:43 -------- d-----w- c:\documents and settings\Dan\Application Data\PC Tools
2010-03-22 00:57 . 2010-03-22 00:57 24 ----a-w- C:\DUKE3D.BAT
2010-03-18 03:45 . 2010-03-18 03:16 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-03-17 19:53 . 2004-11-30 22:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-17 19:53 . 2008-09-21 00:07 -------- d-----w- c:\program files\Trend Micro
2010-03-17 19:50 . 2010-03-17 19:50 -------- d-----w- c:\documents and settings\Dan\Application Data\InstallShield
2010-03-17 16:06 . 2008-12-08 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 16:05 . 2010-03-17 16:05 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-10 15:36 . 2010-03-24 02:46 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-27 20:24 . 2010-02-23 23:49 -------- d-----w- c:\program files\RedAlert
2010-02-24 03:41 . 2010-02-24 03:41 79488 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-02-05 13:25 . 2010-03-24 02:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 13:17 . 2010-03-24 02:47 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-04 15:53 . 2010-04-07 20:12 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2007-11-16 08:49 . 2007-11-16 08:49 265 ----a-w- c:\program files\podBible.txt
.
CODE
<pre>
c:\program files\Apoint\Apoint .exe
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
c:\program files\QuickTime\qttask          .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-04-13_21.32.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-27 15:06 . 2010-04-27 15:06 16384 c:\windows\Temp\Perflib_Perfdata_538.dat
+ 2004-12-06 23:59 . 2010-04-21 04:06 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-12-06 23:59 . 2010-04-07 21:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-12-06 23:59 . 2010-04-21 04:06 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-12-06 23:59 . 2010-04-07 21:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-21 04:06 . 2010-04-21 04:06 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [N/A]
"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2010-04-13 41480]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2010-04-13 41480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-30 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-30 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-4-30 118784]
Wireless Sync Client.lnk - c:\program files\Wireless Sync\Client\ClientShell.exe [2004-11-17 241736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 12:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 04:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-13 00:52 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-01-03 16:15 50528 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 22:46 41484 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-20 22:56 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-03-03 22:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Apache Group\\Apache\\Apache.exe"=
"c:\\apache\\mysql\\bin\\mysqld-nt.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\phoenix1gnition\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/7/2010 4:15 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [3/23/2010 10:46 PM 217032]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/20/2008 8:06 PM 114768]
R1 pctgntdi;pctgntdi;c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys [3/23/2010 10:47 PM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/20/2008 8:06 PM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [4/5/2010 2:58 PM 93320]
R2 pxrts;pxrts;c:\windows\SYSTEM32\DRIVERS\pxrts.sys [4/7/2010 3:26 PM 53088]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/17/2010 3:53 PM 582992]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [1/1/1980 2:00 AM 59328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\SYSTEM32\DRIVERS\pctNdis-PacketFilter.sys [3/23/2010 11:07 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\SYSTEM32\DRIVERS\pctNdis.sys [3/23/2010 11:07 PM 58816]
R3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys [3/23/2010 10:46 PM 88040]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [1/25/2002 12:30 AM 20480]
S3 pctplfw;pctplfw;c:\windows\SYSTEM32\DRIVERS\pctplfw.sys [3/23/2010 11:06 PM 115216]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [3/17/2010 3:53 PM 206608]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:40]

2010-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-04-23 c:\windows\Tasks\{3901BD2F-41AD-491D-8DB9-EA93D1CEE7A3}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-09 c:\windows\Tasks\{3C50D220-384A-472A-B79D-D740CCB35B56}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]

2010-04-27 c:\windows\Tasks\{60114160-C589-4EEA-A514-CD5D244DCA67}_ARAGORN_Michael Whitcomb.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} - hxxp://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink11047.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\08kw3ms4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll
FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-27 21:30:41
ComboFix-quarantined-files.txt 2010-04-28 01:30
ComboFix2.txt 2010-04-13 21:45
ComboFix3.txt 2010-04-12 23:24

Pre-Run: 2,039,341,056 bytes free
Post-Run: 1,988,222,976 bytes free

Current=4 Default=4 Failed=5 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 9F088F700464F9781B6BA298C232AE4A


#14 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 29 April 2010 - 12:56 AM

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/308405/i-think-i-may-be-infected-with-tdss-rootkit/

Collect::
c:\windows\winstart.bat

RenV::
c:\program files\Apoint\Apoint .exe
c:\program files\COMODO\SafeSurf\cssurf .exe
c:\program files\Intel\NCS\PROSet\PRONoMgr .exe
c:\program files\QuickTime\qttask          .exe


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

~Blade


In your next reply, please include the following:
ComboFix Log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

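The RenV:: lines in the script above target one naming pattern: whitespace between an executable's base name and its extension, which ComboFix lists in the CODE section of the log. As an added example that is not part of this thread or of ComboFix, here is a Python check that pulls such entries out of a log excerpt, drafts the RenV:: block, and can run the same test over a live directory tree; the regex, helper names and the constructed sample lines are this example's assumptions.

```python
"""Spot executables named with whitespace before the extension (the pattern
ComboFix lists under "CODE <pre>" and repairs with its RenV:: directive) and
draft the RenV:: block for CFScript.txt.

Added example, not ComboFix's own code: regex, output layout and the sample
input below are assumptions of this example."""
import os
import re

# One or more spaces/tabs between a base name and an executable extension,
# e.g. "qttask          .exe". Newlines, quotes and brackets are excluded from
# the base so a match can never run across log lines or into "[X]" markers.
SPACED_EXT = re.compile(
    r"(?P<base>[a-zA-Z]:\\[^\"\[\]<>\r\n]*?\S)(?P<gap>[ \t]+)\.(?P<ext>exe|dll|sys|scr|com)\b",
    re.IGNORECASE,
)


def find_spaced_executables(log_text):
    """Return [(as_listed, expected_name)] for every distinct hit in a log excerpt."""
    hits, seen = [], set()
    for m in SPACED_EXT.finditer(log_text):
        as_listed = f"{m.group('base')}{m.group('gap')}.{m.group('ext')}"
        expected = f"{m.group('base')}.{m.group('ext')}"
        if as_listed.lower() not in seen:      # same path, same gap: list once
            seen.add(as_listed.lower())
            hits.append((as_listed, expected))
    return hits


def build_renv_block(hits):
    """Format hits as the RenV:: section of a CFScript, one path per line."""
    if not hits:
        return ""
    return "RenV::\n" + "\n".join(as_listed for as_listed, _ in hits) + "\n"


def scan_tree(root):
    """Live check: walk a directory and return files whose name has the pattern."""
    name_re = re.compile(r"\S[ \t]+\.(exe|dll|sys|scr|com)$", re.IGNORECASE)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name_re.search(name):
                found.append(os.path.join(dirpath, name))
    return found


# Constructed sample: four lines shaped like the Run-key and file-list entries
# in the log above. Only lines 1, 2 and 4 should be flagged.
SAMPLE_LOG = r"""
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset .exe c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2010-04-13 41480]
c:\program files\QuickTime\qttask          .exe
"""

if __name__ == "__main__":
    found = find_spaced_executables(SAMPLE_LOG)
    for as_listed, expected in found:
        print(f"{as_listed!r} -> expected {expected!r}")
    print(build_renv_block(found))
```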

#15 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 19 May 2010 - 06:18 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade

