Google / Yahoo Redirect Issue


This topic is locked
37 replies to this topic

#1 tobyw1019 (Members, 22 posts)

Posted 09 April 2010 - 04:09 PM

I am about to give up on this machine because of the above-mentioned problem. I run a standard search in Yahoo or Google and get redirected to various sites when I click a normal link Yahoo or Google has displayed. This happens in IE and Firefox, and also happens in Safe Mode with Networking. I run ESET Smart Security real-time AV protection, which updates daily and runs a daily scan. ESET doesn't come up with any infections during the scan. Malwarebytes has also been installed on my machine, then updated, and then performed a full scan, which didn't find anything. SUPERAntiSpyware Pro has also been installed and found some tracking cookies, which didn't remedy the problem. Spybot Search & Destroy has also been installed and found some tracking cookies, but didn't remedy the problem. Below are the log results from DDS and GMER. Oh, and Google Chrome will not open any web page. After running GMER 5 times in a row without completing (it would lock up the machine) I have given up on it. Here is my DDS log. I do have a HijackThis log as well.


DDS (Ver_10-03-17.01) - NTFSx86
Run by twilhite at 14:31:58.38 on Wed 04/07/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.554 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\twilhite\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\twilhite\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\twilhite\applic~1\mozilla\firefox\profiles\3ya4sco3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\twilhite\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2006-7-27 26304]

=============== Created Last 30 ================

2010-04-07 18:46:38 0 d--h--w- c:\windows\PIF
2010-04-06 21:55:12 46464 ----a-r- c:\windows\system32\drivers\SiSRaid_2.sys
2010-04-06 21:48:17 0 d-sha-r- C:\cmdcons
2010-04-06 21:45:02 98816 ----a-w- c:\windows\sed.exe
2010-04-06 21:45:02 77312 ----a-w- c:\windows\MBR.exe
2010-04-06 21:45:02 261632 ----a-w- c:\windows\PEV.exe
2010-04-06 21:45:02 161792 ----a-w- c:\windows\SWREG.exe
2010-04-06 21:08:55 0 d-----w- c:\program files\Trend Micro
2010-04-06 21:04:58 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:01:44 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:01:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-06 21:01:07 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 18:05:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 16:29:22 0 d-sh--w- c:\documents and settings\twilhite\.COMMgr
2010-04-01 19:36:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 19:49:50 0 d-----w- c:\program files\CCleaner
2010-03-31 19:28:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 19:28:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:28:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 14:27:08 27766784 ----a-w- C:\ProjectProv82RELEASE_Backup_Backup.mde
2010-03-23 14:54:06 197952 ----a-w- c:\windows\system32\FTLang.dll
2010-03-23 14:54:05 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2010-03-23 14:54:05 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2010-03-23 14:54:05 120136 ----a-w- c:\windows\system32\ftbusui.dll
2010-03-23 14:46:53 48640 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-03-19 21:05:11 27262976 ----a-w- C:\ProjectProv82RELEASE_Backup.mde
2010-03-19 21:03:43 1157440 ----a-w- C:\tacrun90.EXE
2010-03-19 21:03:40 1944896 ----a-r- C:\tamrun90.exe
2010-03-10 00:10:33 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-07 18:32:06 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 18:04:46 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2008-08-07 18:05:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080720080808\index.dat

============= FINISH: 14:33:30.40 ===============

#2 teacup61, "Bleepin' Texan!" (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 12 April 2010 - 06:10 PM

Hello tobyw1019,

Not time to give up yet. The new malware out there is a royal pain to detect for most all programs. Can you please post the gmer log you said you have? Also, a HijackThis log might come in handy for some things later, so go ahead and post it as well.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 tobyw1019 (Topic Starter)

Posted 12 April 2010 - 11:39 PM

Posted 12 April 2010 - 11:39 PM

gmer wouldn't finish running the 5 times I tried. The PC would lock up, or the app would, every time. I do have a HijackThis log I could post. I'll get at that in the morning.

thx

#4 tobyw1019 (Topic Starter)

Posted 13 April 2010 - 09:44 AM

Posted 13 April 2010 - 09:44 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:29 PM, on 4/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SigmaDallas
O17 - HKLM\Software\..\Telephony: DomainName = SigmaDallas
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SigmaDallas
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 4926 bytes


#5 tobyw1019 (Topic Starter)

Posted 13 April 2010 - 10:12 AM

Posted 13 April 2010 - 10:12 AM

I also have a ComboFix log I could post at your request.

#6 teacup61, "Bleepin' Texan!" (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 13 April 2010 - 12:38 PM

Yes, please post it.

#7 tobyw1019 (Topic Starter)

Posted 13 April 2010 - 12:44 PM

Posted 13 April 2010 - 12:44 PM

ComboFix 10-04-08.06 - twilhite 04/09/2010 16:42:49.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.543 [GMT -5:00]
Running from: c:\documents and settings\twilhite\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\twilhite\.COMMgr
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 17:43 . 2010-04-09 17:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 16:31 . 2010-04-09 16:31 52224 ----a-w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-09 16:31 . 2010-04-09 16:31 117760 ----a-w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-09 16:30 . 2010-04-09 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 16:29 . 2010-04-09 16:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 16:29 . 2010-04-09 16:29 -------- d-----w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com
2010-04-07 18:46 . 2010-04-07 18:46 -------- d--h--w- c:\windows\PIF
2010-04-07 05:27 . 2010-04-07 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 21:55 . 2004-09-03 05:43 46464 ----a-r- c:\windows\system32\drivers\SiSRaid_2.sys
2010-04-06 21:08 . 2010-04-06 21:08 -------- d-----w- c:\program files\Trend Micro
2010-04-06 21:04 . 2010-04-06 21:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:01 . 2010-04-09 21:06 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:01 . 2010-04-06 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:01 . 2010-04-06 21:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 18:05 . 2010-04-06 18:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:20 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\twilhite\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-05 18:12 . 2010-04-05 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-04-05 16:28 . 2010-04-05 16:28 -------- d-----w- c:\documents and settings\twilhite\Local Settings\Application Data\ESET
2010-04-01 19:36 . 2010-04-09 17:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 19:49 . 2010-03-31 19:49 -------- d-----w- c:\program files\CCleaner
2010-03-31 19:28 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 19:28 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:28 . 2010-03-31 19:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:31 . 2010-03-24 23:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-03-23 14:54 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2010-03-23 14:54 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2010-03-23 14:54 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2010-03-23 14:54 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2010-03-19 21:03 . 2000-04-28 20:18 1157440 ----a-w- C:\tacrun90.EXE
2010-03-19 21:03 . 2002-11-08 21:39 1944896 ----a-r- C:\tamrun90.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 16:29 . 2009-01-20 16:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 17:36 . 2007-09-28 19:00 -------- d-----w- c:\program files\Yahoo!
2010-04-08 17:35 . 2006-07-23 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 17:33 . 2006-07-28 15:01 -------- d-----w- c:\program files\Google
2010-04-08 17:26 . 2006-08-14 14:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-07 21:41 . 2006-08-01 15:12 69296 ----a-w- c:\documents and settings\twilhite\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 19:31 . 2009-06-24 17:28 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-07 19:31 . 2006-08-01 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-07 18:32 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-07 18:04 . 2004-08-04 12:00 24576 ------w- c:\windows\system32\drivers\kbdclass.sys
2010-04-06 22:18 . 2006-08-15 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-06 17:12 . 2009-09-17 22:12 60 ----a-w- c:\windows\wpd99.drv
2010-04-06 17:12 . 2009-09-17 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-31 20:32 . 2008-08-14 21:03 -------- d-----w- c:\program files\On-Screen Takeoff 3
2010-03-12 15:42 . 2009-11-30 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 09:23 . 2009-08-21 08:09 1006168 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-26 16:25 . 2009-12-03 19:49 -------- d-----w- c:\documents and settings\twilhite\Application Data\DisplayTune
2001-12-03 23:09 . 2006-11-15 22:36 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-07_19.52.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2010-04-06 20:48 71904 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-04-08 20:29 71904 c:\windows\system32\perfc009.dat
+ 2010-04-09 16:30 . 2010-04-09 16:30 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-09 16:30 . 2010-04-09 16:30 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-09 16:30 . 2010-04-09 16:30 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2004-08-04 12:00 . 2010-04-08 20:29 444028 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-04-06 20:48 444028 c:\windows\system32\perfh009.dat
+ 2006-07-23 00:39 . 2010-04-07 20:46 269392 c:\windows\system32\FNTCACHE.DAT
+ 2010-02-02 16:30 . 2010-02-02 16:30 5527040 c:\windows\Installer\46ce895.msp
+ 2010-04-08 17:26 . 2010-04-08 17:26 3940352 c:\windows\Installer\46ce885.msi
+ 2010-04-09 16:29 . 2010-04-09 16:29 1583616 c:\windows\Installer\41c4c51.msi
+ 2009-10-28 01:34 . 2009-10-28 01:34 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-06 5650240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\twilhite\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-7-23 266240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter 97.lnk
backup=c:\windows\pss\Lotus SmartCenter 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart 97.lnk
backup=c:\windows\pss\Lotus SuiteStart 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^twilhite^Start Menu^Programs^Startup^Lotus SmartSuite 97 Registration.lnk]
path=c:\documents and settings\twilhite\Start Menu\Programs\Startup\Lotus SmartSuite 97 Registration.lnk
backup=c:\windows\pss\Lotus SmartSuite 97 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-11 16:17 133104 ----atw- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-24 08:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
2004-11-12 15:50 892928 ------w- c:\program files\Silicon Integrated Systems\SiSRaidPackage\Sraid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-05 18:54 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:28 PM 135664]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [7/27/2006 3:00 PM 26304]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
FF - ProfilePath - c:\documents and settings\twilhite\Application Data\Mozilla\Firefox\Profiles\3ya4sco3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D1AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf752ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7423852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1770027372-725345543-1118\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&2ef2171&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-09 16:58:45
ComboFix-quarantined-files.txt 2010-04-09 21:58
ComboFix2.txt 2010-04-08 21:17
ComboFix3.txt 2010-04-07 19:56
ComboFix4.txt 2010-04-06 22:29

Pre-Run: 72,686,247,936 bytes free
Post-Run: 72,705,191,936 bytes free

- - End Of File - - 2B7F2E3FEBD551B1A37474F69A0C18CD


#8 teacup61

  • Malware Response Team

Posted 13 April 2010 - 04:02 PM

Ugh... how many times did you run it? Do you have any of the older logs?

#9 tobyw1019

  • Topic Starter

Posted 13 April 2010 - 04:29 PM

I believe I ran that twice... well, looking at the log, it looks like 3-4 times now. Here is a scan result from 2 days before. If I knew where the app saved log files I'd post the very first one.

ComboFix 10-04-06.05 - twilhite 04/07/2010 14:41:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.464 [GMT -5:00]
Running from: c:\documents and settings\twilhite\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 18:46 . 2010-04-07 18:46 -------- d--h--w- c:\windows\PIF
2010-04-07 05:27 . 2010-04-07 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 21:55 . 2004-09-03 05:43 46464 ----a-r- c:\windows\system32\drivers\SiSRaid_2.sys
2010-04-06 21:08 . 2010-04-06 21:08 -------- d-----w- c:\program files\Trend Micro
2010-04-06 21:04 . 2010-04-06 21:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:01 . 2010-04-06 22:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:01 . 2010-04-06 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:01 . 2010-04-06 21:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 18:05 . 2010-04-06 18:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:20 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\twilhite\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-05 18:12 . 2010-04-05 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-04-05 16:29 . 2010-04-05 21:45 -------- d-sh--w- c:\documents and settings\twilhite\.COMMgr
2010-04-05 16:28 . 2010-04-05 16:28 -------- d-----w- c:\documents and settings\twilhite\Local Settings\Application Data\ESET
2010-04-01 19:36 . 2010-04-01 19:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 19:49 . 2010-03-31 19:49 -------- d-----w- c:\program files\CCleaner
2010-03-31 19:28 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 19:28 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:28 . 2010-03-31 19:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:31 . 2010-03-24 23:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-03-23 14:54 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2010-03-23 14:54 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2010-03-23 14:54 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2010-03-23 14:54 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2010-03-23 14:46 . 2005-07-25 15:04 48640 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-03-19 21:03 . 2000-04-28 20:18 1157440 ----a-w- C:\tacrun90.EXE
2010-03-19 21:03 . 2002-11-08 21:39 1944896 ----a-r- C:\tamrun90.exe
2010-03-10 00:10 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 19:31 . 2009-06-24 17:28 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-07 19:31 . 2006-08-01 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-07 18:32 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 18:04 . 2004-08-04 12:00 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-06 22:18 . 2006-08-15 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-06 17:12 . 2009-09-17 22:12 60 ----a-w- c:\windows\wpd99.drv
2010-04-06 17:12 . 2009-09-17 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-31 20:32 . 2008-08-14 21:03 -------- d-----w- c:\program files\On-Screen Takeoff 3
2010-03-23 14:46 . 2006-07-23 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-12 15:42 . 2009-11-30 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 09:23 . 2009-08-21 08:09 1006168 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-26 16:27 . 2006-07-28 15:01 -------- d-----w- c:\program files\Google
2010-02-26 16:25 . 2009-12-03 19:49 -------- d-----w- c:\documents and settings\twilhite\Application Data\DisplayTune
2010-02-24 21:54 . 2006-08-14 14:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 14:13 . 2010-01-08 14:13 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2001-12-03 23:09 . 2006-11-15 22:36 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-06 5650240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]

c:\documents and settings\twilhite\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-7-23 266240]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter 97.lnk
backup=c:\windows\pss\Lotus SmartCenter 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart 97.lnk
backup=c:\windows\pss\Lotus SuiteStart 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^twilhite^Start Menu^Programs^Startup^Lotus SmartSuite 97 Registration.lnk]
path=c:\documents and settings\twilhite\Start Menu\Programs\Startup\Lotus SmartSuite 97 Registration.lnk
backup=c:\windows\pss\Lotus SmartSuite 97 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-11 16:17 133104 ----atw- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 17:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-24 08:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
2004-11-12 15:50 892928 ------w- c:\program files\Silicon Integrated Systems\SiSRaidPackage\Sraid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-05 18:54 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:28 PM 135664]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [7/27/2006 3:00 PM 26304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:28]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:28]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1770027372-725345543-1118Core.job
- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 16:17]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1770027372-725345543-1118UA.job
- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 16:17]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
FF - ProfilePath - c:\documents and settings\twilhite\Application Data\Mozilla\Firefox\Profiles\3ya4sco3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 14:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865CDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf752ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> tsk2BC3.tmp @ 0xf7423852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1770027372-725345543-1118\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&2ef2171&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1228)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-07 14:56:34
ComboFix-quarantined-files.txt 2010-04-07 19:56
ComboFix2.txt 2010-04-06 22:29

Pre-Run: 72,932,093,952 bytes free
Post-Run: 72,988,729,344 bytes free

- - End Of File - - 80EEF398DD936F2F378013EDA4E2AAB9

Edited by tobyw1019, 13 April 2010 - 04:32 PM.


#10 tobyw1019

  • Topic Starter

Posted 13 April 2010 - 04:39 PM

OK... sorry. Here is the first ComboFix log I could find, from 4-6-10, which is the date I downloaded the app.

ComboFix 10-04-05.06 - twilhite 04/06/2010 16:55:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.431 [GMT -5:00]
Running from: c:\documents and settings\twilhite\My Documents\Downloads\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV


((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 21:55 . 2004-09-03 05:43 46464 ----a-r- c:\windows\system32\drivers\SiSRaid_2.sys
2010-04-06 21:08 . 2010-04-06 21:08 -------- d-----w- c:\program files\Trend Micro
2010-04-06 21:04 . 2010-04-06 21:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:01 . 2010-04-06 22:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:01 . 2010-04-06 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:01 . 2010-04-06 21:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 18:05 . 2010-04-06 18:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:20 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\twilhite\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-05 18:12 . 2010-04-05 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-04-05 16:29 . 2010-04-05 21:45 -------- d-sh--w- c:\documents and settings\twilhite\.COMMgr
2010-04-05 16:28 . 2010-04-05 16:28 -------- d-----w- c:\documents and settings\twilhite\Local Settings\Application Data\ESET
2010-04-01 19:36 . 2010-04-01 19:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 19:49 . 2010-03-31 19:49 -------- d-----w- c:\program files\CCleaner
2010-03-31 19:28 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 19:28 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:28 . 2010-03-31 19:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:31 . 2010-03-24 23:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-03-23 14:54 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2010-03-23 14:54 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2010-03-23 14:54 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2010-03-23 14:54 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2010-03-23 14:46 . 2005-07-25 15:04 48640 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-03-19 21:03 . 2000-04-28 20:18 1157440 ----a-w- C:\tacrun90.EXE
2010-03-19 21:03 . 2002-11-08 21:39 1944896 ----a-r- C:\tamrun90.exe
2010-03-10 00:10 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 22:18 . 2006-08-15 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-06 17:12 . 2009-09-17 22:12 60 ----a-w- c:\windows\wpd99.drv
2010-04-06 17:12 . 2009-09-17 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-31 20:32 . 2008-08-14 21:03 -------- d-----w- c:\program files\On-Screen Takeoff 3
2010-03-23 14:46 . 2006-07-23 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-12 15:42 . 2009-11-30 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 09:23 . 2009-08-21 08:09 1006168 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-26 16:27 . 2006-07-28 15:01 -------- d-----w- c:\program files\Google
2010-02-26 16:25 . 2009-12-03 19:49 -------- d-----w- c:\documents and settings\twilhite\Application Data\DisplayTune
2010-02-24 21:54 . 2006-08-14 14:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 14:13 . 2010-01-08 14:13 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2001-12-03 23:09 . 2006-11-15 22:36 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-06 5650240]

c:\documents and settings\twilhite\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-7-23 266240]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter 97.lnk
backup=c:\windows\pss\Lotus SmartCenter 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart 97.lnk
backup=c:\windows\pss\Lotus SuiteStart 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^twilhite^Start Menu^Programs^Startup^Lotus SmartSuite 97 Registration.lnk]
path=c:\documents and settings\twilhite\Start Menu\Programs\Startup\Lotus SmartSuite 97 Registration.lnk
backup=c:\windows\pss\Lotus SmartSuite 97 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-11 16:17 133104 ----atw- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 17:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-24 08:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
2004-11-12 15:50 892928 ------w- c:\program files\Silicon Integrated Systems\SiSRaidPackage\Sraid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-05 18:54 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/6/2010 4:01 PM 15944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:28 PM 135664]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [7/27/2006 3:00 PM 26304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:28]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 17:28]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1770027372-725345543-1118Core.job
- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 16:17]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1770027372-725345543-1118UA.job
- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-11 16:17]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
FF - ProfilePath - c:\documents and settings\twilhite\Application Data\Mozilla\Firefox\Profiles\3ya4sco3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D4AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf756cf28
\Driver\ACPI -> ACPI.sys @ 0xf74cfcb8
\Driver\atapi -> atapi.sys @ 0xf7461852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1770027372-725345543-1118\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&2ef2171&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-04-06 17:29:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 22:29

Pre-Run: 72,411,185,152 bytes free
Post-Run: 72,409,464,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4F8A757B9190ADB3A88C60A8A574BA2E


#11 tobyw1019

tobyw1019
  • Topic Starter

  • Members
  • 22 posts
  • Local time:05:32 PM

Posted 15 April 2010 - 10:09 AM

Well, if the redirect problem wasn't enough... ave.exe decided to come visit my PC as well... again. I should have mentioned that this was the first issue that I encountered, a week before the redirect problem. Malwarebytes picked it up after I was able to fix the file association issue that accompanies this virus. Malwarebytes picked it up again. Here is a log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3960

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/15/2010 10:05:01 AM
mbam-log-2010-04-15 (10-05-01).txt

Scan type: Quick scan
Objects scanned: 110956
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\twilhite\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\twilhite\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
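
An added example (not part of the original post or of Malwarebytes) showing the check behind the Hijack.StartMenuInternet and Disabled.SecurityCenter detections above: it audits StartMenuInternet launch commands whose first executable is not the registered browser, recovers the genuine browser command the way the "Good:" column does, and flags Security Center notification flags set to 1. The sample registry values are constructed in-memory to mirror the log; nothing touches a live registry.

```python
"""Audit StartMenuInternet browser launch commands and Security Center
notification flags for the ave.exe-style wrapper hijack shown in the MBAM log.

Constructed example for this thread: it works on an in-memory dict of
registry values rather than the live registry, so it runs anywhere.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str   # "Hijack.StartMenuInternet" or "Disabled.SecurityCenter"
    key: str    # registry value path that triggered the finding
    bad: str    # the value as found
    good: str   # the value that should be restored


# Constructed sample export: paths mirror the MBAM log in this thread but are
# hand-written here, not read from a real machine.
SAMPLE_VALUES: Dict[str, str] = {
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default)":
        r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)":
        r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default)":
        r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": "1",
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": "1",
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": "0",
}

# ...\Clients\StartMenuInternet\<CLIENT>\shell\<verb>\command\(default)
_CLIENT_RE = re.compile(
    r"\\Clients\\StartMenuInternet\\(?P<client>[^\\]+)\\shell\\(?P<verb>[^\\]+)"
    r"\\command\\\(default\)$",
    re.IGNORECASE,
)
# Security Center\AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify
_NOTIFY_RE = re.compile(r"\\Security Center\\\w+DisableNotify$", re.IGNORECASE)
# Command-line tokens: a double-quoted run, or a bare run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def split_command(command: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command)]


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_start_menu_internet(values: Dict[str, str]) -> List[Finding]:
    """Flag launch commands whose first executable is not the registered client.

    The hijack wraps the real browser as  <wrapper> /START "<browser>" ..., so
    the genuine browser path is still present as a later token; that token plus
    any switches after it (e.g. -safe-mode) is the value to restore.
    """
    findings: List[Finding] = []
    for key, command in values.items():
        match = _CLIENT_RE.search(key)
        if not match:
            continue
        tokens = split_command(command)
        if not tokens:
            continue
        client = match.group("client").lower()
        if basename(tokens[0]) == client:
            continue  # launches the registered browser directly: clean
        for i, tok in enumerate(tokens[1:], start=1):
            if basename(tok) == client:
                good = " ".join(['"%s"' % tok] + tokens[i + 1:])
                break
        else:
            good = client  # wrapper hides the target; fall back to bare name
        findings.append(Finding("Hijack.StartMenuInternet", key, command, good))
    return findings


def audit_security_center(values: Dict[str, str]) -> List[Finding]:
    """Flag *DisableNotify flags set to 1 (Security Center alerts silenced)."""
    return [
        Finding("Disabled.SecurityCenter", key, value, "0")
        for key, value in values.items()
        if _NOTIFY_RE.search(key) and value.strip() == "1"
    ]


def audit(values: Dict[str, str]) -> List[Finding]:
    """Run both checks and return every finding in export order."""
    return audit_start_menu_internet(values) + audit_security_center(values)


if __name__ == "__main__":
    for f in audit(SAMPLE_VALUES):
        print("%s\n  %s\n  Bad: (%s)\n  Good: (%s)" % (f.kind, f.key, f.bad, f.good))
```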


#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:32 PM

Posted 15 April 2010 - 01:08 PM

Hi there,

Let's try this and see what happens:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

QUOTE
FCOPY::
C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 tobyw1019

tobyw1019
  • Topic Starter

  • Members
  • 22 posts
  • Local time:05:32 PM

Posted 15 April 2010 - 01:32 PM

Hey hey... I was able to get GMER to run, but had to stop the scan because of a server reboot. I did save the log, though, and it appears that it got most of the way through. Not sure how much this will help, but here is what I have.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 13:19:23
Windows 5.1.2600 Service Pack 3
Running: s-gmer.exe; Driver: C:\DOCUME~1\twilhite\LOCALS~1\Temp\uxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT 85FDB580 ZwAssignProcessToJobObject
SSDT 85FDC100 ZwDebugActiveProcess
SSDT 85FDBB30 ZwDuplicateObject
SSDT 85FDACC0 ZwOpenProcess
SSDT 85FDAFC0 ZwOpenThread
SSDT 85FDB9C0 ZwProtectVirtualMemory
SSDT 85FDB860 ZwSetContextThread
SSDT 85FDB6E0 ZwSetInformationThread
SSDT 85FD8700 ZwSetSecurityObject
SSDT 85FDB420 ZwSuspendProcess
SSDT 85FDB2C0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF44B1320]
SSDT 85FDB150 ZwTerminateThread
SSDT 85FDBF50 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF77F6E14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\wuauclt.exe[392] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[392] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1668] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (FileSpy Filter Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 865E1AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#14 tobyw1019

tobyw1019
  • Topic Starter

  • Members
  • 22 posts
  • Local time:05:32 PM

Posted 15 April 2010 - 02:01 PM

ComboFix log w/ script.

ComboFix 10-04-08.06 - twilhite 04/15/2010 13:40:23.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.444 [GMT -5:00]
Running from: c:\documents and settings\twilhite\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\twilhite\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\twilhite\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

.
--------------- FCopy ---------------

c:\windows\SERVICEPACKFILES\I386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 14:50 . 2010-04-15 14:50 -------- d-----w- c:\documents and settings\twilhite\Application Data\Logitech
2010-04-15 14:45 . 2010-04-15 14:45 -------- d-----w- c:\documents and settings\twilhite\Application Data\Leadertech
2010-04-14 21:52 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-04-14 21:52 . 2009-07-20 17:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-04-14 21:52 . 2009-07-20 17:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-04-14 21:52 . 2009-07-20 17:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-04-14 21:52 . 2009-07-20 17:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-04-14 21:51 . 2010-04-14 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-04-14 21:50 . 2010-04-15 14:45 -------- d-----w- c:\program files\Common Files\Logishrd
2010-04-14 21:50 . 2010-04-14 21:50 -------- d-----w- c:\program files\Logitech
2010-04-14 21:49 . 2010-04-14 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-04-13 21:25 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-04-13 21:25 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-04-13 21:25 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-04-13 21:25 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-04-09 17:43 . 2010-04-09 17:43 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-09 16:31 . 2010-04-09 16:31 52224 ----a-w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-09 16:31 . 2010-04-09 16:31 117760 ----a-w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-09 16:30 . 2010-04-09 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 16:29 . 2010-04-09 16:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 16:29 . 2010-04-09 16:29 -------- d-----w- c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com
2010-04-07 18:46 . 2010-04-07 18:46 -------- d--h--w- c:\windows\PIF
2010-04-07 05:27 . 2010-04-07 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 21:55 . 2004-09-03 05:43 46464 ----a-r- c:\windows\system32\drivers\SiSRaid_2.sys
2010-04-06 21:08 . 2010-04-06 21:08 -------- d-----w- c:\program files\Trend Micro
2010-04-06 21:04 . 2010-04-13 20:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:01 . 2010-04-14 18:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:01 . 2010-04-06 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:01 . 2010-04-06 21:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 18:05 . 2010-04-06 18:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:20 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\twilhite\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-05 18:12 . 2010-04-05 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-04-05 16:28 . 2010-04-05 16:28 -------- d-----w- c:\documents and settings\twilhite\Local Settings\Application Data\ESET
2010-04-01 19:36 . 2010-04-09 17:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 19:49 . 2010-03-31 19:49 -------- d-----w- c:\program files\CCleaner
2010-03-31 19:28 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 19:28 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 19:28 . 2010-03-31 19:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:31 . 2010-03-24 23:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-03-23 14:54 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2010-03-23 14:54 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2010-03-23 14:54 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2010-03-23 14:54 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2010-03-19 21:03 . 2000-04-28 20:18 1157440 ----a-w- C:\tacrun90.EXE
2010-03-19 21:03 . 2002-11-08 21:39 1944896 ----a-r- C:\tamrun90.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 21:51 . 2006-07-23 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-14 19:08 . 2009-09-17 22:12 59 ----a-w- c:\windows\wpd99.drv
2010-04-14 19:08 . 2009-09-17 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-04-13 15:42 . 2004-08-04 12:00 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-09 16:29 . 2009-01-20 16:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 17:36 . 2007-09-28 19:00 -------- d-----w- c:\program files\Yahoo!
2010-04-08 17:33 . 2006-07-28 15:01 -------- d-----w- c:\program files\Google
2010-04-08 17:26 . 2006-08-14 14:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-07 21:41 . 2006-08-01 15:12 69296 ----a-w- c:\documents and settings\twilhite\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 19:31 . 2009-06-24 17:28 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-07 19:31 . 2006-08-01 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-06 22:18 . 2006-08-15 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-31 20:32 . 2008-08-14 21:03 -------- d-----w- c:\program files\On-Screen Takeoff 3
2010-03-12 15:42 . 2009-11-30 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 09:23 . 2009-08-21 08:09 1006168 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-26 16:25 . 2009-12-03 19:49 -------- d-----w- c:\documents and settings\twilhite\Application Data\DisplayTune
2001-12-03 23:09 . 2006-11-15 22:36 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-07_19.52.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2010-04-08 20:29 71904 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-04-06 20:48 71904 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2008-04-13 18:45 17152 c:\windows\system32\drivers\usbohci.sys
- 2004-08-04 12:00 . 2008-04-13 18:45 17152 c:\windows\system32\drivers\usbohci.sys
- 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2004-08-04 12:00 . 2008-04-13 18:45 17152 c:\windows\system32\dllcache\usbohci.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\dllcache\mouclass.sys
+ 2004-08-04 12:00 . 2010-04-13 15:42 24576 c:\windows\system32\dllcache\kbdclass.sys
- 2004-08-04 12:00 . 2010-04-07 18:04 24576 c:\windows\system32\dllcache\kbdclass.sys
+ 2004-08-04 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2010-04-15 05:33 . 2010-04-15 05:33 69296 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2010-04-09 16:30 . 2010-04-09 16:30 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-09 16:30 . 2010-04-09 16:30 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-15 14:45 . 2010-04-15 14:45 10134 c:\windows\Installer\{A498D9EB-927B-459B-85D6-DD6EF8C2C564}\ARPPRODUCTICON.exe
+ 2010-04-15 14:46 . 2010-04-15 14:46 10134 c:\windows\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
+ 2010-04-09 16:30 . 2010-04-09 16:30 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
- 2004-08-04 12:00 . 2010-04-06 20:48 444028 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-04-08 20:29 444028 c:\windows\system32\perfh009.dat
+ 2006-07-23 00:39 . 2010-04-07 20:46 269392 c:\windows\system32\FNTCACHE.DAT
+ 2010-04-15 14:45 . 2010-04-15 14:45 193536 c:\windows\Installer\69820.msi
+ 2010-04-15 14:46 . 2010-04-15 14:46 2715648 c:\windows\Installer\69831.msi
+ 2010-02-02 16:30 . 2010-02-02 16:30 5527040 c:\windows\Installer\46ce895.msp
+ 2010-04-08 17:26 . 2010-04-08 17:26 3940352 c:\windows\Installer\46ce885.msi
+ 2010-04-09 16:29 . 2010-04-09 16:29 1583616 c:\windows\Installer\41c4c51.msi
+ 2009-10-28 01:34 . 2009-10-28 01:34 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
+ 2010-04-14 21:52 . 2010-04-14 21:52 10386432 c:\windows\Installer\bcfef7.msi
+ 2010-04-15 14:48 . 2010-04-15 14:48 10386432 c:\windows\Installer\9161c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-06 5650240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\twilhite\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-4-14 813584]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-7-23 266240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter 97.lnk
backup=c:\windows\pss\Lotus SmartCenter 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart 97.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart 97.lnk
backup=c:\windows\pss\Lotus SuiteStart 97.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^twilhite^Start Menu^Programs^Startup^Lotus SmartSuite 97 Registration.lnk]
path=c:\documents and settings\twilhite\Start Menu\Programs\Startup\Lotus SmartSuite 97 Registration.lnk
backup=c:\windows\pss\Lotus SmartSuite 97 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-11 16:17 133104 ----atw- c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-24 08:24 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
2004-11-12 15:50 892928 ------w- c:\program files\Silicon Integrated Systems\SiSRaidPackage\Sraid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-05 18:54 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:28 PM 135664]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [7/27/2006 3:00 PM 26304]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
FF - ProfilePath - c:\documents and settings\twilhite\Application Data\Mozilla\Firefox\Profiles\3ya4sco3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\twilhite\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 13:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865E5AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf752ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7423852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1770027372-725345543-1118\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F03\4&2ef2171&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\twilhite\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-15 13:57:07
ComboFix-quarantined-files.txt 2010-04-15 18:56
ComboFix2.txt 2010-04-09 21:58
ComboFix3.txt 2010-04-08 21:17
ComboFix4.txt 2010-04-07 19:56
ComboFix5.txt 2010-04-15 18:37

Pre-Run: 72,633,876,480 bytes free
Post-Run: 72,686,854,144 bytes free

- - End Of File - - AB930A5B99C6D5903AF75EF007275BFC


#15 tobyw1019
  • Topic Starter
  • Members
  • 22 posts

Posted 15 April 2010 - 02:16 PM

Not sure if this helps, but the Eset firewall keeps blocking 2 IP addresses that keep trying to connect to my machine each time I do a Google / Yahoo search, or just open up Mozilla. I don't get the redirect anymore as of this morning, but a new Mozilla window pops up with the contents of this path C:\Program Files\Mozilla Firefox, along with about 5 tabs that don't have anything in them. The IP addresses are 78.47.248.116:80, and 213.163.89.106:80.



