
Malware Causing Slowdown and Possible Internet Connection Problems


This topic is locked
15 replies to this topic

#1 srr123

  • Members
  • 8 posts

Posted 12 April 2010 - 02:07 PM

I'm experiencing general slowdown and occasional page hijacking, as well as progressively worse Internet connection problems. The Internet connection problem is my main concern as it is difficult for me to establish a connection and then once I do I'm often kicked off, sometimes as frequently as every 2 minutes. I also constantly get the message "Local Area Connection: A network cable is unplugged", but this does not necessarily correspond to the times that I've been kicked off and I've checked my physical connection and my modem and there doesn't seem to be a problem. I've run Malwarebytes and no problem was discovered. Any help would be appreciated. Please see my DDS and Gmer logs below:

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 12:22:08.34 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.268 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Personal Firewall *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nc.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NetCleaner] nc.exe /install
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [WUSB54Gv2] c:\program files\linksys wireless-g usb wireless network monitor\InvokeSvc3.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://www.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/24/install/gtdownls.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://advancedmeetings.webex.com/client/v_mywebex/webex/ieatgpc.cab
DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - hxxp://lg.home.microsoft.com/search/lobby/searchsettings.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\ypy8vd9e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\hp_owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\ypy8vd9e.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2003-11-7 37056]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-3-2 270888]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-12-9 255648]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2003-12-9 218736]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-12-9 235168]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-13 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-20 38224]
R3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\navapsvc.exe [2004-6-4 174208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050302.008\NAVENG.Sys [2005-3-5 73728]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050302.008\NavEx15.Sys [2005-3-5 631040]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2003-11-7 308416]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-3-2 65576]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-12-9 87712]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2003-11-7 193816]
S3 SNDP106;Dual Mode Camera (8001 CIF);c:\windows\system32\drivers\sndp106.sys [2005-3-13 227072]

=============== Created Last 30 ================

2010-04-12 04:59:36 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-23 01:08:15 0 d-----w- c:\docume~1\hp_owner\applic~1\KodakCredentialStore

==================== Find3M ====================

2010-03-02 06:18:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2005-07-01 20:15:35 0 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 12:25:20.71 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 14:53:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kxldypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF5DCC160]
SSDT 85D59688 ZwConnectPort
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF5DCB868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xF5DC8320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF5DCAE90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF5DCAD9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xF5DCB3FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF5DCC210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xF5DC8786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xF5DC8846]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF5DCBB54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF5DC85CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF5DCB4EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF5DCBE8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xF5DC89BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF5DCBDE0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF75EE794]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[1404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[1404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0088000C
.text C:\WINDOWS\System32\svchost.exe[1404] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0245000A
.text C:\WINDOWS\Explorer.EXE[1760] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\Explorer.EXE[1760] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[1760] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B1000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3188] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0129000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 012A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3188] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0128000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3188] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

Device \Driver\NAVEX15 \Device\NAVEX15 EED40F1A

AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

Device \Driver\NAVENG \Device\NAVENG EED0D486

AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 862AFB4C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
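An added triage helper (not part of this thread and not a BleepingComputer or DDS tool) that reads a few constructed lines in the DDS and GMER formats shown in the post above and collects what a reviewer usually checks first: protection status, BHO/toolbar entries with no backing file, autorun entries that name a bare filename rather than a full path, and files GMER marks as modified. These are review heuristics only; each flagged item still needs a human look.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the DDS and GMER formats seen in this
# thread (abridged from the posted logs, not the complete output of either tool).
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Personal Firewall *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NetCleaner] nc.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# DDS header line for a security product: "AV: <product> *<state>* (<age>) {CLSID}"
AV_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*(?: \((?P<age>[^)]+)\))?")
# BHO / toolbar registration whose DLL is missing on disk
HOOK_RE = re.compile(r"^(BHO|TB): (?P<rest>.*) - No File$")
# Run-key autorun: uRun (user), mRun (machine), dRun (default user)
RUN_RE = re.compile(r"^(?P<hive>uRun|mRun|dRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def command_path(cmd: str) -> str:
    """Return the executable token from an autorun command line: the quoted
    string if the command starts with a quote, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_absolute_windows_path(p: str) -> bool:
    """Drive-letter path, UNC path, or a path starting with an env var such as %windir%."""
    return bool(re.match(r"^[a-zA-Z]:\\", p)) or p.startswith(r"\\") or p.startswith("%")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Walk DDS/GMER lines and bucket the ones a reviewer should look at first."""
    findings: Dict[str, List[str]] = {
        "protection": [],    # AV/FW disabled or with outdated definitions
        "orphaned": [],      # BHO/TB entries pointing at a file that no longer exists
        "bare_autorun": [],  # Run entries that rely on PATH lookup instead of a full path
        "gmer": [],          # files GMER itself reports as modified
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AV_RE.match(line)
        if m:
            state, age = m.group("state"), m.group("age") or ""
            if "disabled" in state.lower() or "outdated" in age.lower():
                desc = f'{m.group("kind")} {m.group("product")}: {state}'
                findings["protection"].append(desc + (f" ({age})" if age else ""))
            continue
        if HOOK_RE.match(line):
            findings["orphaned"].append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            exe = command_path(m.group("cmd"))
            if not is_absolute_windows_path(exe):
                findings["bare_autorun"].append(f'{m.group("name")}: {exe}')
            continue
        suffix = " suspicious modification"
        if line.startswith("File ") and line.endswith(suffix):
            findings["gmer"].append(line[len("File "):-len(suffix)])
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"[{bucket}]")
        for item in items:
            print("   ", item)
```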



#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 16 April 2010 - 01:56 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.




#3 srr123

  • Topic Starter
  • Members
  • 8 posts

Posted 16 April 2010 - 10:40 PM

Thank you for your reply. Since I first posted, my Internet connection became much worse and I contacted Verizon. They felt that my modem was no longer working and I received a replacement and connected it today. My Internet connection has been fine ever since so thankfully that one major problem seems resolved.

As for my malware issues, as mentioned before pages occasionally get hijacked and there's general slowdown. In addition, my computer is also crashing at least once a day now. I'm also now getting a message several times a day from my firewall saying that it's blocking "HTTPS Tideserv Request 2" which continually tries to infiltrate my system.

As requested I'm posting my new DDS log and I've attached my new Gmer log. Thanks for your help.

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 23:26:50.34 on Fri 04/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.360 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Personal Firewall *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nc.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NetCleaner] nc.exe /install
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [WUSB54Gv2] c:\program files\linksys wireless-g usb wireless network monitor\InvokeSvc3.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://www.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/24/install/gtdownls.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://advancedmeetings.webex.com/client/v_mywebex/webex/ieatgpc.cab
DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - hxxp://lg.home.microsoft.com/search/lobby/searchsettings.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\ypy8vd9e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\hp_owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\ypy8vd9e.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2003-11-7 37056]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-3-2 270888]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-12-9 255648]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2003-12-9 218736]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-12-9 235168]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-13 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\navapsvc.exe [2004-6-4 174208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050302.008\NAVENG.Sys [2005-3-5 73728]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050302.008\NavEx15.Sys [2005-3-5 631040]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2003-11-7 308416]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-3-2 65576]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-12-9 87712]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2003-11-7 193816]
S3 SNDP106;Dual Mode Camera (8001 CIF);c:\windows\system32\drivers\sndp106.sys [2005-3-13 227072]

=============== Created Last 30 ================

2010-04-16 19:03:47 0 d-----w- c:\program files\common files\SupportSoft
2010-04-12 04:59:36 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-23 01:08:15 0 d-----w- c:\docume~1\hp_owner\applic~1\KodakCredentialStore

==================== Find3M ====================

2010-04-16 22:46:12 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 06:18:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-07-01 20:15:35 0 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 23:28:36.14 ===============

Attached Files

  • ark.txt (6.54KB)


#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender: Not Telling
  • Local time: 09:45 AM

Posted 17 April 2010 - 07:37 PM

Hi srr123,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you deal with your malware problems today.

Step 1
  1. Go to this thread and download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
  3. Go to Start > Run, copy/paste the following command into the Run box, and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste its contents in your next reply.

Step 2
  1. If you already have ComboFix, please delete that copy and download it again, as it is being updated regularly.
  2. Please visit this webpage for download links and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option of installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow ComboFix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse-click on ComboFix while it is running. That may cause it to stall.

In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log

Tell me if you have any remaining issues on your PC.
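
Step 1 above produces a TDSSKiller.txt whose kernel-memory section lists, per driver, every IRP_MJ_* dispatch handler and a file verdict. As an added example (not part of this thread and not Kaspersky's code), the script below triages such a log: it flags a driver whose entire dispatch table points at one address, whose backing file is not a .sys, or which the tool itself marked. The sample log is constructed in that format, and the verdict meaning (1 clean, 3 infected) and the "shared stub address" reading are inferred from the log posted in this thread, not documented by the tool.

```python
"""Triage a TDSSKiller kernel-memory scan log (added example, not part of this
thread and not Kaspersky's code). It reads the "Driver Name:" / "IRP_MJ_* : addr"
/ "<file> - Verdict: n" blocks and flags a driver whose whole dispatch table
points at one address, whose backing file is not a .sys, or which the tool
itself marked; the verdict values (1 clean, 3 infected) are inferred from
the log posted in this thread only."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+[0-9A-Fa-f]{4}\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by')
INFECTED_VERDICT = 3  # inferred from this thread's log, where clean files show 1

# Constructed sample in the format of the log posted in this thread; handler
# addresses are taken from it, but only five IRP majors per driver are kept.
SAMPLE_LOG = r"""
21:57:05:390 0420 Scanning Kernel memory ...
21:57:05:390 0420 Driver Name: Disk
21:57:05:390 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:390 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:390 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:390 0420 IRP_MJ_READ : F76AFD1F
21:57:05:390 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:390 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:390 0420
21:57:05:406 0420 Driver Name: USBSTOR
21:57:05:406 0420 IRP_MJ_CREATE : F0CA1218
21:57:05:406 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:406 0420 IRP_MJ_CLOSE : F0CA1218
21:57:05:406 0420 IRP_MJ_READ : F0CA123C
21:57:05:406 0420 IRP_MJ_DEVICE_CONTROL : F0CA1180
21:57:05:437 0420 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:57:05:437 0420
21:57:05:468 0420 Driver Name: atapi
21:57:05:468 0420 IRP_MJ_CREATE : 862D6B4C
21:57:05:468 0420 IRP_MJ_CREATE_NAMED_PIPE : 862D6B4C
21:57:05:468 0420 IRP_MJ_CLOSE : 862D6B4C
21:57:05:468 0420 IRP_MJ_READ : 862D6B4C
21:57:05:468 0420 IRP_MJ_DEVICE_CONTROL : 862D6B4C
21:57:05:468 0420 Driver "atapi" infected by TDSS rootkit!
21:57:05:468 0420 C:\WINDOWS\system32\drivers\tskADC.tmp - Verdict: 3
21:57:05:468 0420
21:57:05:468 0420 Completed
"""

def parse_log(text):
    """One dict per 'Driver Name:' block, in scan order."""
    drivers, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped log line
        msg = m.group(1).strip()
        d = DRIVER_RE.match(msg)
        if d:
            cur = {"name": d.group(1), "handlers": {}, "file": None,
                   "verdict": None, "tool_flagged": False}
            drivers.append(cur)
        elif cur is None:
            continue  # preamble before the first driver block
        elif (i := IRP_RE.match(msg)):
            cur["handlers"][i.group(1)] = int(i.group(2), 16)
        elif INFECTED_RE.match(msg):
            cur["tool_flagged"] = True
        elif (v := VERDICT_RE.match(msg)):
            cur["file"], cur["verdict"] = v.group(1), int(v.group(2))
    return drivers

def common_stub(drivers):
    """Address shared by the most drivers. In this thread's log that is 804FA88E,
    which every clean driver uses for the IRP majors it does not implement, so
    a table that routes everything to some *other* single address stands out."""
    c = Counter(a for d in drivers for a in set(d["handlers"].values()))
    return c.most_common(1)[0][0] if c else None

def triage(drivers):
    """Map driver name -> reasons it deserves a look (empty list = nothing seen)."""
    stub = common_stub(drivers)
    report = {}
    for d in drivers:
        reasons, addrs = [], set(d["handlers"].values())
        if len(d["handlers"]) > 1 and len(addrs) == 1 and stub not in addrs:
            reasons.append("all %d IRP_MJ handlers -> %08X"
                           % (len(d["handlers"]), next(iter(addrs))))
        if d["file"] and not d["file"].lower().endswith(".sys"):
            reasons.append("backing file is not a .sys: " + d["file"])
        if d["verdict"] is not None and d["verdict"] >= INFECTED_VERDICT:
            reasons.append("tool verdict %d" % d["verdict"])
        if d["tool_flagged"]:
            reasons.append("tool reported the driver as infected")
        report[d["name"]] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(name, "->", "; ".join(reasons) or "nothing unusual")
```

Run it against a real TDSSKiller.txt by replacing SAMPLE_LOG with the file's contents; the single-address heuristic is what makes the hooked atapi block stand out even before the tool's own verdict line.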

#5 srr123

  • Topic Starter
  • Members
  • 8 posts
  • Local time: 10:45 AM

Posted 17 April 2010 - 10:36 PM

Not sure if I'm still having issues because they happen sporadically but I'll monitor it over the next 24 hours. The logs are pasted below. Thanks.

TDSS:

21:57:05:000 0420 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:57:05:000 0420 ================================================================================
21:57:05:000 0420 SystemInfo:

21:57:05:000 0420 OS Version: 5.1.2600 ServicePack: 3.0
21:57:05:000 0420 Product type: Workstation
21:57:05:000 0420 ComputerName: STEVEN
21:57:05:000 0420 UserName: HP_Owner
21:57:05:000 0420 Windows directory: C:\WINDOWS
21:57:05:000 0420 Processor architecture: Intel x86
21:57:05:000 0420 Number of processors: 1
21:57:05:000 0420 Page size: 0x1000
21:57:05:000 0420 Boot type: Normal boot
21:57:05:000 0420 ================================================================================
21:57:05:000 0420 UnloadDriverW: NtUnloadDriver error 1
21:57:05:000 0420 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
21:57:05:015 0420 LoadDriverW: Driver already loaded
21:57:05:015 0420 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:57:05:015 0420 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:57:05:015 0420 wfopen_ex: Trying to KLMD file open
21:57:05:015 0420 wfopen_ex: File opened ok (Flags 2)
21:57:05:015 0420 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:57:05:015 0420 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:57:05:015 0420 wfopen_ex: Trying to KLMD file open
21:57:05:015 0420 wfopen_ex: File opened ok (Flags 2)
21:57:05:031 0420 Initialize success
21:57:05:031 0420
21:57:05:031 0420 Scanning Services ...
21:57:05:375 0420 Raw services enum returned 371 services
21:57:05:390 0420
21:57:05:390 0420 Scanning Kernel memory ...
21:57:05:390 0420 Devices to scan: 11
21:57:05:390 0420
21:57:05:390 0420 Driver Name: Disk
21:57:05:390 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:390 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:390 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:390 0420 IRP_MJ_READ : F76AFD1F
21:57:05:390 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:390 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:390 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:390 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:390 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:390 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:390 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:390 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:390 0420 IRP_MJ_POWER : F76B1C82
21:57:05:390 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:390 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:390 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:390 0420
21:57:05:390 0420 Driver Name: Disk
21:57:05:390 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:390 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:390 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:390 0420 IRP_MJ_READ : F76AFD1F
21:57:05:390 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:390 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:390 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:390 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:390 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:390 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:390 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:390 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:390 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:390 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:390 0420 IRP_MJ_POWER : F76B1C82
21:57:05:390 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:390 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:390 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:390 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:406 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:406 0420
21:57:05:406 0420 Driver Name: Disk
21:57:05:406 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:406 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:406 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:406 0420 IRP_MJ_READ : F76AFD1F
21:57:05:406 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:406 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:406 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:406 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:406 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:406 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:406 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_POWER : F76B1C82
21:57:05:406 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:406 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:406 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:406 0420
21:57:05:406 0420 Driver Name: Disk
21:57:05:406 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:406 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:406 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:406 0420 IRP_MJ_READ : F76AFD1F
21:57:05:406 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:406 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:406 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:406 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:406 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:406 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:406 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_POWER : F76B1C82
21:57:05:406 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:406 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:406 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:406 0420
21:57:05:406 0420 Driver Name: USBSTOR
21:57:05:406 0420 IRP_MJ_CREATE : F0CA1218
21:57:05:406 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:406 0420 IRP_MJ_CLOSE : F0CA1218
21:57:05:406 0420 IRP_MJ_READ : F0CA123C
21:57:05:406 0420 IRP_MJ_WRITE : F0CA123C
21:57:05:406 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:406 0420 IRP_MJ_FLUSH_BUFFERS : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:406 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_DEVICE_CONTROL : F0CA1180
21:57:05:406 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F0C9C9E6
21:57:05:406 0420 IRP_MJ_SHUTDOWN : 804FA88E
21:57:05:406 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:406 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:406 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:406 0420 IRP_MJ_POWER : F0CA05F0
21:57:05:406 0420 IRP_MJ_SYSTEM_CONTROL : F0C9EA6E
21:57:05:406 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:406 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:406 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:437 0420 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:57:05:437 0420
21:57:05:437 0420 Driver Name: USBSTOR
21:57:05:437 0420 IRP_MJ_CREATE : F0CA1218
21:57:05:437 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:437 0420 IRP_MJ_CLOSE : F0CA1218
21:57:05:437 0420 IRP_MJ_READ : F0CA123C
21:57:05:437 0420 IRP_MJ_WRITE : F0CA123C
21:57:05:437 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:437 0420 IRP_MJ_FLUSH_BUFFERS : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_DEVICE_CONTROL : F0CA1180
21:57:05:437 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F0C9C9E6
21:57:05:437 0420 IRP_MJ_SHUTDOWN : 804FA88E
21:57:05:437 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:437 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:437 0420 IRP_MJ_POWER : F0CA05F0
21:57:05:437 0420 IRP_MJ_SYSTEM_CONTROL : F0C9EA6E
21:57:05:437 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:437 0420 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:57:05:437 0420
21:57:05:437 0420 Driver Name: USBSTOR
21:57:05:437 0420 IRP_MJ_CREATE : F0CA1218
21:57:05:437 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:437 0420 IRP_MJ_CLOSE : F0CA1218
21:57:05:437 0420 IRP_MJ_READ : F0CA123C
21:57:05:437 0420 IRP_MJ_WRITE : F0CA123C
21:57:05:437 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:437 0420 IRP_MJ_FLUSH_BUFFERS : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:437 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_DEVICE_CONTROL : F0CA1180
21:57:05:437 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F0C9C9E6
21:57:05:437 0420 IRP_MJ_SHUTDOWN : 804FA88E
21:57:05:437 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:437 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:437 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:437 0420 IRP_MJ_POWER : F0CA05F0
21:57:05:437 0420 IRP_MJ_SYSTEM_CONTROL : F0C9EA6E
21:57:05:437 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:437 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:437 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:437 0420 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:57:05:437 0420
21:57:05:437 0420 Driver Name: USBSTOR
21:57:05:437 0420 IRP_MJ_CREATE : F0CA1218
21:57:05:453 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:453 0420 IRP_MJ_CLOSE : F0CA1218
21:57:05:453 0420 IRP_MJ_READ : F0CA123C
21:57:05:453 0420 IRP_MJ_WRITE : F0CA123C
21:57:05:453 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_FLUSH_BUFFERS : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_DEVICE_CONTROL : F0CA1180
21:57:05:453 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F0C9C9E6
21:57:05:453 0420 IRP_MJ_SHUTDOWN : 804FA88E
21:57:05:453 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:453 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_POWER : F0CA05F0
21:57:05:453 0420 IRP_MJ_SYSTEM_CONTROL : F0C9EA6E
21:57:05:453 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:453 0420 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:57:05:453 0420
21:57:05:453 0420 Driver Name: Disk
21:57:05:453 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:453 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:453 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:453 0420 IRP_MJ_READ : F76AFD1F
21:57:05:453 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:453 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:453 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:453 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:453 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:453 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:453 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_POWER : F76B1C82
21:57:05:453 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:453 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:453 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:453 0420
21:57:05:453 0420 Driver Name: Disk
21:57:05:453 0420 IRP_MJ_CREATE : F76B5BB0
21:57:05:453 0420 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
21:57:05:453 0420 IRP_MJ_CLOSE : F76B5BB0
21:57:05:453 0420 IRP_MJ_READ : F76AFD1F
21:57:05:453 0420 IRP_MJ_WRITE : F76AFD1F
21:57:05:453 0420 IRP_MJ_QUERY_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_EA : 804FA88E
21:57:05:453 0420 IRP_MJ_FLUSH_BUFFERS : F76B02E2
21:57:05:453 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
21:57:05:453 0420 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_DEVICE_CONTROL : F76B03BB
21:57:05:453 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B3F28
21:57:05:453 0420 IRP_MJ_SHUTDOWN : F76B02E2
21:57:05:453 0420 IRP_MJ_LOCK_CONTROL : 804FA88E
21:57:05:453 0420 IRP_MJ_CLEANUP : 804FA88E
21:57:05:453 0420 IRP_MJ_CREATE_MAILSLOT : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_SECURITY : 804FA88E
21:57:05:453 0420 IRP_MJ_POWER : F76B1C82
21:57:05:453 0420 IRP_MJ_SYSTEM_CONTROL : F76B699E
21:57:05:453 0420 IRP_MJ_DEVICE_CHANGE : 804FA88E
21:57:05:453 0420 IRP_MJ_QUERY_QUOTA : 804FA88E
21:57:05:453 0420 IRP_MJ_SET_QUOTA : 804FA88E
21:57:05:468 0420 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:57:05:468 0420
21:57:05:468 0420 Driver Name: atapi
21:57:05:468 0420 IRP_MJ_CREATE : 862D6B4C
21:57:05:468 0420 IRP_MJ_CREATE_NAMED_PIPE : 862D6B4C
21:57:05:468 0420 IRP_MJ_CLOSE : 862D6B4C
21:57:05:468 0420 IRP_MJ_READ : 862D6B4C
21:57:05:468 0420 IRP_MJ_WRITE : 862D6B4C
21:57:05:468 0420 IRP_MJ_QUERY_INFORMATION : 862D6B4C
21:57:05:468 0420 IRP_MJ_SET_INFORMATION : 862D6B4C
21:57:05:468 0420 IRP_MJ_QUERY_EA : 862D6B4C
21:57:05:468 0420 IRP_MJ_SET_EA : 862D6B4C
21:57:05:468 0420 IRP_MJ_FLUSH_BUFFERS : 862D6B4C
21:57:05:468 0420 IRP_MJ_QUERY_VOLUME_INFORMATION : 862D6B4C
21:57:05:468 0420 IRP_MJ_SET_VOLUME_INFORMATION : 862D6B4C
21:57:05:468 0420 IRP_MJ_DIRECTORY_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_FILE_SYSTEM_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_DEVICE_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_INTERNAL_DEVICE_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_SHUTDOWN : 862D6B4C
21:57:05:468 0420 IRP_MJ_LOCK_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_CLEANUP : 862D6B4C
21:57:05:468 0420 IRP_MJ_CREATE_MAILSLOT : 862D6B4C
21:57:05:468 0420 IRP_MJ_QUERY_SECURITY : 862D6B4C
21:57:05:468 0420 IRP_MJ_SET_SECURITY : 862D6B4C
21:57:05:468 0420 IRP_MJ_POWER : 862D6B4C
21:57:05:468 0420 IRP_MJ_SYSTEM_CONTROL : 862D6B4C
21:57:05:468 0420 IRP_MJ_DEVICE_CHANGE : 862D6B4C
21:57:05:468 0420 IRP_MJ_QUERY_QUOTA : 862D6B4C
21:57:05:468 0420 IRP_MJ_SET_QUOTA : 862D6B4C
21:57:05:468 0420 Driver "atapi" infected by TDSS rootkit!
21:57:05:468 0420 C:\WINDOWS\system32\drivers\tskADC.tmp - Verdict: 3
21:57:05:468 0420
21:57:05:468 0420 Completed
21:57:05:468 0420
21:57:05:468 0420 Results:
21:57:05:468 0420 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
21:57:05:468 0420 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:57:05:468 0420 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:57:05:468 0420
21:57:05:468 0420 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:57:05:468 0420 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:57:05:468 0420 UnloadDriverW: NtUnloadDriver error 1
21:57:05:468 0420 KLMD(ARK) unloaded successfully


ComboFix Log:

ComboFix 10-04-17.02 - HP_Owner 04/17/2010 22:52:26.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.612 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Personal Firewall *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-16 19:03 . 2010-04-16 19:03 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\SupportSoft
2010-04-16 19:03 . 2010-04-16 19:03 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-04-12 04:59 . 2010-04-12 04:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-23 01:08 . 2010-03-23 01:08 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\KodakCredentialStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 02:51 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-18 01:55 . 2010-04-18 01:55 96512 ----a-w- c:\windows\system32\drivers\tskADC.tmp
2010-04-17 19:52 . 2009-04-17 13:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 21:46 . 2004-08-08 14:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-12 19:59 . 2010-04-12 19:59 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\msvcp71.dll
2010-04-12 19:59 . 2010-04-12 19:59 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\jmc.dll
2010-04-12 19:59 . 2010-04-12 19:59 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\msvcr71.dll
2010-04-12 05:02 . 2009-07-03 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-12 04:59 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 21:07 . 2010-04-12 04:56 185482 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-04-03 03:31 . 2009-04-30 13:59 -------- d-----w- c:\program files\iTunes
2010-03-26 21:59 . 2010-03-26 21:59 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77d2ded7-n\decora-sse.dll
2010-03-26 21:59 . 2010-03-26 21:59 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77d2ded7-n\decora-d3d.dll
2010-03-17 04:00 . 2005-01-16 02:19 63344 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2004-08-07 18:47 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 21:08 . 2010-03-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-07 21:04 . 2005-01-20 23:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-07 21:02 . 2010-03-07 21:03 38784 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-07 21:00 . 2010-03-07 21:00 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-07 21:00 . 2010-03-07 21:00 -------- d-----w- c:\program files\NOS
2010-03-02 23:23 . 2005-02-01 23:44 -------- d-----w- c:\program files\Design Science
2010-03-02 06:18 . 2009-04-09 22:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 06:11 . 2010-03-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe(2)
2010-03-02 00:45 . 2010-03-02 00:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-01 23:32 . 2010-03-01 23:32 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-01 23:24 . 2010-03-01 23:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-01 23:13 . 2010-03-01 23:13 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 23:49 . 2009-07-03 05:05 -------- d-----w- c:\program files\Common Files\Kodak
2010-02-25 23:30 . 2009-07-03 05:05 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-02-25 23:30 . 2010-02-25 23:30 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
2010-02-25 23:30 . 2010-02-25 23:30 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
2010-02-25 23:26 . 2010-02-25 23:26 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\update.exe
2010-02-25 23:26 . 2010-02-25 23:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2010-02-25 23:25 . 2010-02-25 23:25 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
2010-02-25 23:25 . 2010-02-25 23:25 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_2d93d8\EasyShrx.Dll
2010-02-25 23:25 . 2010-02-25 23:25 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.2.30.1.dll
2010-02-25 06:24 . 2004-08-07 18:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 22:51 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-07 18:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 20:34 . 2004-08-07 19:36 -------- d-----w- c:\program files\Java
2010-02-21 20:34 . 2010-02-21 20:34 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-21 20:33 . 2010-02-21 20:09 79488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 00:42 . 2010-02-21 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:31 . 2010-03-07 21:00 31936 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-02-20 00:31 . 2010-03-07 21:00 29344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-02-17 13:10 . 2004-08-07 18:47 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-07 18:46 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-07 18:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-02 02:47 . 2010-02-02 02:47 50354 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\uninstall.exe
2010-02-01 20:41 . 2010-02-25 23:25 2635152 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_2d93d8\Setup.exe
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
2005-07-01 20:15 . 2005-07-01 20:15 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"NetCleaner"="nc.exe" [2002-09-14 86016]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv2"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-08-19 100056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 17:07 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-08-07 21:03 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [3/2/2010 7:08 PM 270888]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/13/2009 11:19 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/2/2010 7:08 PM 65576]
S3 SNDP106;Dual Mode Camera (8001 CIF);c:\windows\system32\drivers\sndp106.sys [3/13/2005 4:11 PM 227072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-04-17 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-06-05 00:47]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\tskADC.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\WININET.dll
c:\windows\system32\nckb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\windows\system32\nc.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
.
**************************************************************************
.
Completion time: 2010-04-17 23:10:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-18 03:10

Pre-Run: 3,959,828,480 bytes free
Post-Run: 4,368,007,168 bytes free

- - End Of File - - BDF4AAC8F67705AC1B7E302DC8110E17



#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 18 April 2010 - 03:28 AM

Hi srr123,



Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar

Please go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup). On the Update tab, click the Update Now button. When done, press Apply and then OK. Then clear your Java cache as instructed in this thread.


Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
File::
C:\system32\drivers\tskADC.tmp
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
  00,73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step2
  1. Please download TFC to your desktop
  2. Save any unsaved work. TFC will close all open application windows.
  3. Double-click TFC.exe to run the program.
  4. If prompted, click Yes to reboot.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application's digital signature has been verified. Do you want to run the application?" appears, click the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Please post back the logs in your next reply.

1. ComboFix log
2. Kas Online Scan Report

Tell me how things are going now.
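
As an added example (not part of the thread, and not ComboFix's or SystemLook's own code), the Python below decodes the hex(2) REG_EXPAND_SZ value from the CFScript above back into its string form and compares it with the atapi ImagePath that ComboFix reported. That is the check a responder wants before trusting a script that rewrites the service entry of a boot-critical driver: the fix must restore a real .sys path, and the observed path must visibly differ from it. The two embedded snippets are constructed from the logs in this thread, and the function names and the ".sys" heuristic are this example's own assumptions.

```python
import re

# Constructed sample: the registry fix from the CFScript in the thread,
# in .reg continuation form (a trailing backslash continues the value).
REG_FIX = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
  00,73,00,79,00,73,00,00,00
'''

# Constructed sample: the same key as ComboFix reported it in the log above.
COMBOFIX_SNIPPET = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\tskADC.tmp"
'''

ATAPI_KEY = r'HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi'


def join_continuations(text):
    """Merge .reg lines that end in a backslash with the line that follows."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_hex2(value):
    """Decode a hex(2): byte list (REG_EXPAND_SZ, UTF-16LE) into a str."""
    raw = bytes(int(tok, 16) for tok in value.split(',') if tok.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [keys], "name"="str"
    and "name"=hex(2):... . Returns {key: {name: decoded value}}."""
    result, key = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, val = m.groups()
        if val.startswith('hex(2):'):
            result[key][name] = decode_hex2(val[len('hex(2):'):])
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            result[key][name] = val[1:-1]
        else:
            result[key][name] = val
    return result


def check_service_image(service, observed, expected):
    """Return findings for a service whose ImagePath deviates from the
    expected driver binary; an empty list means nothing suspicious.
    The '.sys' check is a heuristic assumed for this example."""
    findings = []
    obs, exp = observed.lower(), expected.lower()
    if obs != exp:
        findings.append(f"{service}: ImagePath is '{observed}', expected '{expected}'")
    if not obs.endswith('.sys'):
        findings.append(f"{service}: driver image '{observed}' does not end in .sys")
    return findings


def audit_atapi(observed_text=COMBOFIX_SNIPPET, fix_text=REG_FIX):
    """Compare the observed atapi ImagePath with the value the fix restores."""
    observed = parse_reg(observed_text)[ATAPI_KEY]['ImagePath']
    expected = parse_reg(fix_text)[ATAPI_KEY]['ImagePath']
    return check_service_image('atapi', observed, expected)


if __name__ == '__main__':
    for finding in audit_atapi():
        print(finding)
```

Running it prints two findings for the thread's atapi entry: the observed path points at tskADC.tmp rather than the decoded value system32\DRIVERS\atapi.sys, and the image is not a .sys file at all. The same parser can be pointed at any exported service key to confirm that a proposed registry fix really restores the path you expect before it is applied.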

#7 srr123

srr123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 18 April 2010 - 02:24 PM

URGENT- EMERGENCY

I cannot get onto my computer at this point. I was following the steps above and I did the combo log fix and then I did TFC and it cleaned out my computer, asked me to reboot and now the computer will not reboot. The message "windows did not start successfully a recent hardware or software change might have caused this" is all I am getting now. I have three options: 1- start windows normally 2- start in safe mode or 3- start in last known configuration. None of those three are working. The only thing that I can do is either press F1 for setup or F10 for system recovery. Please advise ASAP!

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 18 April 2010 - 07:52 PM

Hi srr123,



Step1

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console.



4. You must enter which Windows installation to log onto. Type 1 and press Enter.



5. At the C:\Windows prompt, type the following text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following text, and press Enter:

batch erdnt.con



7. The ERUNT backups will begin copying.
8. At the next prompt, type the following text, and press Enter:

exit

Windows will now begin loading.

Let me know how things went.

#9 srr123

srr123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 18 April 2010 - 08:24 PM

I went through the steps and received the same message again as Windows was rebooting. I went ahead and tried restore to last known configuration and was able to get to the welcome screen. Then I got the message "windows cannot find c:\combofix\res.bat". I clicked okay and was taken to my desktop. Everything seems to be okay. Is there anything else I should be doing next? I do not know where it restored to and am uncertain if the TFC or the ComboFix changes have taken effect. Please advise.

Edited by srr123, 18 April 2010 - 08:38 PM.


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 18 April 2010 - 08:59 PM

Hi srr123,



Please post the ComboFix log in your next reply, and do the following:

Step1

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *atapi*
    :reg
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please post back:

1. ComboFix log
2. SystemLook log

Thanks

#11 srr123

srr123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 18 April 2010 - 09:30 PM

Posted below is the last Combofix log from before the crash and the SystemLook log. Thanks.


ComboFix 10-04-17.02 - HP_Owner 04/18/2010 14:40:15.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.486 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Personal Firewall *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}

FILE ::
"c:\system32\drivers\tskADC.tmp"
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-18 18:34 . 2010-04-18 18:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 19:03 . 2010-04-16 19:03 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\SupportSoft
2010-04-16 19:03 . 2010-04-16 19:03 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-04-12 19:59 . 2010-04-12 19:59 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\msvcp71.dll
2010-04-12 19:59 . 2010-04-12 19:59 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\jmc.dll
2010-04-12 19:59 . 2010-04-12 19:59 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4aa2ad25-n\msvcr71.dll
2010-04-12 04:59 . 2010-04-12 04:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-26 21:59 . 2010-03-26 21:59 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77d2ded7-n\decora-sse.dll
2010-03-26 21:59 . 2010-03-26 21:59 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77d2ded7-n\decora-d3d.dll
2010-03-23 01:08 . 2010-03-23 01:08 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\KodakCredentialStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 18:34 . 2004-08-08 14:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-18 18:30 . 2005-01-09 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-18 02:51 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-18 01:55 . 2010-04-18 01:55 96512 ----a-w- c:\windows\system32\drivers\tskADC.tmp
2010-04-17 19:52 . 2009-04-17 13:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 05:02 . 2009-07-03 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-12 04:59 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 21:07 . 2010-04-12 04:56 185482 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-04-03 03:31 . 2009-04-30 13:59 -------- d-----w- c:\program files\iTunes
2010-03-17 04:00 . 2005-01-16 02:19 63344 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2004-08-07 18:47 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 21:08 . 2010-03-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-07 21:04 . 2005-01-20 23:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-07 21:02 . 2010-03-07 21:03 38784 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-07 21:00 . 2010-03-07 21:00 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-07 21:00 . 2010-03-07 21:00 -------- d-----w- c:\program files\NOS
2010-03-02 23:23 . 2005-02-01 23:44 -------- d-----w- c:\program files\Design Science
2010-03-02 06:11 . 2010-03-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe(2)
2010-03-02 00:45 . 2010-03-02 00:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-01 23:32 . 2010-03-01 23:32 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-01 23:24 . 2010-03-01 23:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-01 23:13 . 2010-03-01 23:13 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 23:49 . 2009-07-03 05:05 -------- d-----w- c:\program files\Common Files\Kodak
2010-02-25 23:30 . 2009-07-03 05:05 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-02-25 23:30 . 2010-02-25 23:30 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
2010-02-25 23:30 . 2010-02-25 23:30 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
2010-02-25 23:26 . 2010-02-25 23:26 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\update.exe
2010-02-25 23:26 . 2010-02-25 23:26 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2010-02-25 23:25 . 2010-02-25 23:25 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
2010-02-25 23:25 . 2010-02-25 23:25 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_2d93d8\EasyShrx.Dll
2010-02-25 23:25 . 2010-02-25 23:25 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.2.30.1.dll
2010-02-25 06:24 . 2004-08-07 18:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-02 22:51 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-07 18:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 20:34 . 2004-08-07 19:36 -------- d-----w- c:\program files\Java
2010-02-21 20:34 . 2010-02-21 20:34 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-21 20:33 . 2010-02-21 20:09 79488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 00:42 . 2010-02-21 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:31 . 2010-03-07 21:00 31936 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-02-20 00:31 . 2010-03-07 21:00 29344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-02-17 13:10 . 2004-08-07 18:47 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-07 18:46 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-07 18:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-02 02:47 . 2010-02-02 02:47 50354 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\uninstall.exe
2010-02-01 20:41 . 2010-02-25 23:25 2635152 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_2d93d8\Setup.exe
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\HP_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
2005-07-01 20:15 . 2005-07-01 20:15 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"NetCleaner"="nc.exe" [2002-09-14 86016]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv2"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-08-19 100056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 17:07 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-08-07 21:03 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-10-22 16:53 53248 ----a-w- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [3/2/2010 7:08 PM 270888]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/2/2010 7:08 PM 65576]
S3 SNDP106;Dual Mode Camera (8001 CIF);c:\windows\system32\drivers\sndp106.sys [3/13/2005 4:11 PM 227072]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-04-17 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-06-05 00:47]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\ypy8vd9e.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00a\00t\00a\00p\00i\00."
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 14:49:14
ComboFix-quarantined-files.txt 2010-04-18 18:49
ComboFix2.txt 2010-04-18 03:10

Pre-Run: 4,271,685,632 bytes free
Post-Run: 4,241,006,592 bytes free

- - End Of File - - 46019AA19AF4FE31D087E029B2F52CD8



SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:25 on 18/04/2010 by HP_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\atapi.sy_ --a--- 49558 bytes [21:05 09/01/2005] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Downloads\funpeggy-whatapile.wmv --a--- 2875437 bytes [06:44 05/03/2005] [06:47 05/03/2005] B37737716704AEE5BC9D4125AEF3D556
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [16:22 18/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [18:45 21/02/2010] [02:51 18/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ ------ 49558 bytes [22:04 16/08/2004] [12:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM ------ 881 bytes [22:04 16/08/2004] [12:00 04/08/2004] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT ------ 449 bytes [22:04 16/08/2004] [12:00 04/08/2004] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:48 17/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [22:46 16/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [02:51 18/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

========== reg ==========

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ErrorControl"= 0x0000000001 (1)
"Group"="SCSI miniport"
"ImagePath"="system32\drivers\tskADC.tmp"
"Start"= 0000000000 (0)
"Tag"= 0x0000000019 (25)
"Type"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi\Parameters]
"AutoEjectZipDevice"="IOMEGA ZIP 100 ATAPI 23.D IOMEGA ZIP 100 ATAPI 21.D IOMEGA ZIP 100 ATAPI 20.D IOMEGA ZIP 100 ATAPI 91.D IOMEGA ZIP 100 B.29 IOMEGA ZIP 100 B.22 "
"DefaultPioAtapiDevice"="TORiSAN DVD-ROM DRD-N216 IDE-CD R/RW 2x2x24"
"EnableBigLba"= 0x0000000001 (1)
"GhostSlave"="SunDisk "
"LegacyDetection"= 0x0000000001 (1)
"NeedIdentDevice"="QUANTUM FIREBALL"
"NoFlushDevice"="QUANTUM_LPS525A SCR-730 "
"NonRemovableMedia"="Kingston Technology DataPak 340 SunDisk SDP5A-10 SunDisk SDCFB-10 SunDisk SDP3B-20 SunDisk SDP3B-175 SunDisk SDP5-2.5 Calluna Technology CT260MC BN-S004AC-S 1.00 Calluna Technology CT520RM Hitachi CV 5.1.1 ATA_FLASH Mitsubishi ATA Card LEXAR ATA_FLASH Micron MTCF004A Micron MTCF008A SunDisk SDP3B-110 SunDisk SDCFB-4 BN-CAB-T MEMORYSTICK MEMORYSTICK 8M 8K"
"NoPowerDownDevice"="RD-DRC001-M CS-R37 0 "
"PioOnlyDevice"=" Conner Peripherals 425MB - CFS425A MATSHITA CR-581 FX600S CD-44E QUANTUM TRB850A QUANTUM MARVERICK 540A MAXTOR MXT-540 AT Maxtor 71260 AT Maxtor 7850 AV Maxtor 7540 AV Maxtor 7213 AT Maxtor 7345 Maxtor 7245 AT Maxtor 7245 Maxtor 7211AU Maxtor 7171 AT CD-316E SAMSUNG_SCR-2430 CR-2801TE"
"UseCheckPowerForFlush"="SAMSUNG WNR-31601A (1600MB) SAMSUNG WNR-31601A (1.6GB) IBM-DTCA-24090 TC6OAA2A IBM-DTCA-24090 TC6IAA2A IBM-DPLA-25120 PL8OAA2A IBM-DPLA-25120 PL8IAA2A IBM-DPLA-25120 PL8IAA4A IBM-DTCA-23240 TC5OAA2A IBM-DTCA-23240 TC5IAA2A IBM-DPLA-24480 PL7OAA2A IBM-DPLA-24480 PL7IAA2A"


-=End Of File=-

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 18 April 2010 - 09:51 PM

Hi srr123,

OK! Let's do the following manually.

Start >> Run >> type regedit >> press Enter. The Registry Editor should then open. Navigate to and expand the following entry and click on atapi in the left pane.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi

Double-click the Image Path in the right pane; the Edit String window should open. Please edit system32\drivers\tskADC.tmp to system32\DRIVERS\atapi.sys.

The right one should be system32\DRIVERS\atapi.sys. Click OK, restart your PC, and recheck that the Image Path data is the right one.

After that, please rerun TDSSKiller as instructed in my previous post. Let me know if you have any remaining issues on your pc.

Edited by sundavis, 18 April 2010 - 09:56 PM.


#13 srr123

srr123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:45 AM

Posted 19 April 2010 - 04:14 PM

The Image Path data is now correct. I ran TDSSKiller again and pasted the log below. Everything seems fine.


17:11:44:765 2852 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:11:44:765 2852 ================================================================================
17:11:44:765 2852 SystemInfo:

17:11:44:765 2852 OS Version: 5.1.2600 ServicePack: 3.0
17:11:44:765 2852 Product type: Workstation
17:11:44:765 2852 ComputerName: STEVEN
17:11:44:781 2852 UserName: HP_Owner
17:11:44:781 2852 Windows directory: C:\WINDOWS
17:11:44:781 2852 Processor architecture: Intel x86
17:11:44:781 2852 Number of processors: 1
17:11:44:781 2852 Page size: 0x1000
17:11:44:781 2852 Boot type: Normal boot
17:11:44:781 2852 ================================================================================
17:11:44:781 2852 UnloadDriverW: NtUnloadDriver error 2
17:11:44:781 2852 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:11:44:828 2852 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:11:44:828 2852 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:11:44:828 2852 wfopen_ex: Trying to KLMD file open
17:11:44:828 2852 wfopen_ex: File opened ok (Flags 2)
17:11:44:828 2852 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:11:44:828 2852 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:11:44:828 2852 wfopen_ex: Trying to KLMD file open
17:11:44:828 2852 wfopen_ex: File opened ok (Flags 2)
17:11:44:828 2852 Initialize success
17:11:44:828 2852
17:11:44:828 2852 Scanning Services ...
17:11:45:156 2852 Raw services enum returned 370 services
17:11:45:156 2852
17:11:45:156 2852 Scanning Kernel memory ...
17:11:45:156 2852 Devices to scan: 11
17:11:45:156 2852
17:11:45:156 2852 Driver Name: Disk
17:11:45:156 2852 IRP_MJ_CREATE : F7675BB0
17:11:45:156 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:156 2852 IRP_MJ_CLOSE : F7675BB0
17:11:45:171 2852 IRP_MJ_READ : F766FD1F
17:11:45:171 2852 IRP_MJ_WRITE : F766FD1F
17:11:45:171 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:171 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:171 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:171 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:171 2852 IRP_MJ_FLUSH_BUFFERS : F76702E2
17:11:45:171 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:171 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:171 2852 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:11:45:171 2852 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:11:45:171 2852 IRP_MJ_DEVICE_CONTROL : F76703BB
17:11:45:171 2852 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7673F28
17:11:45:171 2852 IRP_MJ_SHUTDOWN : F76702E2
17:11:45:171 2852 IRP_MJ_LOCK_CONTROL : 804FA88E
17:11:45:171 2852 IRP_MJ_CLEANUP : 804FA88E
17:11:45:171 2852 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:11:45:171 2852 IRP_MJ_QUERY_SECURITY : 804FA88E
17:11:45:171 2852 IRP_MJ_SET_SECURITY : 804FA88E
17:11:45:171 2852 IRP_MJ_POWER : F7671C82
17:11:45:171 2852 IRP_MJ_SYSTEM_CONTROL : F767699E
17:11:45:171 2852 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:11:45:171 2852 IRP_MJ_QUERY_QUOTA : 804FA88E
17:11:45:171 2852 IRP_MJ_SET_QUOTA : 804FA88E
17:11:45:187 2852 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:11:45:187 2852
17:11:45:187 2852 Driver Name: Disk
17:11:45:187 2852 IRP_MJ_CREATE : F7675BB0
17:11:45:187 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:187 2852 IRP_MJ_CLOSE : F7675BB0
17:11:45:187 2852 IRP_MJ_READ : F766FD1F
17:11:45:187 2852 IRP_MJ_WRITE : F766FD1F
17:11:45:187 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:187 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:187 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:187 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:187 2852 IRP_MJ_FLUSH_BUFFERS : F76702E2
17:11:45:187 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:187 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:187 2852 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:11:45:187 2852 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:11:45:187 2852 IRP_MJ_DEVICE_CONTROL : F76703BB
17:11:45:187 2852 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7673F28
17:11:45:187 2852 IRP_MJ_SHUTDOWN : F76702E2
17:11:45:187 2852 IRP_MJ_LOCK_CONTROL : 804FA88E
17:11:45:187 2852 IRP_MJ_CLEANUP : 804FA88E
17:11:45:187 2852 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:11:45:187 2852 IRP_MJ_QUERY_SECURITY : 804FA88E
17:11:45:187 2852 IRP_MJ_SET_SECURITY : 804FA88E
17:11:45:187 2852 IRP_MJ_POWER : F7671C82
17:11:45:187 2852 IRP_MJ_SYSTEM_CONTROL : F767699E
17:11:45:187 2852 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:11:45:187 2852 IRP_MJ_QUERY_QUOTA : 804FA88E
17:11:45:187 2852 IRP_MJ_SET_QUOTA : 804FA88E
17:11:45:203 2852 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:11:45:203 2852
17:11:45:203 2852 Driver Name: Disk
17:11:45:203 2852 IRP_MJ_CREATE : F7675BB0
17:11:45:203 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:203 2852 IRP_MJ_CLOSE : F7675BB0
17:11:45:203 2852 IRP_MJ_READ : F766FD1F
17:11:45:203 2852 IRP_MJ_WRITE : F766FD1F
17:11:45:203 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_FLUSH_BUFFERS : F76702E2
17:11:45:203 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_DEVICE_CONTROL : F76703BB
17:11:45:203 2852 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7673F28
17:11:45:203 2852 IRP_MJ_SHUTDOWN : F76702E2
17:11:45:203 2852 IRP_MJ_LOCK_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_CLEANUP : 804FA88E
17:11:45:203 2852 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_POWER : F7671C82
17:11:45:203 2852 IRP_MJ_SYSTEM_CONTROL : F767699E
17:11:45:203 2852 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_QUOTA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_QUOTA : 804FA88E
17:11:45:203 2852 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:11:45:203 2852
17:11:45:203 2852 Driver Name: Disk
17:11:45:203 2852 IRP_MJ_CREATE : F7675BB0
17:11:45:203 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:203 2852 IRP_MJ_CLOSE : F7675BB0
17:11:45:203 2852 IRP_MJ_READ : F766FD1F
17:11:45:203 2852 IRP_MJ_WRITE : F766FD1F
17:11:45:203 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_FLUSH_BUFFERS : F76702E2
17:11:45:203 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_DEVICE_CONTROL : F76703BB
17:11:45:203 2852 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7673F28
17:11:45:203 2852 IRP_MJ_SHUTDOWN : F76702E2
17:11:45:203 2852 IRP_MJ_LOCK_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_CLEANUP : 804FA88E
17:11:45:203 2852 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_POWER : F7671C82
17:11:45:203 2852 IRP_MJ_SYSTEM_CONTROL : F767699E
17:11:45:203 2852 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_QUOTA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_QUOTA : 804FA88E
17:11:45:203 2852 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:11:45:203 2852
17:11:45:203 2852 Driver Name: USBSTOR
17:11:45:203 2852 IRP_MJ_CREATE : F7904218
17:11:45:203 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:203 2852 IRP_MJ_CLOSE : F7904218
17:11:45:203 2852 IRP_MJ_READ : F790423C
17:11:45:203 2852 IRP_MJ_WRITE : F790423C
17:11:45:203 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:203 2852 IRP_MJ_FLUSH_BUFFERS : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:203 2852 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_DEVICE_CONTROL : F7904180
17:11:45:203 2852 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FF9E6
17:11:45:203 2852 IRP_MJ_SHUTDOWN : 804FA88E
17:11:45:203 2852 IRP_MJ_LOCK_CONTROL : 804FA88E
17:11:45:203 2852 IRP_MJ_CLEANUP : 804FA88E
17:11:45:203 2852 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_SECURITY : 804FA88E
17:11:45:203 2852 IRP_MJ_POWER : F79035F0
17:11:45:203 2852 IRP_MJ_SYSTEM_CONTROL : F7901A6E
17:11:45:203 2852 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:11:45:203 2852 IRP_MJ_QUERY_QUOTA : 804FA88E
17:11:45:203 2852 IRP_MJ_SET_QUOTA : 804FA88E
17:11:45:218 2852 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:11:45:218 2852
17:11:45:218 2852 Driver Name: USBSTOR
17:11:45:218 2852 IRP_MJ_CREATE : F7904218
17:11:45:218 2852 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:11:45:218 2852 IRP_MJ_CLOSE : F7904218
17:11:45:218 2852 IRP_MJ_READ : F790423C
17:11:45:218 2852 IRP_MJ_WRITE : F790423C
17:11:45:218 2852 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:11:45:218 2852 IRP_MJ_SET_INFORMATION : 804FA88E
17:11:45:218 2852 IRP_MJ_QUERY_EA : 804FA88E
17:11:45:218 2852 IRP_MJ_SET_EA : 804FA88E
17:11:45:218 2852 IRP_MJ_FLUSH_BUFFERS : 804FA88E
17:11:45:218 2852 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:11:45:218 2852 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:11:45:250 2852 Completed
17:11:45:250 2852
17:11:45:250 2852 Results:
17:11:45:250 2852 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:11:45:250 2852 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:11:45:250 2852 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:11:45:250 2852
17:11:45:250 2852 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:11:45:250 2852 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:11:45:250 2852 KLMD(ARK) unloaded successfully


#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:09:45 AM

Posted 19 April 2010 - 06:33 PM

Hi srr123,



Please delete the following file manually: c:\windows\system32\drivers\tskADC.tmp

Other than that, your system appears clean now. If you have no remaining issues on your PC, let's do some tidying up and you should be good to go.


Step 1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step 2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC.
    Secunia Software Inspector
    F-Secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#15 srr123

srr123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 20 April 2010 - 12:13 AM

Thanks for all your help.



