
Yahoo search link redirects


17 replies to this topic

#1 dcdeh

dcdeh

  • Members
  • 11 posts

Posted 14 April 2010 - 03:28 PM

I just removed XP Antispyware from my computer. Tried removing with Malwarebytes' Anti-Malware first, but it wouldn't work, so I bought Spyware Doctor and it removed the pop-ups. But now when I search something on Yahoo it redirects me to another website. I have run the DDS log. Tried to create a GMER log, but it shuts down my computer when I try. I used the instructions to do this from the preparation guide (unchecking IAT/EAT and Show all). Here is the DDS report:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:11:09.53 on Wed 04/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.403 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\DOWNLO~1\MyWebEx\319\atnthost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\319\RAAGTAPP.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\319\raagtx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: PrxcnBHO Class: {7d9e713d-0388-4384-bdd8-2a42eb1c4f04} - c:\program files\netwitz nitro\PrxcnBrsrCtrl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Mailstation Assistant] c:\program files\pitney bowes\mailstation 2\mailstationAssistant minimize
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\windows\downlo~1\mywebex\319\raagtx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144511096390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144511275453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.4503935185
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
TCP: {85AFF3EC-43E4-41A5-B18F-5F3AB95B2819} = 206.80.87.124,206.80.87.120
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-12 217032]
R2 atnthost;WebEx Remote Access Agent;c:\windows\downlo~1\mywebex\319\atnthost.exe [2010-3-11 16776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-12 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2008-7-14 20600]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-15 174976]

=============== Created Last 30 ================

2010-04-14 19:07:00 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-12 21:14:13 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-12 21:14:13 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-12 21:14:13 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-12 21:14:13 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-12 21:14:13 131 ----a-w- c:\windows\IDB.zip
2010-04-12 21:14:12 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-12 21:14:12 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-12 21:14:12 1152444 ----a-w- c:\windows\UDB.zip
2010-04-12 21:11:52 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-12 21:11:51 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-12 21:11:40 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-12 21:11:40 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-12 21:11:40 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-12 21:11:40 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-12 21:11:31 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-12 21:11:31 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-12 21:11:20 0 d-----w- c:\program files\Spyware Doctor
2010-04-12 21:11:20 0 d-----w- c:\program files\common files\PC Tools
2010-04-12 21:11:20 0 d-----w- c:\docume~1\owner\applic~1\PC Tools
2010-04-12 21:11:20 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-12 15:05:44 0 d-----w- c:\docume~1\owner\applic~1\GetRightToGo
2010-04-12 13:07:26 169984 ----a-w- c:\windows\Fsetab.exe
2010-04-08 20:29:28 189952 ----a-w- c:\windows\Fsetaa.exe
2010-04-06 13:39:12 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-29 13:52:33 0 d-----w- c:\documents and settings\owner\.sv
2010-03-29 13:52:31 0 d-----w- c:\documents and settings\owner\.jogl_ext
2010-03-29 13:51:53 0 d-----w- c:\docume~1\owner\applic~1\Octoshape
2010-03-23 18:54:50 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-23 18:53:54 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition

==================== Find3M ====================

2010-03-11 20:36:56 50652 ----a-w- c:\windows\system32\drivers\atntwink.sys
2010-03-11 20:36:56 196681 ----a-w- c:\windows\system32\atrant40.dll
2010-03-11 20:36:47 128312 ----a-w- c:\windows\atagtctl.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:54 2054144 ----a-w- c:\windows\system32\wevgiy.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-01 15:46:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-10-14 17:31:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat
2008-12-23 21:43:41 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-12-23 21:43:41 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 14:13:28.56 ===============
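The "Pseudo HJT Report" section of a DDS log (the part between the process list and the services list above) is what a helper reads first: browser helper objects, toolbars, autostart entries, per-interface DNS servers and policy values. The parser below is an added example, not part of this thread and not DDS's own code; it triages that section the way a reviewer would by hand, flagging registrations that point at a missing file, listing what the browser loads, pulling out the configured DNS servers and noting the EnableLUA policy value. The line formats it expects are assumed from the log as pasted above, and the sample lines are a constructed subset copied from that log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines taken from the DDS "Pseudo HJT Report" above.
SAMPLE = r"""uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: PrxcnBHO Class: {7d9e713d-0388-4384-bdd8-2a42eb1c4f04} - c:\program files\netwitz nitro\PrxcnBrsrCtrl.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
TCP: {85AFF3EC-43E4-41A5-B18F-5F3AB95B2819} = 206.80.87.124,206.80.87.120
"""

# A registry CLSID/GUID in braces, upper or lower case, as DDS prints them.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "KIND: body" or "KIND = value"; the kind is everything before the first ':' or '='.
LINE_RE = re.compile(r"^([^:=]+?)\s*[:=]\s*(.*)$")

@dataclass
class Entry:
    kind: str             # e.g. "BHO", "TB", "mRun", "TCP", "mPolicies-system"
    body: str             # text after the kind prefix
    clsid: Optional[str]  # CLSID when one appears on the line
    path: Optional[str]   # file path (or URL) the entry loads, if recognisable
    orphan: bool          # True when the registration points at "No File"

def parse_hjt(text: str) -> List[Entry]:
    """Parse the lines of a DDS pseudo-HJT section into Entry records (assumed format)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        clsid_m = CLSID_RE.search(body)
        orphan = body.endswith("No File")
        path: Optional[str] = None
        if body.startswith("[") and "] " in body:
            # Run/RunOnce style: "[ValueName] command"
            path = body.split("] ", 1)[1].strip('"')
        elif " - " in body and not orphan:
            # BHO/TB/DPF/Handler style: "name: {clsid} - path"
            path = body.rsplit(" - ", 1)[1]
        entries.append(Entry(kind, body, clsid_m.group(0) if clsid_m else None, path, orphan))
    return entries

def nameservers(entries: List[Entry]) -> List[str]:
    """DNS servers from "TCP: {interface} = a,b" lines, in the order listed."""
    servers: List[str] = []
    for e in entries:
        if e.kind == "TCP" and "=" in e.body:
            servers.extend(s.strip() for s in e.body.split("=", 1)[1].split(",") if s.strip())
    return servers

def triage(entries: List[Entry]) -> List[str]:
    """Produce review findings; every finding is derived from the parsed line, nothing is judged malicious here."""
    findings: List[str] = []
    for e in entries:
        if e.orphan:
            findings.append(f"orphan: {e.kind} {e.clsid or e.body} is registered but its file is missing (leftover to clean up)")
        elif e.kind in ("BHO", "TB", "EB", "uURLSearchHooks"):
            findings.append(f"browser-loaded: {e.kind} {e.clsid} -> {e.path} (verify the vendor and file)")
        elif e.kind in ("uRun", "mRun", "dRunOnce"):
            findings.append(f"autostart: {e.kind} {e.path}")
        elif e.kind == "TCP":
            findings.append("dns: interface resolvers " + ", ".join(nameservers([e])) + " (confirm they are the ISP's or router's)")
        elif e.kind.startswith("mPolicies") and "EnableLUA = 0" in e.body:
            findings.append("policy: EnableLUA = 0 (UAC policy value; only meaningful on Vista and later)")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE)):
        print(finding)
```

Orphan entries ("No File") are usually leftovers of an earlier removal rather than active code, so the function separates them from registrations that still load a module; the DNS and browser-extension findings are prompts to verify, not verdicts, which is the right posture when a search redirect could come from a BHO, a search hook or a resolver change alike.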





#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 18 April 2010 - 10:22 AM

Hello, dcdeh

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 dcdeh

dcdeh
  • Topic Starter

  • Members
  • 11 posts

Posted 19 April 2010 - 09:41 AM

Jat,
Here is the log.

ComboFix 10-04-18.04 - Owner 04/19/2010 9:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.601 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\645Xv.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\e0SpSjR.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\pswxoV.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Y8vGM12U.jpg
c:\program files\MW
c:\program files\MW\Malware Wiped 6.6\ignorelist.dat
c:\program files\MW\Malware Wiped 6.6\malwarewipe.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\319\aasetup.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atagtctl.exe
c:\windows\Downloaded Program Files\MyWebEx\319\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\319\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\319\ataudio.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atauthor.exe
c:\windows\Downloaded Program Files\MyWebEx\319\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\319\ateditor.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atinet.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atnthost.exe
c:\windows\Downloaded Program Files\MyWebEx\319\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atpcapnt.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atpng12.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atprtses.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atrares.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atrcp.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atrecply.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atrpui.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atscr.scr
c:\windows\Downloaded Program Files\MyWebEx\319\atstmget.dll
c:\windows\Downloaded Program Files\MyWebEx\319\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\319\atwbxui5.dll
c:\windows\Downloaded Program Files\MyWebEx\319\Install.ini
c:\windows\Downloaded Program Files\MyWebEx\319\mwpc.ini
c:\windows\Downloaded Program Files\MyWebEx\319\raagt.dll
c:\windows\Downloaded Program Files\MyWebEx\319\raagtapp.exe
c:\windows\Downloaded Program Files\MyWebEx\319\raagtx.exe
c:\windows\Downloaded Program Files\MyWebEx\319\racfg.exe
c:\windows\Downloaded Program Files\MyWebEx\319\rafilesp.dll
c:\windows\Downloaded Program Files\MyWebEx\319\ramtmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\319\ratrace.dll
c:\windows\Downloaded Program Files\MyWebEx\319\raupdate.exe
c:\windows\Downloaded Program Files\MyWebEx\319\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\319\trace.txt
c:\windows\Downloaded Program Files\MyWebEx\319\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\319\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\319\WbxDLDrv.exe
c:\windows\Downloaded Program Files\MyWebEx\319\WbxDLMgr.dll
c:\windows\Downloaded Program Files\MyWebEx\319\xstatus.log
c:\windows\system32\bszip.dll

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-15 21:02 . 2010-04-15 21:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-15 20:22 . 2010-04-15 20:26 -------- dc-h--w- c:\windows\ie8
2010-04-14 18:56 . 2010-04-14 18:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2010-04-12 21:14 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-12 21:14 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-12 21:14 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-04-12 21:14 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-12 21:14 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-12 21:14 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-12 21:11 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-12 21:11 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-12 21:11 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-12 21:11 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-12 21:11 . 2010-04-19 14:29 -------- d-----w- c:\program files\Spyware Doctor
2010-04-12 21:11 . 2010-04-12 21:14 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-12 21:11 . 2010-04-12 21:11 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-04-12 21:11 . 2010-04-12 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-12 15:05 . 2010-04-12 15:06 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-04-12 13:07 . 2010-04-12 13:06 169984 ----a-w- c:\windows\Fsetab.exe
2010-04-09 13:46 . 2010-04-09 13:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-04-08 20:29 . 2010-04-08 20:29 189952 ----a-w- c:\windows\Fsetaa.exe
2010-04-06 13:39 . 2010-04-06 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-29 13:52 . 2010-03-29 13:52 -------- d-----w- c:\documents and settings\Owner\.sv
2010-03-29 13:52 . 2010-03-29 15:29 -------- d-----w- c:\documents and settings\Owner\.jogl_ext
2010-03-29 13:51 . 2010-03-29 13:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Octoshape
2010-03-23 18:54 . 2010-03-23 18:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-23 18:54 . 2010-03-23 18:55 -------- d-----w- c:\program files\Windows Live
2010-03-23 18:53 . 2010-03-23 18:53 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 14:31 . 2006-12-23 13:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-19 13:58 . 2007-10-05 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 21:28 . 2010-03-05 19:21 139776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-16 21:27 . 2010-03-04 19:52 3195 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-04-16 14:15 . 2009-01-23 19:19 -------- d-----w- c:\program files\Lavasoft
2010-04-15 20:27 . 2008-03-24 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-04-15 20:27 . 2006-01-20 20:00 -------- d-----w- c:\program files\Yahoo!
2010-04-14 18:49 . 2007-08-20 14:11 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-12 20:26 . 2010-04-08 21:49 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-12 20:26 . 2010-01-26 14:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 21:15 . 2010-04-12 20:40 243662 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2010-04-08 12:59 . 2010-03-05 14:08 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-08 12:59 . 2010-03-05 14:08 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-04-07 03:50 . 2010-04-07 03:50 3693160 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\yau\{458D9290-B2D6-4189-96E4-7723E0C6634A}\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
2010-03-11 20:36 . 2010-03-11 20:36 50652 ----a-w- c:\windows\system32\drivers\atntwink.sys
2010-03-11 20:36 . 2010-03-11 20:36 196681 ----a-w- c:\windows\system32\atrant40.dll
2010-03-11 20:36 . 2010-03-11 20:37 128312 ----a-w- c:\windows\atagtctl.exe
2010-03-11 12:38 . 2010-03-11 12:38 2054144 ----a-w- c:\windows\system32\wevgiy.dll
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 22:38 . 2010-03-04 22:38 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-03-04 22:38 . 2010-03-04 22:38 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-03-04 22:37 . 2010-03-04 22:38 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-03-04 22:37 . 2010-03-04 22:38 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-03-04 20:24 . 2005-03-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-03-04 19:51 . 2010-03-04 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-03-04 19:36 . 2003-09-01 22:38 -------- d-----w- c:\program files\Common Files\Intuit
2010-03-04 19:35 . 2010-03-04 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-03-04 19:35 . 2003-09-01 23:26 -------- d-----w- c:\program files\Intuit
2010-03-04 19:33 . 2010-03-04 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-03-04 19:33 . 2010-03-04 19:33 -------- d-----w- c:\program files\MSXML 4.0
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 18:30 . 2009-10-01 17:31 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-02-03 18:30 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-02-03 18:29 . 2010-02-03 18:29 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-01-19 16:08 . 2010-01-19 16:08 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 16:08 . 2010-01-19 16:08 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mailstation Assistant"="c:\program files\Pitney Bowes\mailstation 2\mailstationAssistant minimize" [X]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 16:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 16:55 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 23:41 163840 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 09:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tfwmon]
2006-04-08 16:42 520192 ----a-w- c:\program files\Track4Win Monitor\STMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2003-05-15 23:45 114688 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Track4Win Monitor\\STMonitor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pitney Bowes\\mailstation 2\\mailstationAssistant.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/12/2010 4:11 PM 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/12/2010 4:14 PM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/12/2010 4:11 PM 366840]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 atnthost;WebEx Remote Access Agent;"c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe" --> c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [7/14/2008 10:50 AM 20600]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/15/2002 6:18 PM 174976]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{179C22FF-DE32-4246-A26A-E624A0311729}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
TCP: {85AFF3EC-43E4-41A5-B18F-5F3AB95B2819} = 206.80.87.124,206.80.87.120
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
MSConfigStartUp-Iomega Automatic Backup - c:\program files\Iomega\Iomega Automatic Backup\iBackup.exe
AddRemove-SiS7012 - c:\progra~1\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012
AddRemove-{f50bc8dc-2ee0-46d3-bcd4-247fa737e62a} - c:\windows\system32\rlvknlg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 09:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys >>UNKNOWN [0x86B668C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751af28
\Driver\ACPI -> ACPI.sys @ 0xf746dcb8
\Driver\atapi -> atapi.sys @ 0xf7402b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/100 M Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf72e0bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72eda21
SendHandler -> NDIS.sys @ 0xf72cb87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\brss01a.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Pitney Bowes\mailstation 2\mailstationAssistant.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
.
**************************************************************************
.
Completion time: 2010-04-19 09:38:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-19 14:38

Pre-Run: 19,798,683,648 bytes free
Post-Run: 21,025,976,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D52F066042D4A69584C04E1E41DAC707


#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 19 April 2010 - 04:01 PM

Hello,

Let's see if GMER can now scan:

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning
.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 20 April 2010 - 10:41 AM

Jat,
Had to uncheck Devices for scan to work. Here it is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 10:34:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73D9E64]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73B9EEE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF73BA0E0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73DA652]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73DA906]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73D8B64]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73DAD72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73DA124]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73B9B5C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF740F780]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00910001
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[124] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018E0001
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[260] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[340] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1772] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01080001
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[1996] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04600001
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Pitney Bowes\mailstation 2\mailstationAssistant.exe[2004] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[2020] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\WINDOWS\system32\ctfmon.exe[2032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E50001
.text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[2856] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\WINDOWS\System32\alg.exe[2856] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[2856] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2856] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2856] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\alg.exe[2856] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wuauclt.exe[3128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003B0001
.text C:\WINDOWS\system32\wuauclt.exe[3128] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wuauclt.exe[3128] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wuauclt.exe[3128] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[3128] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\wuauclt.exe[3128] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3272] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 20 April 2010 - 05:38 PM

Hello,

Gmer has thrown up the older variant of the TDL rootkit; it is known to have backdoor capabilities:

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

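The atapi.sys lines in the GMER log above are what this diagnosis rests on. As an added example (not code from this thread, from GMER or from Jat90), here is a small triage script for the GMER 1.0.15 log format: it attributes SSDT hooks to the installed security product, flags a driver whose entry point has been moved into a non-code section such as .rsrc, and cross-checks that against GMER's "suspicious modification" file entries. The sample log, the example_unknown.sys line and the trusted-vendor list are constructed.

```python
"""Triage helper for GMER 1.0.15 logs (added example, not GMER's or the thread's code).

Separates SSDT hooks owned by an installed security product from hooks GMER could
not attribute, flags a driver whose entry point lies in a non-code section (e.g.
.rsrc), and cross-checks that against GMER's "suspicious modification" file lines.
"""
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 layout (section headers, SSDT lines, a
# kernel code section line, a Files line). It mirrors the format of the posted
# log; the example_unknown.sys hook is invented to exercise the unattributed path.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 10:34:26
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73D9E64]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73B9B5C]
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwOpenProcess [0xF7A00000]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF740F780]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r'^---- (?P<name>.+?) - GMER [\d.]+ ----$')
SSDT_RE = re.compile(r'^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?'
                     r'\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$')
ENTRY_RE = re.compile(r'^(?P<sect>\S+)\s+(?P<path>.+?)\s+entry point in '
                      r'"(?P<in>[^"]+)" section\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$')
FILE_RE = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification$')

# A driver's entry point belongs in a code section; one of these means the image
# on disk has been rewritten so that execution starts in data or resources.
NON_CODE_SECTIONS = {".rsrc", ".reloc", ".data", ".rdata"}


def parse_sections(log):
    """Split a GMER log into {section name: [non-blank lines]}."""
    sections = defaultdict(list)
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        sections[current].append(line)
    return sections


def attribute_ssdt_hooks(lines, trusted_vendors):
    """Group SSDT hooks by module when GMER names a trusted vendor; collect the rest."""
    trusted, unattributed = defaultdict(list), []
    for line in lines:
        m = SSDT_RE.match(line)
        if not m:
            continue
        desc = m.group("desc") or ""          # "Description/Vendor" or absent
        vendor = desc.rsplit("/", 1)[-1].strip() if "/" in desc else ""
        if vendor in trusted_vendors:
            trusted[m.group("module")].append(m.group("func"))
        else:
            unattributed.append((m.group("module"), m.group("func")))
    return dict(trusted), unattributed


def find_kernel_anomalies(lines):
    """Drivers whose entry point GMER reports inside a non-code section."""
    hits = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m and m.group("in") in NON_CODE_SECTIONS:
            hits.append((m.group("path"), m.group("in")))
    return hits


def find_suspicious_files(lines):
    return [m.group("path") for m in map(FILE_RE.match, lines) if m]


def triage(log, trusted_vendors=frozenset({"PC Tools"})):
    """Return the findings plus a verdict: escalate / review / clean."""
    s = parse_sections(log)
    trusted, unattributed = attribute_ssdt_hooks(s.get("System", []), trusted_vendors)
    anomalies = find_kernel_anomalies(s.get("Kernel code sections", []))
    suspicious = find_suspicious_files(s.get("Files", []))
    # Same driver flagged by both checks: high-confidence on-disk modification.
    corroborated = sorted({p for p, _ in anomalies} & set(suspicious))
    if anomalies:
        verdict = "escalate"
    elif suspicious or unattributed:
        verdict = "review"
    else:
        verdict = "clean"
    return {"trusted_hooks": trusted, "unattributed_hooks": unattributed,
            "kernel_anomalies": anomalies, "suspicious_files": suspicious,
            "corroborated": corroborated, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```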

#7 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2010 - 08:38 AM

Jat,
I still want to clean the machine. I will have my boss bring me another computer but for now let's try it. What do I need to do?

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 21 April 2010 - 03:23 PM

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2010 - 03:46 PM

Jat,
When I try to run Combo Fix it tells me:
You cannot remane ComboFix as ComboFix(1). Pleas use another name, preferable made up of alphanumeric characters.

It doesn't give me a box to name it. What should I do?

#10 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2010 - 03:47 PM

I meant to type rename, not remane. Sorry!

#11 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2010 - 04:07 PM

My computer just shut down and restarted on its own.

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 21 April 2010 - 06:50 PM

Delete the copy you have then download it again.

If that doesn't work try running it in safe mode.

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 dcdeh

dcdeh
  • Topic Starter
  • Members
  • 11 posts

Posted 23 April 2010 - 11:12 AM

ComboFix 10-04-21.01 - Owner 04/23/2010 10:44:34.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.607 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

2010-04-23 15:14 . 2010-04-23 15:14 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-23 15:14 . 2010-04-23 15:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-15 21:02 . 2010-04-15 21:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-15 20:22 . 2010-04-15 20:26 -------- dc-h--w- c:\windows\ie8
2010-04-14 18:56 . 2010-04-14 18:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2010-04-12 21:14 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-12 21:14 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-12 21:14 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-04-12 21:14 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-12 21:14 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-12 21:14 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-12 21:11 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-12 21:11 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-12 21:11 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-12 21:11 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-12 21:11 . 2010-04-23 15:49 -------- d-----w- c:\program files\Spyware Doctor
2010-04-12 21:11 . 2010-04-12 21:14 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-12 21:11 . 2010-04-12 21:11 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-04-12 21:11 . 2010-04-12 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-12 15:05 . 2010-04-12 15:06 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-04-12 13:07 . 2010-04-12 13:06 169984 ----a-w- c:\windows\Fsetab.exe
2010-04-09 13:46 . 2010-04-09 13:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-04-08 21:49 . 2010-04-12 20:26 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-08 20:29 . 2010-04-08 20:29 189952 ----a-w- c:\windows\Fsetaa.exe
2010-04-07 03:50 . 2010-04-07 03:50 3693160 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\yau\{458D9290-B2D6-4189-96E4-7723E0C6634A}\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
2010-04-06 13:39 . 2010-04-06 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-29 13:52 . 2010-03-29 13:52 -------- d-----w- c:\documents and settings\Owner\.sv
2010-03-29 13:52 . 2010-03-29 15:29 -------- d-----w- c:\documents and settings\Owner\.jogl_ext
2010-03-29 13:51 . 2010-03-29 13:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Octoshape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 15:43 . 2006-12-23 13:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-23 15:12 . 2010-03-05 19:21 139776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-23 15:05 . 2010-03-04 19:52 3195 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-04-19 13:58 . 2007-10-05 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-16 14:15 . 2009-01-23 19:19 -------- d-----w- c:\program files\Lavasoft
2010-04-15 20:27 . 2008-03-24 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-04-15 20:27 . 2006-01-20 20:00 -------- d-----w- c:\program files\Yahoo!
2010-04-14 18:49 . 2007-08-20 14:11 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-12 20:26 . 2010-01-26 14:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 21:15 . 2010-04-12 20:40 243662 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2010-04-08 12:59 . 2010-03-05 14:08 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-08 12:59 . 2010-03-05 14:08 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-03-23 18:55 . 2010-03-23 18:54 -------- d-----w- c:\program files\Windows Live
2010-03-23 18:54 . 2010-03-23 18:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-23 18:53 . 2010-03-23 18:53 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-11 20:36 . 2010-03-11 20:36 50652 ----a-w- c:\windows\system32\drivers\atntwink.sys
2010-03-11 20:36 . 2010-03-11 20:36 196681 ----a-w- c:\windows\system32\atrant40.dll
2010-03-11 20:36 . 2010-03-11 20:37 128312 ----a-w- c:\windows\atagtctl.exe
2010-03-11 12:38 . 2010-03-11 12:38 2054144 ----a-w- c:\windows\system32\wevgiy.dll
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 22:38 . 2010-03-04 22:38 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-03-04 22:38 . 2010-03-04 22:38 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-03-04 22:37 . 2010-03-04 22:38 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-03-04 22:37 . 2010-03-04 22:38 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-03-04 20:24 . 2005-03-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-03-04 19:51 . 2010-03-04 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-03-04 19:36 . 2003-09-01 22:38 -------- d-----w- c:\program files\Common Files\Intuit
2010-03-04 19:35 . 2010-03-04 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-03-04 19:35 . 2003-09-01 23:26 -------- d-----w- c:\program files\Intuit
2010-03-04 19:33 . 2010-03-04 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-03-04 19:33 . 2010-03-04 19:33 -------- d-----w- c:\program files\MSXML 4.0
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 18:30 . 2009-10-01 17:31 143976 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2010-02-03 18:30 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-02-03 18:29 . 2010-02-03 18:29 1794456 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mailstation Assistant"="c:\program files\Pitney Bowes\mailstation 2\mailstationAssistant minimize" [X]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 21:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 16:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 16:55 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 23:41 163840 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 09:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tfwmon]
2006-04-08 16:42 520192 ----a-w- c:\program files\Track4Win Monitor\STMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2003-05-15 23:45 114688 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Track4Win Monitor\\STMonitor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pitney Bowes\\mailstation 2\\mailstationAssistant.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/12/2010 4:11 PM 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/12/2010 4:14 PM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/12/2010 4:11 PM 366840]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 atnthost;WebEx Remote Access Agent;"c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe" --> c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [7/14/2008 10:50 AM 20600]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/15/2002 6:18 PM 174976]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{179C22FF-DE32-4246-A26A-E624A0311729}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
TCP: {85AFF3EC-43E4-41A5-B18F-5F3AB95B2819} = 206.80.87.124,206.80.87.120
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 11:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys >>UNKNOWN [0x86B668C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751af28
\Driver\ACPI -> ACPI.sys @ 0xf746dcb8
\Driver\atapi -> atapi.sys @ 0xf7402b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/100 M Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf72e0bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72eda21
SendHandler -> NDIS.sys @ 0xf72cb87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2010-04-23 11:09:15
ComboFix-quarantined-files.txt 2010-04-23 16:09
ComboFix2.txt 2010-04-19 14:38

Pre-Run: 20,316,467,200 bytes free
Post-Run: 20,926,033,920 bytes free

- - End Of File - - 218E95C9F402B109AF8776D81D6809F9


#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:08:01 PM

Posted 23 April 2010 - 12:58 PM

Hello,

TDSS Killer
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Vista Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste its contents in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 dcdeh

dcdeh
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:01 PM

Posted 23 April 2010 - 02:07 PM

13:59:18:218 2324 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:59:18:218 2324 ================================================================================
13:59:18:218 2324 SystemInfo:

13:59:18:218 2324 OS Version: 5.1.2600 ServicePack: 3.0
13:59:18:218 2324 Product type: Workstation
13:59:18:218 2324 ComputerName: CATHY
13:59:18:218 2324 UserName: Owner
13:59:18:218 2324 Windows directory: C:\WINDOWS
13:59:18:218 2324 Processor architecture: Intel x86
13:59:18:218 2324 Number of processors: 1
13:59:18:218 2324 Page size: 0x1000
13:59:18:218 2324 Boot type: Normal boot
13:59:18:218 2324 ================================================================================
13:59:18:234 2324 UnloadDriverW: NtUnloadDriver error 2
13:59:18:234 2324 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:59:18:281 2324 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:59:18:281 2324 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:59:18:281 2324 wfopen_ex: Trying to KLMD file open
13:59:18:281 2324 wfopen_ex: File opened ok (Flags 2)
13:59:18:281 2324 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:59:18:281 2324 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:59:18:281 2324 wfopen_ex: Trying to KLMD file open
13:59:18:281 2324 wfopen_ex: File opened ok (Flags 2)
13:59:18:281 2324 Initialize success
13:59:18:281 2324
13:59:18:281 2324 Scanning Services ...
13:59:18:859 2324 Raw services enum returned 360 services
13:59:18:875 2324
13:59:18:875 2324 Scanning Kernel memory ...
13:59:18:890 2324 Devices to scan: 3
13:59:18:890 2324
13:59:18:890 2324 Driver Name: Disk
13:59:18:890 2324 IRP_MJ_CREATE : F751CBB0
13:59:18:890 2324 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:59:18:890 2324 IRP_MJ_CLOSE : F751CBB0
13:59:18:890 2324 IRP_MJ_READ : F7516D1F
13:59:18:890 2324 IRP_MJ_WRITE : F7516D1F
13:59:18:890 2324 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:59:18:890 2324 IRP_MJ_SET_INFORMATION : 804FA88E
13:59:18:890 2324 IRP_MJ_QUERY_EA : 804FA88E
13:59:18:890 2324 IRP_MJ_SET_EA : 804FA88E
13:59:18:890 2324 IRP_MJ_FLUSH_BUFFERS : F75172E2
13:59:18:890 2324 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:59:18:890 2324 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:59:18:890 2324 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:59:18:890 2324 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:59:18:890 2324 IRP_MJ_DEVICE_CONTROL : F75173BB
13:59:18:890 2324 IRP_MJ_INTERNAL_DEVICE_CONTROL : F751AF28
13:59:18:890 2324 IRP_MJ_SHUTDOWN : F75172E2
13:59:18:890 2324 IRP_MJ_LOCK_CONTROL : 804FA88E
13:59:18:890 2324 IRP_MJ_CLEANUP : 804FA88E
13:59:18:890 2324 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:59:18:890 2324 IRP_MJ_QUERY_SECURITY : 804FA88E
13:59:18:890 2324 IRP_MJ_SET_SECURITY : 804FA88E
13:59:18:890 2324 IRP_MJ_POWER : F7518C82
13:59:18:890 2324 IRP_MJ_SYSTEM_CONTROL : F751D99E
13:59:18:890 2324 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:59:18:890 2324 IRP_MJ_QUERY_QUOTA : 804FA88E
13:59:18:890 2324 IRP_MJ_SET_QUOTA : 804FA88E
13:59:18:968 2324 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:59:18:968 2324
13:59:18:968 2324 Driver Name: Disk
13:59:18:968 2324 IRP_MJ_CREATE : F751CBB0
13:59:18:968 2324 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:59:18:968 2324 IRP_MJ_CLOSE : F751CBB0
13:59:18:968 2324 IRP_MJ_READ : F7516D1F
13:59:18:968 2324 IRP_MJ_WRITE : F7516D1F
13:59:18:968 2324 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:59:18:968 2324 IRP_MJ_SET_INFORMATION : 804FA88E
13:59:18:968 2324 IRP_MJ_QUERY_EA : 804FA88E
13:59:18:968 2324 IRP_MJ_SET_EA : 804FA88E
13:59:18:968 2324 IRP_MJ_FLUSH_BUFFERS : F75172E2
13:59:18:968 2324 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:59:18:968 2324 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:59:18:968 2324 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:59:18:968 2324 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:59:18:968 2324 IRP_MJ_DEVICE_CONTROL : F75173BB
13:59:18:968 2324 IRP_MJ_INTERNAL_DEVICE_CONTROL : F751AF28
13:59:18:968 2324 IRP_MJ_SHUTDOWN : F75172E2
13:59:18:968 2324 IRP_MJ_LOCK_CONTROL : 804FA88E
13:59:18:968 2324 IRP_MJ_CLEANUP : 804FA88E
13:59:18:968 2324 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:59:18:968 2324 IRP_MJ_QUERY_SECURITY : 804FA88E
13:59:18:968 2324 IRP_MJ_SET_SECURITY : 804FA88E
13:59:18:968 2324 IRP_MJ_POWER : F7518C82
13:59:18:968 2324 IRP_MJ_SYSTEM_CONTROL : F751D99E
13:59:18:968 2324 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:59:18:968 2324 IRP_MJ_QUERY_QUOTA : 804FA88E
13:59:18:968 2324 IRP_MJ_SET_QUOTA : 804FA88E
13:59:19:000 2324 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:59:19:000 2324
13:59:19:000 2324 Driver Name: atapi
13:59:19:000 2324 IRP_MJ_CREATE : F7402B3A
13:59:19:000 2324 IRP_MJ_CREATE_NAMED_PIPE : F7402B3A
13:59:19:000 2324 IRP_MJ_CLOSE : F7402B3A
13:59:19:000 2324 IRP_MJ_READ : F7402B3A
13:59:19:000 2324 IRP_MJ_WRITE : F7402B3A
13:59:19:000 2324 IRP_MJ_QUERY_INFORMATION : F7402B3A
13:59:19:000 2324 IRP_MJ_SET_INFORMATION : F7402B3A
13:59:19:000 2324 IRP_MJ_QUERY_EA : F7402B3A
13:59:19:000 2324 IRP_MJ_SET_EA : F7402B3A
13:59:19:000 2324 IRP_MJ_FLUSH_BUFFERS : F7402B3A
13:59:19:000 2324 IRP_MJ_QUERY_VOLUME_INFORMATION : F7402B3A
13:59:19:000 2324 IRP_MJ_SET_VOLUME_INFORMATION : F7402B3A
13:59:19:000 2324 IRP_MJ_DIRECTORY_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_FILE_SYSTEM_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_DEVICE_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_SHUTDOWN : F7402B3A
13:59:19:000 2324 IRP_MJ_LOCK_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_CLEANUP : F7402B3A
13:59:19:000 2324 IRP_MJ_CREATE_MAILSLOT : F7402B3A
13:59:19:000 2324 IRP_MJ_QUERY_SECURITY : F7402B3A
13:59:19:000 2324 IRP_MJ_SET_SECURITY : F7402B3A
13:59:19:000 2324 IRP_MJ_POWER : F7402B3A
13:59:19:000 2324 IRP_MJ_SYSTEM_CONTROL : F7402B3A
13:59:19:000 2324 IRP_MJ_DEVICE_CHANGE : F7402B3A
13:59:19:000 2324 IRP_MJ_QUERY_QUOTA : F7402B3A
13:59:19:000 2324 IRP_MJ_SET_QUOTA : F7402B3A
13:59:19:000 2324 Driver "atapi" infected by TDSS rootkit!
13:59:19:031 2324 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
13:59:19:031 2324 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
13:59:19:031 2324 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
13:59:19:031 2324 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:59:19:265 2324 vfvi6
13:59:19:390 2324 !dsvbh1
13:59:19:968 2324 dsvbh2
13:59:19:968 2324 fdfb2
13:59:19:968 2324 Backup copy found, using it..
13:59:20:015 2324 will be cured on next reboot
13:59:20:015 2324 Reboot required for cure complete..
13:59:20:078 2324 Cure on reboot scheduled successfully
13:59:20:078 2324
13:59:20:078 2324 Completed
13:59:20:078 2324
13:59:20:078 2324 Results:
13:59:20:078 2324 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:59:20:078 2324 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:59:20:078 2324 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:59:20:078 2324
13:59:20:093 2324 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:59:20:093 2324 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:59:20:093 2324 UnloadDriverW: NtUnloadDriver error 1
13:59:20:093 2324 KLMD(ARK) unloaded successfully
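The TDSSKiller output above reports atapi as hooked with every IRP_MJ_* handler resolving to the same address, while Disk's table spreads its majors over several routines. As an added example (not code from this thread or from the TDSSKiller tool), the Python helper below parses constructed lines in that log format and flags drivers whose whole dispatch table collapses to one address; SAMPLE_LOG is a constructed excerpt, and the flag is a heuristic to corroborate the tool's own verdict line, not a replacement for it.

```python
# Added triage helper for TDSSKiller-style "Scanning Kernel memory" output.
# Heuristic only: a dispatch table whose every IRP_MJ_* entry resolves to one
# address (the atapi block above) fits a hook stub replacing all majors; a
# healthy table like Disk's spreads them over several routines.
import re
from collections import OrderedDict

# Constructed excerpt modelled on the thread's log format, not the full log.
SAMPLE_LOG = """\
13:59:18:890 2324 Driver Name: Disk
13:59:18:890 2324 IRP_MJ_CREATE : F751CBB0
13:59:18:890 2324 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:59:18:890 2324 IRP_MJ_READ : F7516D1F
13:59:18:890 2324 IRP_MJ_DEVICE_CONTROL : F75173BB
13:59:19:000 2324 Driver Name: atapi
13:59:19:000 2324 IRP_MJ_CREATE : F7402B3A
13:59:19:000 2324 IRP_MJ_CREATE_NAMED_PIPE : F7402B3A
13:59:19:000 2324 IRP_MJ_READ : F7402B3A
13:59:19:000 2324 IRP_MJ_DEVICE_CONTROL : F7402B3A
13:59:19:000 2324 Driver "atapi" infected by TDSS rootkit!
"""

# "HH:MM:SS:mmm PID <body>", then either a driver header or an IRP entry.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")


def parse_dispatch_tables(text):
    """Return {driver: {irp_major: handler_address}} in log order."""
    tables, current = OrderedDict(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, blank or verdict line: not part of a table
        body = m.group(1)
        if (d := DRIVER_RE.match(body)):
            current = d.group(1)
            tables.setdefault(current, OrderedDict())
        elif (i := IRP_RE.match(body)) and current is not None:
            tables[current][i.group(1)] = i.group(2).upper()
    return tables


def suspicious_drivers(tables, min_entries=4):
    # min_entries guards against tiny tables: a small legitimate driver may
    # register one routine for a handful of majors, so corroborate any flag
    # with the tool's own "infected" verdict line before acting on it.
    return {drv: next(iter(set(e.values())))
            for drv, e in tables.items()
            if len(e) >= min_entries and len(set(e.values())) == 1}
```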
