
Infected with Google Redirect Virus


  • This topic is locked
10 replies to this topic

#1 bryansjag

bryansjag

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 15 April 2010 - 12:35 AM

Hello, Google has started occasionally redirecting me to sites other than the one I select. Sometimes it is to a site relating to the same Google search topic I have entered and other times to completely unrelated sites. I occasionally have a page load stating 'your request is loading'. If I return back to the Google page and reselect the website I initially wanted, it will then take me there. This is happening in both Explorer & Safari.



DDS (Ver_10-03-17.01) - NTFSx86
Run by RCDS at 15:02:11.68 on Thu 15/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3325.1745 [GMT 10:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\RCDS\Downloads\dds.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
mURLSearchHooks: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\networ~1.lnk - c:\program files\wibukey\server\WkSvMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-4 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-2-4 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-2-4 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-4 233136]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-2-3 20376]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-4 112592]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-5 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-2-4 33552]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-2-4 21504]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-2-4 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-4 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-4 1141712]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-04-15 04:52:38 0 ----a-w- c:\users\rcds\defogger_reenable
2010-04-14 08:08:39 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-13 22:14:19 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 22:14:19 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 22:14:18 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 22:14:13 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 22:14:10 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-13 22:14:10 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-13 22:14:08 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 22:14:07 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 22:14:07 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 22:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 22:12:57 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 08:15:56 183876 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-09 08:05:52 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-09 08:05:52 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-09 08:05:14 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 07:38:41 0 d-----w- c:\program files\Bonjour
2010-04-02 03:52:45 0 d-----w- c:\program files\common files\xing shared
2010-03-28 21:58:19 0 d-----w- c:\programdata\NOS
2010-03-17 11:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-17 11:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-09 07:39:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-09 07:39:59 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-09 07:39:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 01:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 01:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-08 16:19:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-08 05:55:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-08 01:50:29 174 --sha-w- c:\program files\desktop.ini
2010-02-08 01:11:11 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-08 01:11:10 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-03 10:05:32 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-03 10:05:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-02-03 10:05:32 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-02-03 10:05:32 23552 ----a-w- c:\windows\system32\lpk.dll
2010-02-03 10:05:32 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-03 10:05:32 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-02-03 10:03:23 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-02-03 10:03:22 272896 ----a-w- c:\windows\system32\polstore.dll
2010-02-03 10:01:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-02-03 10:01:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-02-03 10:01:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-02-03 10:01:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-02-03 10:01:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-02-03 10:01:14 17920 ----a-w- c:\windows\system32\netevent.dll
2010-02-03 10:01:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-02-03 10:01:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-02-03 10:01:14 10240 ----a-w- c:\windows\system32\finger.exe
2010-02-03 09:59:39 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-02-03 09:59:39 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-02-03 09:59:39 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-02-03 09:59:39 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-02-03 09:59:39 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-02-03 09:59:39 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-02-03 09:59:37 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-02-03 09:59:06 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-02-03 09:59:06 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-02-03 09:59:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-02-03 09:59:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-02-03 09:58:33 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-02-03 09:58:33 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-02-03 09:58:32 9728 ----a-w- c:\windows\system32\lsass.exe
2010-02-03 09:58:32 72704 ----a-w- c:\windows\system32\secur32.dll
2010-02-03 09:58:32 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-02-03 09:57:34 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-03 09:57:34 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-03 09:57:34 2868224 ----a-w- c:\windows\system32\mf.dll
2010-02-03 09:57:34 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-03 09:57:34 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-03 09:54:50 71680 ----a-w- c:\windows\system32\atl.dll
2010-02-03 09:50:55 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-02-03 09:50:29 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-02-03 09:50:29 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-02-03 09:50:29 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-02-03 09:44:13 623616 ----a-w- c:\windows\system32\localspl.dll
2010-02-03 09:43:39 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-03 09:37:59 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-02-03 09:32:20 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-02-03 07:56:42 148933 ----a-w- c:\windows\hpoins19.dat
2010-02-03 07:08:24 37888 ----a-w- c:\windows\system32\printcom.dll
2010-02-03 07:07:42 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-02-03 07:06:55 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-02-03 06:46:33 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-02-03 06:34:34 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-02-03 06:34:09 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-02-03 06:32:46 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-02-03 06:31:16 243712 ----a-w- c:\windows\system32\rastls.dll
2010-02-03 06:30:57 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-02-03 06:28:32 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-02-03 06:27:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-02-03 06:27:24 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-02-03 06:27:21 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-02-03 06:27:21 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-02-03 05:35:10 89 ----a-w- c:\program files\identity.ini
2010-02-03 04:48:58 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-03 04:47:55 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-03 04:46:43 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-03 04:46:43 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-21 23:21:07 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:21:07 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:21:06 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 23:21:05 767952 ----a-w- c:\windows\BDTSupport.dll
2007-08-23 11:46:09 602776 ----a-w- c:\program files\vl.arx
2007-08-23 11:42:44 9931928 ----a-w- c:\program files\acad.exe
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:02:40.03 ===============


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:07 PM

Posted 18 April 2010 - 05:27 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.
--
From your previous log, it seems you're infected with one of the TDL3 rootkits.

Post back with the logs and we'll begin disinfecting.

With Regards,
Extremeboy

Edited by extremeboy, 18 April 2010 - 05:28 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 bryansjag

bryansjag
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 18 April 2010 - 08:12 PM

G'day EB

Thanks for responding.

Problems & symptoms remain the same. DDS as per below. Attach.txt & Ark.txt attached.

Thanks for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by RCDS at 10:26:20.65 on Mon 19/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3325.2077 [GMT 10:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Advanced SystemCare 3\AWC.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Users\RCDS\Downloads\dds.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
mURLSearchHooks: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: ArchiBar Toolbar: {24cc1362-11c6-4918-a2c0-b9ee5a563185} - c:\program files\archibar\tbArch.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\networ~1.lnk - c:\program files\wibukey\server\WkSvMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-4 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-2-4 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-2-4 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-4 233136]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-2-3 20376]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-4 112592]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-5 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-2-4 21504]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-2-4 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-4 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-4 1141712]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-2-4 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-04-18 22:25:40 65536 --sha-w- c:\users\rcds\NTUSER.DAT{28988873-4b39-11df-b7c3-001d092ae8d9}.TM.blf
2010-04-18 22:25:40 524288 --sha-w- c:\users\rcds\NTUSER.DAT{28988873-4b39-11df-b7c3-001d092ae8d9}.TMContainer00000000000000000002.regtrans-ms
2010-04-18 22:25:40 524288 --sha-w- c:\users\rcds\NTUSER.DAT{28988873-4b39-11df-b7c3-001d092ae8d9}.TMContainer00000000000000000001.regtrans-ms
2010-04-15 22:43:13 0 d-----w- c:\users\rcds\appdata\roaming\HpUpdate
2010-04-15 22:43:12 0 d-----w- c:\windows\Hewlett-Packard
2010-04-15 04:52:38 0 ----a-w- c:\users\rcds\defogger_reenable
2010-04-14 08:08:39 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-13 22:14:19 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 22:14:19 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 22:14:18 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 22:14:13 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 22:14:10 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-13 22:14:10 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-13 22:14:08 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 22:14:07 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 22:14:07 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 22:13:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 22:12:57 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 08:15:56 183876 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-09 08:05:52 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-09 08:05:52 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-09 08:05:14 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 07:38:41 0 d-----w- c:\program files\Bonjour
2010-04-02 03:52:45 0 d-----w- c:\program files\common files\xing shared
2010-03-28 21:58:19 0 d-----w- c:\programdata\NOS

==================== Find3M ====================

2010-04-09 07:39:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-09 07:39:59 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-09 07:39:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 01:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 01:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-08 16:19:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-08 05:55:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-08 01:50:29 174 --sha-w- c:\program files\desktop.ini
2010-02-08 01:11:11 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-08 01:11:10 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-03 10:05:32 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-03 10:05:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-02-03 10:05:32 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-02-03 10:05:32 23552 ----a-w- c:\windows\system32\lpk.dll
2010-02-03 10:05:32 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-03 10:05:32 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-02-03 10:03:23 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-02-03 10:03:22 272896 ----a-w- c:\windows\system32\polstore.dll
2010-02-03 10:01:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-02-03 10:01:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-02-03 10:01:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-02-03 10:01:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-02-03 10:01:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-02-03 10:01:14 17920 ----a-w- c:\windows\system32\netevent.dll
2010-02-03 10:01:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-02-03 10:01:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-02-03 10:01:14 10240 ----a-w- c:\windows\system32\finger.exe
2010-02-03 09:59:39 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-02-03 09:59:39 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-02-03 09:59:39 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-02-03 09:59:39 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-02-03 09:59:39 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-02-03 09:59:39 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-02-03 09:59:37 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-02-03 09:59:06 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-02-03 09:59:06 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-02-03 09:59:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-02-03 09:59:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-02-03 09:58:33 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-02-03 09:58:33 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-02-03 09:58:32 9728 ----a-w- c:\windows\system32\lsass.exe
2010-02-03 09:58:32 72704 ----a-w- c:\windows\system32\secur32.dll
2010-02-03 09:58:32 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-02-03 09:57:34 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-03 09:57:34 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-03 09:57:34 2868224 ----a-w- c:\windows\system32\mf.dll
2010-02-03 09:57:34 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-03 09:57:34 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-03 09:54:50 71680 ----a-w- c:\windows\system32\atl.dll
2010-02-03 09:50:55 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-02-03 09:50:29 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-02-03 09:50:29 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-02-03 09:50:29 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-02-03 09:44:13 623616 ----a-w- c:\windows\system32\localspl.dll
2010-02-03 09:43:39 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-03 09:37:59 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-02-03 09:32:20 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-02-03 07:56:42 148933 ----a-w- c:\windows\hpoins19.dat
2010-02-03 07:08:24 37888 ----a-w- c:\windows\system32\printcom.dll
2010-02-03 07:07:42 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-02-03 07:06:55 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-02-03 06:46:33 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-02-03 06:34:34 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-02-03 06:34:09 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-02-03 06:32:46 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-02-03 06:31:16 243712 ----a-w- c:\windows\system32\rastls.dll
2010-02-03 06:30:57 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-02-03 06:28:32 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-02-03 06:27:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-02-03 06:27:24 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-02-03 06:27:21 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-02-03 06:27:21 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-02-03 05:35:10 89 ----a-w- c:\program files\identity.ini
2010-02-03 04:48:58 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-03 04:47:55 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-03 04:46:43 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-03 04:46:43 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-21 23:21:07 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:21:07 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:21:06 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 23:21:05 767952 ----a-w- c:\windows\BDTSupport.dll
2007-08-23 11:46:09 602776 ----a-w- c:\program files\vl.arx
2007-08-23 11:42:44 9931928 ----a-w- c:\program files\acad.exe
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:27:29.42 ===============


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 April 2010 - 09:10 PM

Hello.

I see the infection you have. Let's deal with that. It's the TDL3 Rootkit, more information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue, let's start off with Combofix and then proceed from there.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 bryansjag
  • Topic Starter
  • Members
  • 5 posts

Posted 18 April 2010 - 11:28 PM

Hello EB

Here we go

ComboFix 10-04-17.07 - RCDS 19/04/2010 14:07:46.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3325.1611 [GMT 10:00]
Running from: c:\users\RCDS\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\system32\spool\prtprocs\w32x86\000008c9.tmp
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-19 04:15 . 2010-04-19 04:16 -------- d-----w- c:\users\RCDS\AppData\Local\temp
2010-04-15 22:43 . 2010-04-15 22:43 -------- d-----w- c:\users\RCDS\AppData\Roaming\HpUpdate
2010-04-15 22:43 . 2010-04-15 22:43 -------- d-----w- c:\windows\Hewlett-Packard
2010-04-15 04:58 . 2010-04-15 04:58 -------- d-----w- c:\users\RCDS\AppData\Local\Apps
2010-04-14 22:48 . 2010-04-15 02:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-13 22:14 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 22:14 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 22:14 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 22:14 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 22:14 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 22:14 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 22:14 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 22:13 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 22:12 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 08:15 . 2010-04-09 08:15 183876 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-09 08:15 . 2010-04-09 08:15 -------- d-----w- c:\program files\Safari
2010-04-09 08:14 . 2010-04-09 08:14 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-09 08:05 . 2009-05-18 03:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-09 08:05 . 2008-04-17 02:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-09 08:05 . 2010-04-09 08:05 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 08:02 . 2010-04-09 08:02 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-09 07:42 . 2010-04-09 07:42 -------- d-----w- c:\program files\QuickTime
2010-04-09 07:38 . 2010-04-09 07:38 -------- d-----w- c:\program files\Bonjour
2010-04-02 03:53 . 2010-04-02 03:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-02 03:53 . 2010-04-02 03:53 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-02 03:53 . 2010-04-02 03:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-02 03:53 . 2010-04-02 03:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-02 03:53 . 2010-04-02 03:53 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-02 03:53 . 2010-04-02 03:53 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-02 03:53 . 2010-04-02 03:53 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-02 03:53 . 2010-04-02 03:53 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-02 03:52 . 2010-04-02 03:52 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-28 21:58 . 2010-03-30 05:32 -------- d-----w- c:\programdata\NOS
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\27404\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\27404\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\27404\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\27404\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 22:25 . 2010-02-04 04:16 -------- d-----w- c:\program files\Advanced SystemCare 3
2010-04-17 13:04 . 2010-02-05 03:44 -------- d-----w- c:\users\RCDS\AppData\Roaming\BitTorrent
2010-04-15 04:34 . 2010-02-04 05:31 -------- d-----w- c:\program files\Spyware Doctor
2010-04-14 22:38 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 05:18 . 2010-02-11 23:06 -------- d-----w- c:\users\RCDS\AppData\Roaming\PrimoPDF
2010-04-09 08:16 . 2010-02-05 10:18 -------- d-----w- c:\users\RCDS\AppData\Roaming\Apple Computer
2010-04-09 08:05 . 2010-02-05 10:17 -------- d-----w- c:\program files\iTunes
2010-04-09 08:05 . 2010-02-11 08:44 -------- d-----w- c:\program files\iPod
2010-04-09 08:05 . 2010-02-05 10:13 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 05:52 . 2010-02-03 05:17 -------- d-----w- c:\program files\Help
2010-04-06 22:12 . 2010-02-04 05:08 -------- d-----w- c:\users\RCDS\AppData\Roaming\GetRight
2010-04-02 03:53 . 2010-02-23 23:21 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-02 03:53 . 2010-02-23 23:20 -------- d-----w- c:\program files\Common Files\Real
2010-03-29 02:05 . 2010-02-04 05:08 -------- d-----w- c:\program files\GetRight
2010-03-09 02:57 . 2010-02-04 05:11 -------- d-----w- c:\users\RCDS\AppData\Roaming\Winamp
2010-03-01 21:48 . 2010-03-01 21:43 -------- d-----w- c:\program files\CalorieKing Nutrition and Exercise Manager - Australian Edition for Windows
2010-03-01 21:46 . 2010-03-01 21:46 -------- d-----w- c:\users\RCDS\AppData\Roaming\fhnetwork.com
2010-02-27 06:22 . 2010-02-27 06:22 -------- d-----w- c:\program files\ArchiBar
2010-02-27 06:22 . 2010-02-27 06:22 -------- d-----w- c:\program files\Conduit
2010-02-26 11:39 . 2010-02-26 03:36 -------- d-----w- c:\program files\Java
2010-02-26 03:59 . 2010-02-26 03:55 -------- d-----w- c:\users\RCDS\AppData\Roaming\Graphisoft
2010-02-26 03:50 . 2010-02-26 03:37 -------- d-----w- c:\program files\Graphisoft
2010-02-26 03:42 . 2010-02-26 03:42 -------- d-----w- c:\program files\WIBUKEY
2010-02-26 03:42 . 2010-02-26 03:42 -------- d-----w- c:\program files\WIBU-SYSTEMS
2010-02-26 03:41 . 2010-02-26 03:41 -------- d-----w- c:\program files\Common Files\Graphisoft Shared
2010-02-26 02:11 . 2010-02-26 02:11 -------- d-----w- c:\users\RCDS\AppData\Roaming\vlc
2010-02-26 02:09 . 2010-02-26 02:09 -------- d-----w- c:\program files\VideoLAN
2010-02-26 02:05 . 2010-02-26 02:05 -------- d-----w- c:\users\RCDS\AppData\Roaming\DivX
2010-02-26 02:05 . 2010-02-26 02:04 -------- d-----w- c:\program files\DivX
2010-02-26 02:05 . 2010-02-26 02:04 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-25 00:09 . 2010-02-03 04:07 111024 ----a-w- c:\users\RCDS\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 23:21 . 2010-02-23 23:20 -------- d-----w- c:\program files\Real
2010-02-23 06:39 . 2010-03-31 04:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 04:51 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 04:51 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 04:51 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 16:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 16:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 16:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 23:21 . 2010-02-18 23:20 -------- d-----w- c:\program files\TWC
2010-02-18 04:48 . 2010-02-18 04:48 -------- d-----w- c:\programdata\{4C0DBD62-F011-4A41-B11D-BE5CFA6DEDD7}
2010-02-18 04:48 . 2010-02-18 04:47 -------- d-----w- c:\program files\Common-Use Signing Interface
2010-02-12 01:46 . 2010-02-12 01:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 01:46 . 2010-02-12 01:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-08 16:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-08 01:11 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-08 01:11 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-05 05:13 . 2010-02-05 05:10 2458478 ----a-w- c:\users\RCDS\AppData\Roaming\BitTorrent\Reality Killed The Video Star\Bonus Content\START.EXE
2010-02-05 05:11 . 2010-02-05 05:11 80896 ----a-w- c:\users\RCDS\AppData\Roaming\BitTorrent\Reality Killed The Video Star\Bonus Content\DATA\OPENCD.EXE
2010-02-04 06:49 . 2010-02-04 06:49 341256 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-03 10:05 . 2010-02-03 10:05 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-03 10:05 . 2010-02-03 10:05 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-02-03 10:05 . 2010-02-03 10:05 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-02-03 10:05 . 2010-02-03 10:05 23552 ----a-w- c:\windows\system32\lpk.dll
2010-02-03 10:05 . 2010-02-03 10:05 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-03 10:05 . 2010-02-03 10:05 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-02-03 10:03 . 2010-02-03 10:03 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-02-03 10:03 . 2010-02-03 10:03 272896 ----a-w- c:\windows\system32\polstore.dll
2010-02-03 10:01 . 2010-02-03 10:01 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-02-03 10:01 . 2010-02-03 10:01 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-02-03 10:01 . 2010-02-03 10:01 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-02-03 10:01 . 2010-02-03 10:01 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-02-03 10:01 . 2010-02-03 10:01 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-02-03 10:01 . 2010-02-03 10:01 17920 ----a-w- c:\windows\system32\netevent.dll
2010-02-03 10:01 . 2010-02-03 10:01 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-02-03 10:01 . 2010-02-03 10:01 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-02-03 10:01 . 2010-02-03 10:01 10240 ----a-w- c:\windows\system32\finger.exe
2010-02-03 09:59 . 2010-02-03 09:59 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-02-03 09:59 . 2010-02-03 09:59 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-02-03 09:59 . 2010-02-03 09:59 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-02-03 09:59 . 2010-02-03 09:59 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-02-03 09:59 . 2010-02-03 09:59 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-02-03 09:59 . 2010-02-03 09:59 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-02-03 09:59 . 2010-02-03 09:59 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-02-03 09:59 . 2010-02-03 09:59 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-02-03 09:59 . 2010-02-03 09:59 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-02-03 09:59 . 2010-02-03 09:59 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-02-03 09:59 . 2010-02-03 09:59 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-02-03 09:58 . 2010-02-03 09:58 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-02-03 09:58 . 2010-02-03 09:58 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-02-03 09:58 . 2010-02-03 09:58 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-02-03 09:58 . 2010-02-03 09:58 9728 ----a-w- c:\windows\system32\lsass.exe
2010-02-03 09:58 . 2010-02-03 09:58 72704 ----a-w- c:\windows\system32\secur32.dll
2010-02-03 09:58 . 2010-02-03 09:58 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-02-03 09:57 . 2010-02-03 09:57 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-03 09:57 . 2010-02-03 09:57 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-03 09:57 . 2010-02-03 09:57 2868224 ----a-w- c:\windows\system32\mf.dll
2010-02-03 09:57 . 2010-02-03 09:57 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-03 09:57 . 2010-02-03 09:57 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-03 09:54 . 2010-02-03 09:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-02-03 09:50 . 2010-02-03 09:50 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-02-03 09:50 . 2010-02-03 09:50 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-02-03 09:50 . 2010-02-03 09:50 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-02-03 09:50 . 2010-02-03 09:50 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-02-03 09:44 . 2010-02-03 09:44 623616 ----a-w- c:\windows\system32\localspl.dll
2010-02-03 09:43 . 2010-02-03 09:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-03 09:37 . 2010-02-03 09:37 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-02-03 09:32 . 2010-02-03 09:32 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-02-03 07:56 . 2010-02-03 07:43 148933 ----a-w- c:\windows\hpoins19.dat
2010-02-03 07:28 . 2010-02-03 07:28 242577 ----a-w- c:\programdata\HP\Installer\Temp\ENU-Package.exe
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{24cc1362-11c6-4918-a2c0-b9ee5a563185}"= "c:\program files\ArchiBar\tbArch.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]
2010-02-22 01:05 2353176 ----a-w- c:\program files\ArchiBar\tbArch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{24cc1362-11c6-4918-a2c0-b9ee5a563185}"= "c:\program files\ArchiBar\tbArch.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{24CC1362-11C6-4918-A2C0-B9EE5A563185}"= "c:\program files\ArchiBar\tbArch.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{24cc1362-11c6-4918-a2c0-b9ee5a563185}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-07 472112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-02 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Network Server.lnk - c:\program files\WIBUKEY\Server\WkSvMgr.exe [2010-2-26 3768320]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-5 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-5 9116480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6e,02,f5,3d,85,a8,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4208565665-2474335761-3571068439-1000]
"EnableNotificationsRef"=dword:00000001

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2009-09-02 70408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-11 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-11 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-11 59664]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2009-10-30 233136]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-04 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-15 20480]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-14 1443584]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]


--- Other Services/Drivers In Memory ---

*Deregistered* - pwryapod

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\Advanced SystemCare 3\AutoSweep.exe [2010-02-04 04:11]

2010-04-19 c:\windows\Tasks\AWC Startup.job
- c:\program files\Advanced SystemCare 3\AWC.exe [2010-02-04 04:54]

2010-04-19 c:\windows\Tasks\AWC Update.job
- c:\program files\Advanced SystemCare 3\IObitUpdate.exe [2010-02-04 03:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 14:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys >>UNKNOWN [0x87EDB8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b99fd24
\Driver\ACPI -> acpi.sys @ 0x806c3d68
\Driver\atapi -> atapi.sys @ 0x807c89b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-19 14:19:52
ComboFix-quarantined-files.txt 2010-04-19 04:19

Pre-Run: 328,755,847,168 bytes free
Post-Run: 328,808,321,024 bytes free

- - End Of File - - 5C8F91CA487C8527EB7BD1AF4CE5EF9C

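An added triage example, not code from the thread or from ComboFix/GMER: a small Python parser over constructed lines in the format of the ComboFix log above that pulls out the three indicators a responder checks first (the UNKNOWN module in GMER's disk driver call chain, the deregistered driver with a random-looking name, and service entries whose binary is missing from disk). The sample lines, the severity labels and the random-name rule are my assumptions.

```python
"""Triage helper for ComboFix-style logs (constructed example, not from the thread).

It pulls out the three things a responder looks at first in a log like the one
above: the GMER MBR check reporting an UNKNOWN module in the disk driver chain,
a deregistered driver with a random-looking name, and service entries whose
binary is missing from disk ("[x]").  The rules are heuristics that mark items
for review; they do not by themselves prove an infection.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, abbreviated from the ComboFix output format posted above.
SAMPLE_LOG = r"""
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2009-09-02 70408]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]

--- Other Services/Drivers In Memory ---

*Deregistered* - pwryapod

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys >>UNKNOWN [0x87EDB8C8]<<
kernel: MBR read successfully
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm ownership before acting
    kind: str
    detail: str


# "R3 name;description;path [date size]" -- "[x]" means the file was not found on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# "*Deregistered* - name": a driver present in memory but no longer registered as a service.
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
# GMER marks a module it cannot attribute in the disk I/O call chain this way.
UNKNOWN_RE = re.compile(r">>UNKNOWN\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
# Heuristic (assumption): vendor drivers usually carry a recognisable prefix or
# mixed case; a short all-lowercase token with no vendor hint deserves a look.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("meta") == "x":
                findings.append(Finding("review", "missing-service-binary",
                                        f"{m.group('name')} -> {m.group('path')}"))
            continue
        m = DEREG_RE.match(line)
        if m and RANDOM_NAME_RE.match(m.group("name")):
            findings.append(Finding("review", "deregistered-driver", m.group("name")))
            continue
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            if m:
                # The MBR itself can read back fine (as it does here) while the
                # disk driver chain is hooked, so this line, not "MBR OK", is the
                # one to act on.
                findings.append(Finding("high", "unknown-module-in-disk-stack",
                                        m.group("addr")))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """'high' if any finding is high, 'review' if any exist, else 'clean'."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print("overall:", worst_severity(triage(SAMPLE_LOG)))
```

Run it over a saved ComboFix.txt by passing the file contents to triage(); a "review" finding on a vendor driver you recognise (the PC Tools entries, for instance) is expected noise, while the UNKNOWN module is the line that warrants the follow-up scans the thread goes on to run.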

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 April 2010 - 06:35 PM

Hello.

Could you re-run GMER for me once more?

Are the re-directs still there? Complete a TDSSKiller scan...
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 bryansjag

bryansjag
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 AM

Posted 21 April 2010 - 02:30 AM

Hello EB

Ran GMER, ark.txt attached. Ran TDSSKiller, here is the log. Redirect is now gone, in fact the machine seems to be running a whole lot better overall.

Many thanks.

11:55:21:814 6232 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:55:21:814 6232 ================================================================================
11:55:21:814 6232 SystemInfo:

11:55:21:814 6232 OS Version: 6.0.6002 ServicePack: 2.0
11:55:21:814 6232 Product type: Workstation
11:55:21:814 6232 ComputerName: OFFICE-PC
11:55:21:814 6232 UserName: RCDS
11:55:21:815 6232 Windows directory: C:\Windows
11:55:21:815 6232 Processor architecture: Intel x86
11:55:21:815 6232 Number of processors: 4
11:55:21:815 6232 Page size: 0x1000
11:55:21:816 6232 Boot type: Normal boot
11:55:21:816 6232 ================================================================================
11:55:21:819 6232 UnloadDriverW: NtUnloadDriver error 2
11:55:21:819 6232 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:55:21:911 6232 wfopen_ex: Trying to open file C:\Windows\system32\config\system
11:55:21:911 6232 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:55:21:911 6232 wfopen_ex: Trying to KLMD file open
11:55:21:911 6232 wfopen_ex: File opened ok (Flags 2)
11:55:21:932 6232 wfopen_ex: Trying to open file C:\Windows\system32\config\software
11:55:21:932 6232 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:55:21:932 6232 wfopen_ex: Trying to KLMD file open
11:55:21:933 6232 wfopen_ex: File opened ok (Flags 2)
11:55:21:933 6232 Initialize success
11:55:21:933 6232
11:55:21:933 6232 Scanning Services ...
11:55:22:880 6232 Raw services enum returned 430 services
11:55:22:889 6232
11:55:22:890 6232 Scanning Kernel memory ...
11:55:22:890 6232 Devices to scan: 2
11:55:22:890 6232
11:55:22:890 6232 Driver Name: USBSTOR
11:55:22:890 6232 IRP_MJ_CREATE : 90CD8FC8
11:55:22:890 6232 IRP_MJ_CREATE_NAMED_PIPE : 82A6EA22
11:55:22:890 6232 IRP_MJ_CLOSE : 90CD9040
11:55:22:890 6232 IRP_MJ_READ : 90CD90B8
11:55:22:890 6232 IRP_MJ_WRITE : 90CD90B8
11:55:22:890 6232 IRP_MJ_QUERY_INFORMATION : 82A6EA22
11:55:22:890 6232 IRP_MJ_SET_INFORMATION : 82A6EA22
11:55:22:890 6232 IRP_MJ_QUERY_EA : 82A6EA22
11:55:22:890 6232 IRP_MJ_SET_EA : 82A6EA22
11:55:22:890 6232 IRP_MJ_FLUSH_BUFFERS : 82A6EA22
11:55:22:890 6232 IRP_MJ_QUERY_VOLUME_INFORMATION : 82A6EA22
11:55:22:890 6232 IRP_MJ_SET_VOLUME_INFORMATION : 82A6EA22
11:55:22:890 6232 IRP_MJ_DIRECTORY_CONTROL : 82A6EA22
11:55:22:890 6232 IRP_MJ_FILE_SYSTEM_CONTROL : 82A6EA22
11:55:22:890 6232 IRP_MJ_DEVICE_CONTROL : 90CD8BC4
11:55:22:890 6232 IRP_MJ_INTERNAL_DEVICE_CONTROL : 90CCC7E4
11:55:22:890 6232 IRP_MJ_SHUTDOWN : 82A6EA22
11:55:22:890 6232 IRP_MJ_LOCK_CONTROL : 82A6EA22
11:55:22:890 6232 IRP_MJ_CLEANUP : 82A6EA22
11:55:22:890 6232 IRP_MJ_CREATE_MAILSLOT : 82A6EA22
11:55:22:890 6232 IRP_MJ_QUERY_SECURITY : 82A6EA22
11:55:22:891 6232 IRP_MJ_SET_SECURITY : 82A6EA22
11:55:22:891 6232 IRP_MJ_POWER : 90CD759C
11:55:22:891 6232 IRP_MJ_SYSTEM_CONTROL : 90CD47A2
11:55:22:891 6232 IRP_MJ_DEVICE_CHANGE : 82A6EA22
11:55:22:891 6232 IRP_MJ_QUERY_QUOTA : 82A6EA22
11:55:22:891 6232 IRP_MJ_SET_QUOTA : 82A6EA22
11:55:22:909 6232 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
11:55:22:909 6232
11:55:22:909 6232 Driver Name: atapi
11:55:22:909 6232 IRP_MJ_CREATE : 807D29B0
11:55:22:909 6232 IRP_MJ_CREATE_NAMED_PIPE : 807D29B0
11:55:22:909 6232 IRP_MJ_CLOSE : 807D29B0
11:55:22:909 6232 IRP_MJ_READ : 807D29B0
11:55:22:909 6232 IRP_MJ_WRITE : 807D29B0
11:55:22:909 6232 IRP_MJ_QUERY_INFORMATION : 807D29B0
11:55:22:909 6232 IRP_MJ_SET_INFORMATION : 807D29B0
11:55:22:909 6232 IRP_MJ_QUERY_EA : 807D29B0
11:55:22:909 6232 IRP_MJ_SET_EA : 807D29B0
11:55:22:909 6232 IRP_MJ_FLUSH_BUFFERS : 807D29B0
11:55:22:909 6232 IRP_MJ_QUERY_VOLUME_INFORMATION : 807D29B0
11:55:22:909 6232 IRP_MJ_SET_VOLUME_INFORMATION : 807D29B0
11:55:22:909 6232 IRP_MJ_DIRECTORY_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_FILE_SYSTEM_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_DEVICE_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_INTERNAL_DEVICE_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_SHUTDOWN : 807D29B0
11:55:22:909 6232 IRP_MJ_LOCK_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_CLEANUP : 807D29B0
11:55:22:909 6232 IRP_MJ_CREATE_MAILSLOT : 807D29B0
11:55:22:909 6232 IRP_MJ_QUERY_SECURITY : 807D29B0
11:55:22:909 6232 IRP_MJ_SET_SECURITY : 807D29B0
11:55:22:909 6232 IRP_MJ_POWER : 807D29B0
11:55:22:909 6232 IRP_MJ_SYSTEM_CONTROL : 807D29B0
11:55:22:909 6232 IRP_MJ_DEVICE_CHANGE : 807D29B0
11:55:22:909 6232 IRP_MJ_QUERY_QUOTA : 807D29B0
11:55:22:909 6232 IRP_MJ_SET_QUOTA : 807D29B0
11:55:22:909 6232 Driver "atapi" infected by TDSS rootkit!
11:55:22:917 6232 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
11:55:22:917 6232 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
11:55:22:917 6232 Processing driver file: C:\Windows\system32\drivers\atapi.sys
11:55:23:035 6232 vfvi6
11:55:23:121 6232 dsvbh1
11:55:23:189 6232 fdfb1
11:55:23:189 6232 Backup copy found, using it..
11:55:23:196 6232 will be cured on next reboot
11:55:23:196 6232 Reboot required for cure complete..
11:55:23:203 6232 Cure on reboot scheduled successfully
11:55:23:203 6232
11:55:23:203 6232 Completed
11:55:23:203 6232
11:55:23:204 6232 Results:
11:55:23:204 6232 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:55:23:204 6232 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:55:23:204 6232 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:55:23:205 6232
11:55:23:205 6232 fclose_ex: Trying to close file C:\Windows\system32\config\system
11:55:23:205 6232 fclose_ex: Trying to close file C:\Windows\system32\config\software
11:55:23:205 6232 UnloadDriverW: NtUnloadDriver error 1
11:55:23:206 6232 KLMD(ARK) unloaded successfully

Attached Files

  • Attached File  ark.txt   3.75KB   1 downloads
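
The TDSSKiller output above is easier to reason about once the kernel-memory section is parsed per driver: the tool's own verdict line names atapi, and the dispatch table it prints shows every IRP_MJ_* entry of atapi resolving to the same address (807D29B0), whereas USBSTOR has distinct handlers plus one shared default for the IRPs it does not implement. The following parser is an added example written for this thread, not code from Kaspersky or from any poster; it extracts both signals from a constructed, abridged log modelled on the one posted. The "every dispatch entry points to one address" check is a heuristic assumption for illustration, not something the tool documents.

```python
"""Parse TDSSKiller-style kernel-memory scan output and flag suspicious drivers.

Added example for this thread, not Kaspersky's code. SAMPLE_LOG is a
constructed, abridged excerpt modelled on the log posted above.
"""
import re

# Each log line: HH:MM:SS:mmm <pid> <message>; the message may be empty.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit')

# Constructed sample: four dispatch entries per driver are enough to show the pattern.
SAMPLE_LOG = """\
11:55:22:890 6232 Driver Name: USBSTOR
11:55:22:890 6232 IRP_MJ_CREATE : 90CD8FC8
11:55:22:890 6232 IRP_MJ_CREATE_NAMED_PIPE : 82A6EA22
11:55:22:890 6232 IRP_MJ_CLOSE : 90CD9040
11:55:22:890 6232 IRP_MJ_READ : 90CD90B8
11:55:22:909 6232 C:\\Windows\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1
11:55:22:909 6232
11:55:22:909 6232 Driver Name: atapi
11:55:22:909 6232 IRP_MJ_CREATE : 807D29B0
11:55:22:909 6232 IRP_MJ_CREATE_NAMED_PIPE : 807D29B0
11:55:22:909 6232 IRP_MJ_CLOSE : 807D29B0
11:55:22:909 6232 IRP_MJ_READ : 807D29B0
11:55:22:909 6232 Driver "atapi" infected by TDSS rootkit!
"""


def parse_kernel_scan(text):
    """Return {driver: {"irp": {IRP_MJ_name: address}, "verdict_infected": bool}}.

    'Verdict: N' lines are deliberately not interpreted: their meaning is not
    documented in the thread.
    """
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            drivers[current] = {"irp": {}, "verdict_infected": False}
            continue
        i = IRP_RE.match(body)
        if i and current:
            drivers[current]["irp"][i.group(1)] = i.group(2).upper()
            continue
        inf = INFECTED_RE.match(body)
        if inf:
            entry = drivers.setdefault(inf.group(1), {"irp": {}, "verdict_infected": False})
            entry["verdict_infected"] = True
    return drivers


def single_handler_drivers(drivers, min_entries=4):
    """Heuristic (assumption): flag drivers whose every IRP_MJ_* dispatch entry
    resolves to a single address. In the posted log atapi shows this at 807D29B0;
    a driver that implements some IRPs and leaves the rest on a shared default
    (USBSTOR here) has at least two distinct addresses and is not flagged."""
    flagged = []
    for name, info in drivers.items():
        addrs = set(info["irp"].values())
        if len(info["irp"]) >= min_entries and len(addrs) == 1:
            flagged.append((name, addrs.pop()))
    return sorted(flagged)


def summarize(text):
    """Combine the tool's explicit verdict with the dispatch-table heuristic."""
    drivers = parse_kernel_scan(text)
    return {
        "drivers": sorted(drivers),
        "tool_verdict_infected": sorted(n for n, i in drivers.items() if i["verdict_infected"]),
        "single_handler": single_handler_drivers(drivers),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a full TDSSKiller.txt by reading the file into `summarize`; a driver that appears under `single_handler` but not under `tool_verdict_infected` is worth a second look with GMER rather than an automatic verdict, since the heuristic knows nothing about legitimate filter drivers that forward everything through one routine.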


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:07 PM

Posted 21 April 2010 - 02:49 PM

I believe that GMER scan was taken BEFORE running TDSSKiller?

Let's get an online scan performed.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.




#9 bryansjag

bryansjag
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 AM

Posted 22 April 2010 - 12:43 AM

Hello EB

KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, April 22, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 19:27:33
Records in database: 3962586
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
F:\
P:\
Scan statistics
Objects scanned 177787
Threats found 2
Infected objects found 5
Suspicious objects found 0
Scan duration 03:03:43

File name Threat Threats count
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\000008c9.tmp.vir Infected: Trojan.Win32.FakeAV.jm 1
C:\Users\Public\Downloads\Archicad\ArchiCAD 13 INT 32bit and 64bit with crack - ENGINE\AC13-INT.iso Infected: Trojan-Downloader.Win32.Agent.dibf 2
C:\Users\Public\Downloads\Archicad\ArchiCAD 13 INT 32bit and 64bit with crack - ENGINE\Graphisoft BIM Server\Graphisoft BIM Server-Win32\archive.jar Infected: Trojan-Downloader.Win32.Agent.dibf 1
C:\Users\Public\Downloads\Archicad\ArchiCAD 13 INT 32bit and 64bit with crack - ENGINE\Graphisoft BIM Server\Graphisoft BIM Server-Win64\archive.jar Infected: Trojan-Downloader.Win32.Agent.dibf 1
Selected area has been scanned.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:07 PM

Posted 22 April 2010 - 08:29 PM

HELLO.

The first item Kaspersky detected was just an item ComboFix quarantined. However, the other items seem like you have downloaded cracks/keygens? This means you have used cracks or key generators.

You should know that use of these is considered illegal activity, as it bypasses copyright laws.

Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, these sites are infested with a smörgåsbord of malware. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows.

Merely visiting such sites without downloading ANYTHING is one of the worst things a user can do online. They are illegal. Cracked software is notorious for carrying malware/infections. How do you think these people make their money... they aren't really giving you this software out of the goodness of their hearts.

Please delete those files; in fact they are infected as well, which is possibly how you might have got such an infection.

Other than that, take a new DDS run and post those logs so I can take a look and see how your computer is.

~Extremeboy

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:07 PM

Posted 08 May 2010 - 11:51 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy