Multi-Infections: Win32/Mebroot.DT Trojan, and more ...


  • This topic is locked
17 replies to this topic

#1 darmster

darmster

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 02 May 2010 - 10:50 PM

Thanks for helping!

The issue is that the hard drive runs like crazy, and the CPU is running more than normal. There's a process called SERVICES.EXE and McShield.EXE that take up considerably more CPU time than normal resulting in noticeable degradation of computer performance. In addition, at the time of initial infection a pop-up window from FireFox warning that the computer had been infected was displayed for a fleeting moment. Then FireFox crashed. After reboot FireFox will successfully start up only on a second attempt. The first attempt is a complete failure with no warning. In addition, Google searches are redirected to ridiculous websites that are obviously meant for further infection.

Tragically, my gmail and hotmail accounts have already been compromised. Upon logging into my gmail account, it was found that the account had been disabled due to suspicious activity. I had to reset the password, in order to use the account again. The hotmail account simply said that there had been a number of attempts to access the account. CRAZY!

ESET and SpyWare Dr have successfully removed the viruses and spyware. I made sure to run both apps until no more problems were found. However, when starting up the computer the same symptoms are there with excessive hard drive and CPU activity. In addition, FireFox redirects Google searches to other locations. ESET and SpyWare Dr are fired up and more spyware and viruses are found!

I tried using the GMER application, but it hangs the computer. So, there's no ARK.TXT file to upload. After the DDS data is the esetScan result.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 1:12:21.17 on Sun 05/02/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Zend\Apache2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Zend\MySQL51\bin\mysqld.exe
C:\Program Files\Zend\Apache2\bin\httpd.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Zend\ZendServer\bin\php-cgi.exe
C:\Program Files\Zend\ZendServer\bin\php-cgi.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Zend\ZendServer\bin\JavaServer.exe
C:\Program Files\Zend\ZendServer\bin\MonitorNode.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Zend\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Zend\ZendServer\bin\zendcontroller.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [WebEQ XP] "c:\progra~1\blazea~1\webeqt~1\WebEQ.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [SetDefPrt] c:\program files\brother\brmflp03\BrStDvPt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apache~1.lnk - c:\program files\zend\apache2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zendco~1.lnk - c:\program files\zend\zendserver\bin\zendcontroller.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Namo SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272754128343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272754103921
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxp://www.swiftview.com/product/public/svinstall_a_green.exe
DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} - file:///D:/Interface/IntraLaunch.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A78856A6-334B-43AF-96F5-58574005910D} - hxxp://w.s0.gc.sj.ipixmedia.com/code/Einstaller.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8xhghl3q.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 207280]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-3-12 80640]
R2 Apache2.2-Zend;Apache2.2-Zend;c:\program files\zend\apache2\bin\httpd.exe [2009-8-6 29488]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-28 112592]
R2 MySQL_ZendServer51;MySQL_ZendServer51;"c:\program files\zend\mysql51\bin\mysqld" --defaults-file="c:\program files\zend\mysql51\my.ini" mysql_zendserver51 --> c:\program files\zend\mysql51\bin\mysqld [?]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-28 365280]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-28 1141712]
R2 ZendJavaBridge;Zend Java Bridge;c:\program files\zend\zendserver\bin\JavaServer.exe [2009-8-6 25792]
R2 ZendMonitor;Zend Monitor;c:\program files\zend\zendserver\bin\MonitorNode.exe [2009-8-6 307904]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-10-29 31896]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-6-1 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-12-12 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2005-6-1 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2005-6-1 10368]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-3-12 23888]
S3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S3 TipCtrl;TipCtrl;c:\program files\utipu\TipCtrl.exe [2009-2-3 314504]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-16 126976]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-3-12 225401]
S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-16 122368]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-3-12 245760]
S4 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-3-12 131072]

=============== Created Last 30 ================

2010-05-02 00:50:38 0 d-----w- c:\windows\system32\scripting
2010-05-02 00:50:37 0 d-----w- c:\windows\l2schemas
2010-05-02 00:50:36 0 d-----w- c:\windows\system32\en
2010-05-02 00:50:35 0 d-----w- c:\windows\system32\bits
2010-05-01 23:31:51 0 d-----w- c:\windows\ServicePackFiles
2010-05-01 23:19:30 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-01 23:17:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-01 23:16:52 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-05-01 23:14:18 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-05-01 23:14:18 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-05-01 23:13:11 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-05-01 23:07:23 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2010-05-01 23:07:14 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-05-01 23:02:29 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-01 22:58:48 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-05-01 22:58:47 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-05-01 22:56:31 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-05-01 22:49:23 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-05-01 18:15:00 0 d-----w- c:\program files\ESET
2010-05-01 17:36:41 0 d-----w- c:\program files\Sun
2010-05-01 17:35:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-01 17:35:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 06:34:17 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-29 06:34:17 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 06:34:16 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-29 06:34:16 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 06:34:16 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-04-29 06:34:16 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 06:34:16 131 ----a-w- c:\windows\IDB.zip
2010-04-29 06:34:16 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 06:34:15 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 06:02:41 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-29 06:02:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 06:02:24 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-29 06:02:23 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 06:02:23 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-29 06:02:23 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 06:02:08 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-29 06:02:08 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 06:01:38 0 d-----w- c:\program files\common files\PC Tools
2010-04-29 06:01:37 0 d-----w- c:\program files\Spyware Doctor
2010-04-29 06:01:37 0 d-----w- c:\docume~1\owner\applic~1\PC Tools
2010-04-29 06:01:37 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-27 14:41:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-23 05:05:00 5538 ----a-w- c:\documents and settings\owner\.recently-used.xbel
2010-04-22 07:34:55 0 d-----w- c:\documents and settings\owner\.thumbnails
2010-04-22 07:33:40 0 d-----w- c:\documents and settings\owner\.gimp-2.6
2010-04-22 07:32:16 0 d-----w- c:\program files\GIMP-2.0
2010-04-20 01:54:17 0 d-----w- c:\documents and settings\owner\.netbeans
2010-04-20 01:54:11 0 d-----w- c:\documents and settings\owner\.netbeans-registration
2010-04-20 01:52:09 0 d-----w- c:\program files\NetBeans 6.8
2010-04-20 01:49:25 0 d-----w- c:\documents and settings\owner\.nbi
2010-04-14 19:00:21 0 d-----w- c:\program files\SimpleSites
2010-04-08 20:14:33 2 ----a-w- c:\windows\msoffice.ini

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 1:13:27.93 ===============




esetScan Results:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\59.tmp a variant of Win32/Mebroot.DT trojan cleaned by deleting - quarantined
C:\Documents and Settings\HelpAssistant\My Documents\Xavier's Folder\Xavier\Xavier_Downloaded Installation Files\fastlynx Installationz\miss.htm JS/AdWare.SearchPage.A virus deleted - quarantined
C:\Documents and Settings\HelpAssistant.POS-3\My Documents\Xavier's Folder\Xavier\Xavier_Downloaded Installation Files\fastlynx Installationz\miss.htm JS/AdWare.SearchPage.A virus deleted - quarantined
C:\Documents and Settings\Owner\My Documents\Xavier's Folder\Xavier\Xavier_Downloaded Installation Files\fastlynx Installationz\miss.htm JS/AdWare.SearchPage.A virus deleted - quarantined
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\57F31F3F-EC7D-4A32-A9C5-28CAAD7A7215\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\6B772EC5-E423-4AA8-9330-BDCAA366DE66\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\82B0AB24-273E-4B81-BC0F-B798D5FBD489\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\8CE4EEF6-9561-4DB6-9173-7958530CDE25\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\B0D390FA-EF25-4295-9847-4A6E3A9D3AFB\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\B3CBD606-6898-4B3C-AC65-8A2CB029F8E9\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\BAFBA5DB-2BF1-4152-8BBD-FFDEE4EDA3AE\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\CC28692B-108D-4E23-8EAC-B6DFD9C74C1A\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\D80A9E65-FA85-4162-A56B-FD271794B5A3\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\Program Files\WildTangent\Apps\GameChannel\Games\DE79D49C-E756-470A-8F8B-DE80E9FD268B\WebDriverSilentInstall.exe Win32/Adware.WildTangent application deleted - quarantined
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
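Reading the SERVICES / DRIVERS section of a DDS log by hand is slow, and the lines above show the two things a responder checks first: entries where DDS prints `-->` and `[?]` (it resolved a path but could not obtain a file date and size there) and drivers that start at boot or system time, before any user-mode security tool is running. The following is an added example written for this page; it is not part of darmster's post and not code from the DDS tool. It parses those lines into records and applies both checks. The sample lines are copied from the log above; the mapping of the digit after R/S to Windows service start types (0 boot, 1 system, 2 auto, 3 demand, 4 disabled) and the two triage heuristics are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: six lines copied from the "SERVICES / DRIVERS" section of the DDS log above.
SAMPLE_DDS = r'''
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-28 207280]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-3-12 80640]
R2 MySQL_ZendServer51;MySQL_ZendServer51;"c:\program files\zend\mysql51\bin\mysqld" --defaults-file="c:\program files\zend\mysql51\my.ini" mysql_zendserver51 --> c:\program files\zend\mysql51\bin\mysqld [?]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-3-12 225401]
'''

# Windows service start types; DDS encodes them as the digit after R (running) / S (stopped).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# state, start type, name;display;image [--> resolved path] [date size | ?]
LINE_RE = re.compile(
    r'^([RS])([0-4]) ([^;]+);([^;]*);(.*?)(?: --> (.*?))? \[(\?|\d{4}-\d{1,2}-\d{1,2} \d+)\]$'
)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str                 # command line / image path as DDS printed it
    resolved: Optional[str]    # path after "-->", when DDS showed one
    file_info: Optional[str]   # "YYYY-M-D size", or None when DDS printed [?]


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse DDS SERVICES / DRIVERS lines; lines that do not match are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, image, resolved, info = m.groups()
        entries.append(ServiceEntry(state == "R", int(start), name, display, image,
                                    resolved, None if info == "?" else info))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries worth verifying first (heuristics assumed)."""
    findings = []
    for e in entries:
        if e.file_info is None:
            findings.append((e.name, "no file date/size ([?]): confirm the binary at %s exists and is legitimate"
                             % (e.resolved or e.image)))
        if e.running and e.start_type <= 1:
            findings.append((e.name, "%s-start driver loads before user-mode security tools; verify its publisher"
                             % START_TYPES[e.start_type]))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_dds_services(SAMPLE_DDS)):
        print(f"{name}: {reason}")
```

Run against the sample, the unverified entries are the three services carrying `[?]` (MySQL_ZendServer51, XAMPP, scrcap) and the two running boot/system drivers (PCTCore, MPFIREWL) are listed for publisher verification; McShield, stopped and with file information, is not flagged.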


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:12:36 AM

Posted 02 May 2010 - 10:58 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please download and run HAMeb_check.exe. It will produce a log; please include it in your next reply.

~Blade


In your next reply, please include the following:
HAMeb_check.exe log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 02 May 2010 - 11:15 PM

Hi, Blade -

Thanks for helping!

Here are the HAlog.log details:

C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe
Sun 05/02/2010 at 21:09:30.31

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A3CB270]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services


~~ EOF ~~


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:12:36 AM

Posted 02 May 2010 - 11:19 PM

Hello darmster.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

~Blade


In your next reply, please include the following:
HelpAsst_mebroot_fix Logs (2)



#5 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 03 May 2010 - 12:26 AM

Hi, Blade -

Here are the contents of the HelpAsst.log:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Sun 05/02/2010 at 21:26:47.64

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1597376916-3607699578-3761090083-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.POS-3 ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.POS-3 files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 05/02/2010 at 22:19:38.35

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A104878]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services


~~ EOF ~~


#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 03 May 2010 - 12:32 AM

Hello darmster

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#7 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts

Posted 03 May 2010 - 05:16 AM

Hi, Blade -

Shortly after starting up the ComboFix app, a message appeared saying that the installation files were corrupt. Here's a screenshot of the error message:
http://www.freedomlibertycorp.com/zephon/pic1.htm




Warm Regards,

Doug

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 03 May 2010 - 09:04 PM

Hi darmster.

Please re-download a new copy of ComboFix and try again. Tell me if you continue to get the error message.



#9 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts

Posted 04 May 2010 - 10:17 PM

Hi, BladeZephon -

Here is the ComboFix Log:

ComboFix 10-05-04.04 - Owner 05/04/2010 19:50:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1649 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\renamed.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate
c:\windows\Downloaded Program Files\Temp

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-03 05:32 . 2010-05-03 05:32 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\workspace
2010-05-03 05:32 . 2010-05-03 05:32 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\WINDOWS
2010-05-03 05:32 . 2010-05-03 05:32 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\UserData
2010-05-03 05:26 . 2010-05-03 05:26 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\logs
2010-05-03 05:19 . 2008-11-29 01:52 60744 ----a-w- c:\documents and settings\HelpAssistant.POS-3\g2mdlhlpx.exe
2010-05-03 05:17 . 2010-05-03 05:17 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\Contacts
2010-05-03 05:13 . 2010-05-03 05:13 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\.thumbnails
2010-05-03 05:13 . 2010-05-03 05:13 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\.netbeans-registration
2010-05-03 05:12 . 2010-05-03 05:12 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\.netbeans
2010-05-03 05:12 . 2010-05-03 05:12 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\.nbi
2010-05-03 05:12 . 2010-05-03 05:12 -------- d-----w- c:\documents and settings\HelpAssistant.POS-3\.gimp-2.6
2010-05-03 04:26 . 2010-05-03 04:26 -------- d-----w- C:\HelpAsst_backup
2010-05-02 00:50 . 2010-05-02 00:50 -------- d-----w- c:\windows\system32\scripting
2010-05-02 00:50 . 2010-05-02 00:50 -------- d-----w- c:\windows\l2schemas
2010-05-02 00:50 . 2010-05-02 00:50 -------- d-----w- c:\windows\system32\en
2010-05-02 00:50 . 2010-05-02 00:50 -------- d-----w- c:\windows\system32\bits
2010-05-01 23:31 . 2010-05-02 00:45 -------- d-----w- c:\windows\ServicePackFiles
2010-05-01 23:19 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-01 23:17 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-01 23:16 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-05-01 23:14 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-05-01 23:14 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-05-01 23:13 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-05-01 23:07 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2010-05-01 23:07 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-05-01 23:02 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-01 22:59 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-05-01 22:59 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-05-01 22:59 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-05-01 22:59 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-05-01 22:59 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2010-05-01 22:59 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-05-01 22:59 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-05-01 22:59 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-05-01 22:59 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-05-01 22:59 . 2010-02-16 14:08 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-05-01 22:59 . 2010-02-17 16:10 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-01 22:59 . 2010-02-16 13:25 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-05-01 22:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-05-01 22:58 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-05-01 22:56 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-05-01 18:15 . 2010-05-01 18:15 -------- d-----w- c:\program files\ESET
2010-05-01 18:12 . 2010-05-01 18:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-05-01 17:39 . 2010-05-01 17:39 -------- d-----w- c:\program files\Common Files\Java
2010-05-01 17:36 . 2010-05-01 17:36 -------- d-----w- c:\program files\Sun
2010-05-01 17:35 . 2010-05-01 17:35 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 06:34 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 06:34 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 06:34 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 06:34 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 06:34 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-04-29 06:34 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 06:02 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 06:02 . 2009-10-06 23:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 06:02 . 2009-09-23 23:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 06:02 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 06:01 . 2010-04-29 06:34 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-29 06:01 . 2010-05-03 05:38 -------- d-----w- c:\program files\Spyware Doctor
2010-04-29 06:01 . 2010-04-29 06:01 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-04-29 06:01 . 2010-04-29 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-27 14:41 . 2010-04-27 14:41 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-27 10:10 . 2010-04-27 14:38 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-04-27 10:10 . 2010-04-27 10:10 -------- d-----w- c:\documents and settings\HelpAssistant\workspace
2010-04-27 09:59 . 2010-04-27 09:59 -------- d-----w- c:\documents and settings\HelpAssistant\logs
2010-04-27 04:46 . 2010-04-27 14:40 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
2010-04-27 04:42 . 2010-04-27 04:42 -------- d-----w- c:\documents and settings\HelpAssistant\.thumbnails
2010-04-27 04:42 . 2010-04-27 04:42 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans-registration
2010-04-27 04:42 . 2010-04-27 14:40 -------- d-----w- c:\documents and settings\HelpAssistant\.nbi
2010-04-27 04:42 . 2010-04-27 04:42 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans
2010-04-27 04:42 . 2010-04-27 14:40 -------- d-----w- c:\documents and settings\HelpAssistant\.gimp-2.6
2010-04-27 04:41 . 2010-04-27 14:40 -------- d-s---w- c:\documents and settings\HelpAssistant
2010-04-22 07:35 . 2010-04-23 05:05 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-04-22 07:34 . 2010-04-22 07:34 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-04-22 07:33 . 2010-04-23 05:55 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-04-22 07:32 . 2010-04-22 07:32 -------- d-----w- c:\program files\GIMP-2.0
2010-04-20 01:54 . 2010-04-20 01:57 -------- d-----w- c:\documents and settings\Owner\.netbeans
2010-04-20 01:54 . 2010-04-20 01:54 -------- d-----w- c:\documents and settings\Owner\.netbeans-registration
2010-04-20 01:52 . 2010-04-26 18:57 -------- d-----w- c:\program files\NetBeans 6.8
2010-04-20 01:49 . 2010-04-20 01:49 -------- d-----w- c:\documents and settings\Owner\.nbi
2010-04-14 19:00 . 2010-04-14 19:00 -------- d-----w- c:\program files\SimpleSites

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 02:48 . 2007-04-11 05:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-05 02:16 . 2009-10-22 16:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Vidalia
2010-05-05 02:07 . 2005-03-25 21:34 38144 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 03:38 . 2010-02-14 07:02 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-05-02 00:55 . 2004-08-11 23:25 87263 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-05-01 17:20 . 2005-03-12 18:46 -------- d-----w- c:\program files\Java
2010-04-30 23:59 . 2009-10-22 16:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Tor
2010-04-22 15:42 . 2009-02-28 20:23 -------- d-----w- c:\program files\Notepad++
2010-04-22 15:42 . 2009-02-28 20:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Notepad++
2010-04-17 05:59 . 2009-02-22 04:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-13 19:23 . 2009-09-27 08:46 -------- d-----w- c:\program files\FTP Commander
2010-04-08 20:15 . 2005-03-12 18:57 -------- d-----w- c:\program files\Common Files\AOL
2010-04-08 20:15 . 2005-03-12 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-04-08 19:56 . 2009-09-12 18:42 -------- d-----w- c:\program files\Aptana
2010-03-11 12:38 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 11:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 11:00 430080 ------w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2004-08-04 11:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 11:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2004-06-16 106571]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-07-12 5113430]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2003-09-23 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-11-12 1005096]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\McAgent.exe" [2005-09-23 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Apache Web Server Monitor.lnk - c:\program files\Zend\Apache2\bin\ApacheMonitor.exe [2009-8-6 45896]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
Zend Controller.lnk - c:\program files\Zend\ZendServer\bin\zendcontroller.exe [2009-8-6 258752]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=c:\windows\pss\UPS WorldShip PLD Reminder Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 23:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
2002-07-16 17:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
2002-08-13 21:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-23 01:29 303104 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 19:05 212992 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
2005-11-12 00:00 1005096 ----a-w- c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2006-07-30 02:34 5354792 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
2004-02-27 17:29 61440 ----a-w- c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-12-08 23:28 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
2004-05-20 16:40 188416 ----a-w- c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
2005-03-19 03:28 196608 ----a-w- c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
2005-03-03 02:19 143360 ----a-w- c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)
"MpfService"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=3 (0x3)
"McDetect.exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Namo\\WebCanvas 2006\\bin\\WebCanvas.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Zend\\Apache2\\bin\\httpd.exe"=
"c:\\Program Files\\Notepad++\\notepad++.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Xavier's Folder\\mIRC\\mirc32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7757:TCP"= 7757:TCP:Services
"7758:TCP"= 7758:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [4/28/2010 11:02 PM 207280]
R2 Apache2.2-Zend;Apache2.2-Zend;c:\program files\Zend\Apache2\bin\httpd.exe [8/6/2009 7:21 PM 29488]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 11:34 PM 112592]
R2 MySQL_ZendServer51;MySQL_ZendServer51;"c:\program files\Zend\MySQL51\bin\mysqld" --defaults-file="c:\program files\Zend\MySQL51\my.ini" MySQL_ZendServer51 --> c:\program files\Zend\MySQL51\bin\mysqld [?]
R2 ZendJavaBridge;Zend Java Bridge;c:\program files\Zend\ZendServer\bin\JavaServer.exe [8/6/2009 7:21 PM 25792]
R2 ZendMonitor;Zend Monitor;c:\program files\Zend\ZendServer\bin\MonitorNode.exe [8/6/2009 7:21 PM 307904]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [10/29/2008 4:05 PM 31896]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [6/1/2005 1:39 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [12/12/2006 9:13 AM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [6/1/2005 1:39 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [6/1/2005 1:42 PM 10368]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [3/12/2005 11:55 AM 23888]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 11:01 PM 365280]
S3 TipCtrl;TipCtrl;c:\program files\uTIPu\TipCtrl.exe [2/3/2009 12:15 PM 314504]
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-30 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (POS-3-Owner).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-03-12 02:19]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Namo SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {858B4F85-E945-4F0C-AF65-059E0AD9EEC0} - file:///D:/Interface/IntraLaunch.CAB
DPF: {A78856A6-334B-43AF-96F5-58574005910D} - hxxp://w.s0.gc.sj.ipixmedia.com/code/Einstaller.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8xhghl3q.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebEQ XP - c:\progra~1\BLAZEA~1\WEBEQT~1\WebEQ.exe
HKLM-Run-SetDefPrt - c:\program files\Brother\Brmflp03\BrStDvPt.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-PDFServiceEngine - c:\program files\PDF Suite\PDFServiceEngine.exe
MSConfigStartUp-QUICKCARE - c:\program files\Qwest\QuickCare\bin\sprtcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 20:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MPFEXE = "c:\program files\McAfee.com\Personal Firewall\MPFTray.exe"????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F237B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf7488852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89e175c0
PacketIndicateHandler -> NDIS.sys @ 0xf7b30a21
SendHandler -> NDIS.sys @ 0xf7b0e87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL_ZendServer51]
"ImagePath"="\"c:\program files\Zend\MySQL51\bin\mysqld\" --defaults-file=\"c:\program files\Zend\MySQL51\my.ini\" MySQL_ZendServer51"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-04 20:09:34
ComboFix-quarantined-files.txt 2010-05-05 03:09

Pre-Run: 937,005,056 bytes free
Post-Run: 1,612,877,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 06DB6747C33774E3E7738108F4A2A931


#10 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts

Posted 04 May 2010 - 10:36 PM

Hi, BladeZephon -

Here are the results of the HelpAsst Log:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Sun 05/02/2010 at 21:26:47.64

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1597376916-3607699578-3761090083-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.POS-3 ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.POS-3 files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 05/02/2010 at 22:19:38.35

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A104878]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 20:32:23.78

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F237B8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~


#11 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 04 May 2010 - 11:21 PM

Hi, BladeZephon -


Here is the HelpAsst Log (the one after the mbr -f, mbr -f, shutdown, restart sequence):

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Sun 05/02/2010 at 21:26:47.64

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1597376916-3607699578-3761090083-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.POS-3 ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.POS-3 files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 05/02/2010 at 22:19:38.35

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A104878]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 20:32:23.78

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F237B8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 21:15:42.31

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A75DDC0]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-1597376916-3607699578-3761090083-1004
%SystemDrive%\Documents and Settings\HelpAssistant.POS-3

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.POS-3

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7257:TCP"=7257:TCP:*:Enabled:Services
"7256:TCP"=7256:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7757:TCP"=7757:TCP:*:Enabled:Services
"7758:TCP"=7758:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7257:TCP"=7257:TCP:*:Enabled:Services
"7256:TCP"=7256:TCP:*:Enabled:Services


~~ EOF ~~


#12 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 05 May 2010 - 12:16 AM

Hi, BladeZephon -

Here's the latest log:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 21:47:34.68

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-
"3389:TCP"=-
"7257:TCP"=-
"7256:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7757:TCP"=-
"7758:TCP"=-
"3389:TCP"=-
"7257:TCP"=-
"7256:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1597376916-3607699578-3761090083-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.POS-3 ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant.POS-3 files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 22:11:40.81

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll PCTCore.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#13 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 05 May 2010 - 12:43 AM

Hi, BladeZephon -


Here's the next log prepared via the -mbrt command:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 22:37:19.51

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 22:39:09.79

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll PCTCore.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#14 darmster

darmster
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 05 May 2010 - 01:02 AM

Hi, BladeZephon -


Here's the latest and greatest from -mbrt:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 22:37:19.51

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 22:39:09.79

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll PCTCore.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 22:57:45.10

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll PCTCore.sys atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:12:36 AM

Posted 05 May 2010 - 01:21 AM

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8xhghl3q.default\
FF - prefs.js: browser.startup.homepage - about:blank

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




