
Possible directdr infection


  • This topic is locked
10 replies to this topic

#1 taize

taize

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 19 May 2010 - 07:07 AM

I think I have a directdr infection. I'm getting random new tabs being created in Firefox. These new tabs start with a directdr URL and then get redirected somewhere else. They seem to be more frequent when using Google but can appear at any time.

Malwarebytes and SUPERAntiSpyware are not picking up anything. TDSSKiller is detecting a virus, but a reboot does not fix the issue.

I've included below the gmer log, TDSSKiller log, DDS log and attached attach.txt

Thanks for the help

Kym


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-19 19:51:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Kym\LOCALS~1\Temp\fxldypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAACAAC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAACAAB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAACAB0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAACAB014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAACAA70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAACAAC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAACAA64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAACAA6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAACAAD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAACAB1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAACAACF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAACAAE70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAACB7AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAACB78EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAACB7A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 4 Bytes JMP DAAACAB0
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP AACB7A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP AACB78EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP AACB3536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP AACB4EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP AACB7ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF7913E14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1584] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1584] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1584] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1584] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0162000A
.text C:\WINDOWS\System32\svchost.exe[1584] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0161000A
.text C:\WINDOWS\Explorer.EXE[2996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2996] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2996] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0131000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0130000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86960AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

19:50:50:765 2908 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:50:50:765 2908 ================================================================================
19:50:50:765 2908 SystemInfo:

19:50:50:765 2908 OS Version: 5.1.2600 ServicePack: 3.0
19:50:50:765 2908 Product type: Workstation
19:50:50:765 2908 ComputerName: MOSES
19:50:50:765 2908 UserName: Kym
19:50:50:765 2908 Windows directory: C:\WINDOWS
19:50:50:765 2908 Processor architecture: Intel x86
19:50:50:765 2908 Number of processors: 1
19:50:50:765 2908 Page size: 0x1000
19:50:50:765 2908 Boot type: Normal boot
19:50:50:765 2908 ================================================================================
19:50:50:796 2908 UnloadDriverW: NtUnloadDriver error 2
19:50:50:796 2908 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:50:51:156 2908 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:50:51:156 2908 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:50:51:156 2908 wfopen_ex: Trying to KLMD file open
19:50:51:156 2908 wfopen_ex: File opened ok (Flags 2)
19:50:51:156 2908 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:50:51:156 2908 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:50:51:156 2908 wfopen_ex: Trying to KLMD file open
19:50:51:156 2908 wfopen_ex: File opened ok (Flags 2)
19:50:51:156 2908 Initialize success
19:50:51:156 2908
19:50:51:156 2908 Scanning Services ...
19:50:53:718 2908 Raw services enum returned 388 services
19:50:53:734 2908
19:50:53:734 2908 Scanning Kernel memory ...
19:50:53:734 2908 Devices to scan: 4
19:50:53:734 2908
19:50:53:734 2908 Driver Name: Disk
19:50:53:734 2908 IRP_MJ_CREATE : F75FDBB0
19:50:53:734 2908 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:50:53:734 2908 IRP_MJ_CLOSE : F75FDBB0
19:50:53:734 2908 IRP_MJ_READ : F75F7D1F
19:50:53:734 2908 IRP_MJ_WRITE : F75F7D1F
19:50:53:734 2908 IRP_MJ_QUERY_INFORMATION : 804F355A
19:50:53:734 2908 IRP_MJ_SET_INFORMATION : 804F355A
19:50:53:734 2908 IRP_MJ_QUERY_EA : 804F355A
19:50:53:734 2908 IRP_MJ_SET_EA : 804F355A
19:50:53:734 2908 IRP_MJ_FLUSH_BUFFERS : F75F82E2
19:50:53:734 2908 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:50:53:734 2908 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:50:53:734 2908 IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:50:53:734 2908 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:50:53:734 2908 IRP_MJ_DEVICE_CONTROL : F75F83BB
19:50:53:734 2908 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75FBF28
19:50:53:734 2908 IRP_MJ_SHUTDOWN : F75F82E2
19:50:53:734 2908 IRP_MJ_LOCK_CONTROL : 804F355A
19:50:53:734 2908 IRP_MJ_CLEANUP : 804F355A
19:50:53:734 2908 IRP_MJ_CREATE_MAILSLOT : 804F355A
19:50:53:734 2908 IRP_MJ_QUERY_SECURITY : 804F355A
19:50:53:734 2908 IRP_MJ_SET_SECURITY : 804F355A
19:50:53:734 2908 IRP_MJ_POWER : F75F9C82
19:50:53:734 2908 IRP_MJ_SYSTEM_CONTROL : F75FE99E
19:50:53:734 2908 IRP_MJ_DEVICE_CHANGE : 804F355A
19:50:53:734 2908 IRP_MJ_QUERY_QUOTA : 804F355A
19:50:53:734 2908 IRP_MJ_SET_QUOTA : 804F355A
19:50:53:812 2908 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:50:53:812 2908
19:50:53:812 2908 Driver Name: usbstor
19:50:53:812 2908 IRP_MJ_CREATE : F7834218
19:50:53:812 2908 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:50:53:812 2908 IRP_MJ_CLOSE : F7834218
19:50:53:812 2908 IRP_MJ_READ : F783423C
19:50:53:812 2908 IRP_MJ_WRITE : F783423C
19:50:53:812 2908 IRP_MJ_QUERY_INFORMATION : 804F355A
19:50:53:812 2908 IRP_MJ_SET_INFORMATION : 804F355A
19:50:53:812 2908 IRP_MJ_QUERY_EA : 804F355A
19:50:53:812 2908 IRP_MJ_SET_EA : 804F355A
19:50:53:812 2908 IRP_MJ_FLUSH_BUFFERS : 804F355A
19:50:53:812 2908 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:50:53:812 2908 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:50:53:812 2908 IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:50:53:812 2908 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:50:53:812 2908 IRP_MJ_DEVICE_CONTROL : F7834180
19:50:53:812 2908 IRP_MJ_INTERNAL_DEVICE_CONTROL : F782F9E6
19:50:53:812 2908 IRP_MJ_SHUTDOWN : 804F355A
19:50:53:812 2908 IRP_MJ_LOCK_CONTROL : 804F355A
19:50:53:812 2908 IRP_MJ_CLEANUP : 804F355A
19:50:53:812 2908 IRP_MJ_CREATE_MAILSLOT : 804F355A
19:50:53:812 2908 IRP_MJ_QUERY_SECURITY : 804F355A
19:50:53:812 2908 IRP_MJ_SET_SECURITY : 804F355A
19:50:53:812 2908 IRP_MJ_POWER : F78335F0
19:50:53:812 2908 IRP_MJ_SYSTEM_CONTROL : F7831A6E
19:50:53:812 2908 IRP_MJ_DEVICE_CHANGE : 804F355A
19:50:53:812 2908 IRP_MJ_QUERY_QUOTA : 804F355A
19:50:53:812 2908 IRP_MJ_SET_QUOTA : 804F355A
19:50:53:875 2908 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
19:50:53:875 2908
19:50:53:875 2908 Driver Name: Disk
19:50:53:875 2908 IRP_MJ_CREATE : F75FDBB0
19:50:53:875 2908 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:50:53:875 2908 IRP_MJ_CLOSE : F75FDBB0
19:50:53:875 2908 IRP_MJ_READ : F75F7D1F
19:50:53:875 2908 IRP_MJ_WRITE : F75F7D1F
19:50:53:875 2908 IRP_MJ_QUERY_INFORMATION : 804F355A
19:50:53:875 2908 IRP_MJ_SET_INFORMATION : 804F355A
19:50:53:875 2908 IRP_MJ_QUERY_EA : 804F355A
19:50:53:875 2908 IRP_MJ_SET_EA : 804F355A
19:50:53:875 2908 IRP_MJ_FLUSH_BUFFERS : F75F82E2
19:50:53:875 2908 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:50:53:875 2908 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:50:53:875 2908 IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:50:53:875 2908 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:50:53:875 2908 IRP_MJ_DEVICE_CONTROL : F75F83BB
19:50:53:875 2908 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75FBF28
19:50:53:875 2908 IRP_MJ_SHUTDOWN : F75F82E2
19:50:53:875 2908 IRP_MJ_LOCK_CONTROL : 804F355A
19:50:53:875 2908 IRP_MJ_CLEANUP : 804F355A
19:50:53:875 2908 IRP_MJ_CREATE_MAILSLOT : 804F355A
19:50:53:875 2908 IRP_MJ_QUERY_SECURITY : 804F355A
19:50:53:875 2908 IRP_MJ_SET_SECURITY : 804F355A
19:50:53:875 2908 IRP_MJ_POWER : F75F9C82
19:50:53:875 2908 IRP_MJ_SYSTEM_CONTROL : F75FE99E
19:50:53:875 2908 IRP_MJ_DEVICE_CHANGE : 804F355A
19:50:53:875 2908 IRP_MJ_QUERY_QUOTA : 804F355A
19:50:53:875 2908 IRP_MJ_SET_QUOTA : 804F355A
19:50:53:890 2908 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:50:53:890 2908
19:50:53:890 2908 Driver Name: atapi
19:50:53:890 2908 IRP_MJ_CREATE : 86351AC8
19:50:53:890 2908 IRP_MJ_CREATE_NAMED_PIPE : 86351AC8
19:50:53:890 2908 IRP_MJ_CLOSE : 86351AC8
19:50:53:890 2908 IRP_MJ_READ : 86351AC8
19:50:53:890 2908 IRP_MJ_WRITE : 86351AC8
19:50:53:890 2908 IRP_MJ_QUERY_INFORMATION : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_INFORMATION : 86351AC8
19:50:53:890 2908 IRP_MJ_QUERY_EA : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_EA : 86351AC8
19:50:53:890 2908 IRP_MJ_FLUSH_BUFFERS : 86351AC8
19:50:53:890 2908 IRP_MJ_QUERY_VOLUME_INFORMATION : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_VOLUME_INFORMATION : 86351AC8
19:50:53:890 2908 IRP_MJ_DIRECTORY_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_FILE_SYSTEM_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_DEVICE_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_SHUTDOWN : 86351AC8
19:50:53:890 2908 IRP_MJ_LOCK_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_CLEANUP : 86351AC8
19:50:53:890 2908 IRP_MJ_CREATE_MAILSLOT : 86351AC8
19:50:53:890 2908 IRP_MJ_QUERY_SECURITY : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_SECURITY : 86351AC8
19:50:53:890 2908 IRP_MJ_POWER : 86351AC8
19:50:53:890 2908 IRP_MJ_SYSTEM_CONTROL : 86351AC8
19:50:53:890 2908 IRP_MJ_DEVICE_CHANGE : 86351AC8
19:50:53:890 2908 IRP_MJ_QUERY_QUOTA : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_QUOTA : 86351AC8
19:50:53:890 2908 Driver "atapi" infected by TDSS rootkit!
19:50:53:906 2908 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
19:50:53:906 2908 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
19:50:53:906 2908 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:50:53:906 2908 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
19:50:54:656 2908 vfvi6
19:50:54:937 2908 !dsvbh1
19:50:59:531 2908 dsvbh2
19:50:59:531 2908 fdfb2
19:50:59:531 2908 Backup copy found, using it..
19:51:00:031 2908 will be cured on next reboot
19:51:00:031 2908 Reboot required for cure complete..
19:51:00:031 2908 Cure on reboot scheduled successfully
19:51:00:031 2908
19:51:00:031 2908 Completed
19:51:00:031 2908
19:51:00:031 2908 Results:
19:51:00:031 2908 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
19:51:00:031 2908 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:51:00:031 2908 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:51:00:031 2908
19:51:00:046 2908 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:51:00:046 2908 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:51:00:046 2908 UnloadDriverW: NtUnloadDriver error 1
19:51:00:046 2908 KLMD(ARK) unloaded successfully

DDS.txt will not post as txt or as an attachment. Here is the attach.txt file.

Trying with a zipped DDS file

Merged 4 posts. ~ OB

Attached Files


Edited by Orange Blossom, 19 May 2010 - 02:58 PM.
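The TDSSKiller block in the post above is the tell: every IRP_MJ_* entry of atapi resolves to one and the same address (86351AC8), while disk.sys and USBSTOR.SYS route the majors they implement to distinct routines and the ones they do not implement (named pipes, mailslots, quotas) to the kernel's shared catch-all handler (804F355A). The script below is an added example, not part of the original post and not TDSSKiller's own logic: it parses the "Driver Name:" / "IRP_MJ_* : addr" blocks from a TDSSKiller 2.2.x log and flags drivers whose dispatch table has been redirected wholesale. The sample log is a constructed, trimmed excerpt that reuses the addresses from the post; the two heuristics and the NEVER_IMPLEMENTED set are assumptions of this example, not rules from the tool.

```python
"""Flag TDL3/TDSS-style IRP dispatch hijacks in a TDSSKiller 2.2.x log.

Added example, not part of the original post or of TDSSKiller. It reads the
"Driver Name:" / "IRP_MJ_* : <addr>" blocks that TDSSKiller prints while
scanning kernel memory and applies two heuristics (assumptions, not a
TDSSKiller rule):
  1. every IRP_MJ_* entry of a driver points at one and the same address
     (a clean driver routes unimplemented majors to the kernel's catch-all
     handler and implemented ones to distinct routines in its own image);
  2. majors a storage driver never implements (named pipes, mailslots,
     quotas) do not go to the catch-all handler that the other scanned
     drivers share.
"""
import re
from collections import Counter

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")

# Majors no disk/port driver serves itself; they should hit the kernel default.
# Assumption of this example, not a list taken from TDSSKiller.
NEVER_IMPLEMENTED = {
    "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA",
}

# Constructed excerpt in the log format from the post (the real blocks list
# all 28 majors); the addresses are the ones the post shows.
SAMPLE_LOG = r"""
19:50:53:734 2908 Driver Name: Disk
19:50:53:734 2908 IRP_MJ_CREATE : F75FDBB0
19:50:53:734 2908 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:50:53:734 2908 IRP_MJ_READ : F75F7D1F
19:50:53:734 2908 IRP_MJ_SET_QUOTA : 804F355A
19:50:53:812 2908 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:50:53:812 2908 Driver Name: usbstor
19:50:53:812 2908 IRP_MJ_CREATE : F7834218
19:50:53:812 2908 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:50:53:812 2908 IRP_MJ_READ : F783423C
19:50:53:812 2908 IRP_MJ_SET_QUOTA : 804F355A
19:50:53:890 2908 Driver Name: atapi
19:50:53:890 2908 IRP_MJ_CREATE : 86351AC8
19:50:53:890 2908 IRP_MJ_CREATE_NAMED_PIPE : 86351AC8
19:50:53:890 2908 IRP_MJ_READ : 86351AC8
19:50:53:890 2908 IRP_MJ_SET_QUOTA : 86351AC8
"""


def parse_dispatch_tables(log_text):
    """Return {driver: {major: address}} for each kernel-memory block.
    A driver listed twice (Disk is, in the post) is merged into one table."""
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def shared_default_handler(tables):
    """Address that the most drivers use for never-implemented majors.
    On the XP log in the post that is 804F355A (the kernel's catch-all).
    Returns None unless at least two drivers agree, so one hijacked driver
    cannot define the baseline on its own."""
    users = Counter()
    for table in tables.values():
        for addr in {a for f, a in table.items() if f in NEVER_IMPLEMENTED}:
            users[addr] += 1
    if not users:
        return None
    addr, n = users.most_common(1)[0]
    return addr if n >= 2 else None


def find_hijacked_dispatch(tables):
    """Map driver -> list of reasons it looks hijacked; clean drivers absent."""
    default = shared_default_handler(tables)
    findings = {}
    for driver, table in tables.items():
        reasons = []
        addrs = set(table.values())
        if len(table) >= 2 and len(addrs) == 1:
            reasons.append("uniform dispatch table -> %08X" % addrs.pop())
        if default is not None:
            odd = sorted(f for f in NEVER_IMPLEMENTED
                         if f in table and table[f] != default)
            if odd:
                reasons.append("unimplemented majors bypass kernel default: "
                               + ", ".join(odd))
        if reasons:
            findings[driver] = reasons
    return findings


if __name__ == "__main__":
    hits = find_hijacked_dispatch(parse_dispatch_tables(SAMPLE_LOG))
    for drv, why in hits.items():
        print(drv, "->", "; ".join(why))
```

On the constructed excerpt only atapi is reported, for both reasons. Pointing parse_dispatch_tables at the full log from the post gives the same result, and re-running it on the log of a second TDSSKiller scan after the scheduled reboot is the quick check that the cure actually took: the atapi entries should no longer all collapse onto one address.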




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 20 May 2010 - 07:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 taize

taize
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 20 May 2010 - 09:11 PM

confirming I'm subscribed and watching this thread with anticipation

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 21 May 2010 - 04:59 PM

TDSSKiller isn't able to kill this newer variant, so let's try ComboFix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 taize

taize
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 21 May 2010 - 08:54 PM

ComboFix has been run. When running it I got the following error messages:

The application or DLL c:\WINDOWS\system32\riched32.dll is not a valid Windows image. Please check this against your installation diskette

This application has failed to start because ConnAPI.DLL was not found. Re-installing the application may fix this problem


ComboFix seemed to run successfully



The log is as follows:

___________________________________________________________

ComboFix 10-05-21.04 - Kym 22/05/2010 11:13:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1015.619 [GMT 10:00]
Running from: c:\documents and settings\Kym\Desktop\ComFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 01:13 . 2010-05-22 01:13 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-05-21 03:05 . 2010-05-21 03:05 -------- d-----w- c:\documents and settings\Kym\Application Data\wsInspector
2010-05-21 03:02 . 2010-05-21 03:04 -------- d-----w- c:\program files\Startup Inspector for Windows
2010-05-10 08:32 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-05-10 08:31 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-10 07:30 . 2010-05-10 07:30 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-10 07:30 . 2010-05-10 07:30 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-10 07:30 . 2010-05-10 07:30 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-10 07:29 . 2010-05-10 07:29 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-10 07:29 . 2010-05-10 07:29 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-10 07:28 . 2010-05-10 07:28 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-10 07:28 . 2010-05-10 07:28 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-10 07:28 . 2010-05-10 07:28 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-10 07:28 . 2010-05-10 07:28 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-10 07:25 . 2010-05-10 07:25 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-03 10:45 . 2010-05-03 11:58 -------- d-----w- c:\documents and settings\Kym\Application Data\FileZilla
2010-05-03 10:45 . 2010-05-03 10:45 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-03 08:05 . 2006-09-28 06:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-05-03 08:04 . 2010-05-03 08:04 -------- d-----w- c:\documents and settings\Kym\Local Settings\Application Data\PassMark
2010-05-01 02:06 . 2010-05-14 04:58 334776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-30 05:35 . 2001-08-17 12:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-30 05:35 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-04-30 05:35 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-04-30 05:35 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-29 03:58 . 2010-04-29 03:58 -------- d-----w- c:\documents and settings\Kym\Local Settings\Application Data\CounterPath Corporation
2010-04-29 03:58 . 2010-04-29 03:58 -------- d-----w- c:\documents and settings\Kym\Local Settings\Application Data\CounterPath
2010-04-29 03:57 . 2010-04-29 03:57 -------- d-----w- c:\program files\CounterPath
2010-04-25 06:53 . 2010-04-25 06:53 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-04-24 11:22 . 2010-04-24 11:22 -------- d-----w- c:\documents and settings\Steph\Application Data\PC Suite
2010-04-24 10:54 . 2010-04-24 08:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-24 08:42 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-24 08:42 . 2010-04-24 08:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-24 08:27 . 2010-04-24 08:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-24 08:27 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-24 08:26 . 2010-04-24 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-24 08:26 . 2010-04-24 08:27 -------- d-----w- c:\program files\Lavasoft
2010-04-24 02:50 . 2010-04-24 02:52 -------- d-----w- c:\documents and settings\Kym\Application Data\Nokia
2010-04-24 02:48 . 2010-04-24 02:48 -------- d-----w- c:\program files\Common Files\PCSuite
2010-04-24 02:45 . 2010-04-24 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2010-04-23 22:15 . 2010-04-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-04-23 22:15 . 2010-04-24 02:53 -------- d-----w- c:\documents and settings\Kym\Application Data\PC Suite
2010-04-23 22:15 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-04-23 22:15 . 2008-04-13 18:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-04-23 22:14 . 2008-11-07 08:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-23 22:11 . 2010-04-23 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-04-23 21:59 . 2010-04-24 02:50 -------- d-----w- c:\program files\DIFX
2010-04-23 21:59 . 2008-08-25 23:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-23 21:58 . 2010-04-23 21:58 -------- d-----w- c:\program files\PC Connectivity Solution
2010-04-23 21:58 . 2010-02-26 03:21 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2010-04-23 21:58 . 2010-02-26 03:21 137344 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2010-04-23 21:58 . 2010-02-26 03:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-04-23 21:58 . 2010-02-26 03:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-04-23 21:58 . 2010-02-26 03:32 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-04-23 21:58 . 2010-02-26 03:32 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-04-23 21:58 . 2010-02-26 03:32 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-04-23 21:58 . 2010-02-26 03:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-04-23 21:58 . 2010-02-26 03:32 92672 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-04-23 21:56 . 2010-04-24 02:48 -------- d-----w- c:\program files\Common Files\Nokia
2010-04-23 21:56 . 2010-04-24 02:48 -------- d-----w- c:\program files\Nokia
2010-04-23 21:56 . 2010-04-23 21:53 35362608 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\NokiaSoftwareUpdaterSetup_en.exe
2010-04-23 21:54 . 2010-04-23 21:54 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\msxml6Exec.exe
2010-04-23 21:54 . 2010-04-23 21:54 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\Sleep.exe
2010-04-23 21:54 . 2010-04-23 21:54 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\vcredistExec.exe
2010-04-23 21:53 . 2010-04-23 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-04-23 04:34 . 2010-04-23 04:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-22 11:34 . 2008-12-19 04:11 230656 ----a-w- c:\windows\system32\cplsp.dll
2010-04-22 11:34 . 2010-04-22 11:34 -------- d-----w- c:\program files\CyberPatrol LLC
2010-04-22 11:34 . 2010-04-22 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberPatrol

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 01:11 . 2008-07-29 11:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-22 01:09 . 2009-07-28 10:36 -------- d-----w- c:\documents and settings\Kym\Application Data\Skype
2010-05-22 00:48 . 2009-07-28 23:39 -------- d-----w- c:\documents and settings\Kym\Application Data\Free Download Manager
2010-05-22 00:39 . 2009-07-28 10:37 -------- d-----w- c:\documents and settings\Kym\Application Data\skypePM
2010-05-21 22:40 . 2009-08-04 02:12 -------- d-----w- c:\documents and settings\Kym\Application Data\RssPopper
2010-05-21 22:33 . 2009-09-08 00:45 -------- d-----w- c:\documents and settings\Kym\Application Data\EndNote
2010-05-19 10:07 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-19 09:38 . 2009-08-23 01:28 -------- d-----w- c:\program files\MP4 Player
2010-05-19 08:09 . 2009-07-28 23:39 -------- d-----w- c:\program files\Free Download Manager
2010-05-16 21:25 . 2010-04-20 07:51 117760 ----a-w- c:\documents and settings\Kym\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-16 13:04 . 2010-04-18 22:37 -------- d-----w- c:\program files\iviewnapper
2010-05-16 10:56 . 2009-08-22 21:13 -------- d-----w- c:\documents and settings\Kym\Application Data\uTorrent
2010-05-14 05:27 . 2009-11-20 02:38 60 ----a-w- c:\windows\wpd99.drv
2010-05-14 05:27 . 2009-11-20 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-05-13 05:50 . 2008-07-29 12:37 188152 ----a-w- c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\FlashGot.exe
2010-05-11 05:27 . 2009-07-28 23:38 -------- d-----w- c:\documents and settings\Kym\Application Data\TeamViewer
2010-05-10 10:23 . 2009-08-22 21:13 -------- d-----w- c:\program files\uTorrent
2010-05-10 07:31 . 2010-04-19 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-10 07:31 . 2010-04-19 21:55 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-10 07:30 . 2008-07-29 11:37 -------- d-----w- c:\program files\DivX
2010-05-10 07:25 . 2010-04-19 20:48 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-10 07:24 . 2010-04-19 20:48 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-07 17:26 . 2010-04-20 10:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 20:59 . 2010-04-21 10:09 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-04-21 10:09 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-04-21 10:09 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-04-21 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2010-04-21 10:09 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2010-04-21 10:09 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2010-04-21 10:09 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2010-04-21 10:09 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-03 18:48 . 2010-04-07 07:04 -------- d-----w- c:\documents and settings\Kym\Application Data\vlc
2010-05-03 13:52 . 2009-11-17 04:41 -------- d-----w- c:\program files\Paint.NET
2010-05-01 18:56 . 2008-07-29 11:49 -------- d-----w- c:\documents and settings\Kym\Application Data\Internode
2010-04-25 22:06 . 2008-07-29 04:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-25 21:23 . 2010-03-03 00:53 -------- d-----w- c:\documents and settings\Kym\Application Data\Dropbox
2010-04-24 07:06 . 2009-07-28 11:37 84160 ----a-w- c:\documents and settings\Kym\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 02:51 . 2010-04-24 02:51 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-04-24 02:51 . 2010-04-24 02:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-04-23 22:14 . 2010-04-23 22:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-04-23 22:14 . 2010-04-23 22:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-23 08:03 . 2009-07-30 03:42 -------- d-----w- c:\documents and settings\Steph\Application Data\Skype
2010-04-23 06:00 . 2009-07-30 07:39 -------- d-----w- c:\documents and settings\Steph\Application Data\skypePM
2010-04-22 11:05 . 2010-04-20 22:44 -------- d-----w- c:\documents and settings\Kym\Application Data\Libronix DLS
2010-04-22 10:15 . 2010-04-20 22:44 -------- d-----w- c:\program files\Libronix DLS
2010-04-21 23:53 . 2010-04-21 23:52 -------- d-----w- c:\program files\Unlocker
2010-04-21 22:15 . 2008-07-29 05:05 -------- d-----w- c:\program files\Altiris
2010-04-21 10:09 . 2010-04-21 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-21 10:09 . 2008-07-29 05:40 -------- d-----w- c:\program files\Alwil Software
2010-04-21 09:47 . 2009-07-31 10:42 -------- d-----w- c:\documents and settings\Kym\Application Data\DivX
2010-04-21 09:47 . 2010-01-13 02:55 -------- d-----w- c:\program files\JDownloader
2010-04-21 09:02 . 2010-04-19 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 22:44 . 2010-04-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Libronix DLS
2010-04-20 07:53 . 2010-04-20 07:53 -------- d-----w- c:\program files\Enigma Software Group
2010-04-20 07:52 . 2010-04-20 07:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-20 07:51 . 2010-04-20 07:51 52224 ----a-w- c:\documents and settings\Kym\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 07:49 . 2010-04-20 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-20 07:49 . 2010-04-20 07:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 07:48 . 2010-04-20 07:48 -------- d-----w- c:\documents and settings\Kym\Application Data\SUPERAntiSpyware.com
2010-04-20 06:56 . 2010-04-19 04:06 -------- d-----w- c:\program files\Free DVD Creator
2010-04-19 20:48 . 2010-04-19 20:48 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-19 20:47 . 2010-04-19 20:47 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-19 20:47 . 2010-04-19 20:47 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-19 20:47 . 2010-04-19 20:47 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-04-19 20:46 . 2010-04-19 20:46 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-04-19 20:46 . 2010-04-19 20:46 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-04-19 20:46 . 2010-04-19 20:46 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-19 20:46 . 2010-04-19 20:46 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-19 20:46 . 2009-07-28 10:28 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-19 20:46 . 2010-04-19 20:46 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-19 20:22 . 2004-08-04 12:00 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-19 08:28 . 2010-04-19 08:28 -------- d-----w- c:\documents and settings\Kym\Application Data\Xilisoft
2010-04-19 07:30 . 2010-04-19 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2010-04-19 06:15 . 2010-04-19 06:15 -------- d-----w- c:\documents and settings\Kym\Application Data\Video DVD Maker FREE
2010-04-19 05:03 . 2010-04-19 04:42 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-04-19 04:56 . 2010-04-19 04:53 -------- d-----w- c:\documents and settings\Kym\Application Data\Media Player Classic
2010-04-19 00:44 . 2010-04-19 00:44 -------- d-----w- c:\documents and settings\Kym\Application Data\Malwarebytes
2010-04-19 00:43 . 2010-04-19 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 16:47 . 2010-04-21 10:09 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-13 00:21 . 2010-04-13 00:21 -------- d-----w- c:\documents and settings\Kym\Application Data\Office Genuine Advantage
2010-04-12 04:55 . 2009-08-06 11:28 73760 ----a-w- c:\documents and settings\Steph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 21:56 . 2010-04-09 21:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-10 17:04 . 2009-11-18 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-09 21:52 . 2010-04-09 21:46 -------- d-----w- c:\program files\Microsoft
2010-04-09 21:52 . 2010-04-09 21:52 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-04-09 21:51 . 2010-04-09 21:45 -------- d-----w- c:\program files\Windows Live
2010-04-09 21:50 . 2010-04-09 21:50 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-04-09 21:48 . 2010-04-09 21:48 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-09 21:45 . 2010-04-09 21:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-09 21:40 . 2010-04-09 21:40 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-07 22:45 . 2010-04-07 22:45 -------- d-----w- c:\documents and settings\Kym\Application Data\CloneSpy
2010-04-07 22:45 . 2010-04-07 22:45 -------- d-----w- c:\program files\CloneSpy
2010-04-07 07:02 . 2010-04-07 07:02 -------- d-----w- c:\program files\VideoLAN
2010-04-07 05:34 . 2010-04-07 05:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 22:18 . 2009-07-28 23:38 -------- d-----w- c:\program files\TeamViewer
2010-04-06 04:57 . 2010-04-06 04:57 -------- d-----w- c:\program files\KONICA MINOLTA
2010-03-31 01:58 . 2008-07-29 11:37 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2008-07-29 05:15 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2008-07-29 05:15 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2004-07-12 16:03 44944 ----a-w- c:\windows\system32\drivers\pxhelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 02:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kym\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kym\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kym\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 00:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 00:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather Tracker3"="c:\program files\Weatherzone Tracker\weather_tracker.exe" [2009-07-17 2888403]
"InternodeUsage"="c:\progra~1\INTERN~2\mum.exe" [2010-02-07 1363456]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-08 26100520]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-13 1388544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-26 122941]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 88209]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"CertificateRegistration"="aetcrss1.exe" [2006-10-12 40960]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"CyberPatrolNew"="c:\program files\CyberPatrol LLC\CyberPatrol\cphq.exe" [2008-12-19 1975552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-24 969792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 05:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2005-11-26 04:41 40960 ------w- c:\windows\VM_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 03:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-08 11:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2006-11-28 04:12 222720 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 15:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2005-07-04 06:47 184320 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 10:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X-Lite Beta]
2010-01-19 06:44 2028344 ----a-w- c:\program files\CounterPath\X-Lite Beta\X-Lite.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009-10\\QBDBMgrN.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberPatrol LLC\\CyberPatrol\\cpserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Kym\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/04/2010 6:42 PM 64288]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [29/07/2008 9:31 PM 127520]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/04/2010 8:09 PM 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 AM 66632]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [29/07/2008 9:32 PM 86560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/04/2010 8:09 PM 19024]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [29/07/2008 9:31 PM 1239584]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [16/04/2010 5:18 PM 173352]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/05/2004 2:26 AM 88192]
S2 gupdate1ca0f6e252a9278;Google Update Service (gupdate1ca0f6e252a9278);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 CyberPatrol UpdateService;CyberPatrol UpdateService;c:\program files\CyberPatrol LLC\CyberPatrol\UpdateService.exe [22/04/2010 9:34 PM 144704]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [17/12/2009 10:29 PM 87424]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1265264]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [24/04/2010 7:58 AM 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [24/04/2010 7:58 AM 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 AM 12872]
S3 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [29/07/2008 9:31 PM 69664]
S3 ZSMC302;EZCOOL USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [8/08/2009 7:44 PM 91263]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\aetsprov]
2006-10-31 04:30 73728 ----a-w- c:\windows\system32\aetsprov.dll
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 08:40]

2010-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Subscribe in RSS Popper - c:\program files\RSS Popper\ie_subscribe.htm
LSP: c:\windows\system32\cplsp.dll
FF - ProfilePath - c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\extensions\{5bf36ed7-22ce-4e58-9f6f-7e7cc353e15a}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\extensions\{5bf36ed7-22ce-4e58-9f6f-7e7cc353e15a}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\extensions\{c7a8271f-34a6-44cd-bc10-8a1bca6ac2cc}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Kym\Application Data\Mozilla\Firefox\Profiles\q0pxv36t.default\extensions\{c7a8271f-34a6-44cd-bc10-8a1bca6ac2cc}\components\RadioWMPCore.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast -
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: general.useragent.extra.zencast - );user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????0?1?8?9??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-22 11:28:11
ComboFix-quarantined-files.txt 2010-05-22 01:27

Pre-Run: 32,840,785,920 bytes free
Post-Run: 33,357,299,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A3ED4731CB54FEBB8A702046FDF0BF21

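Added example (editor's note, not part of the thread and not ComboFix's own code): the "Reg Loading Points" and firewall-policy sections above are the parts of a ComboFix log a responder reads by hand, so here is the same triage in code. It parses the Run values and the AuthorizedApplications / GloballyOpenPorts lists and flags the three things worth a second look in this log: Run values whose command is a bare file name with no directory (AGRSMMSG.exe and aetcrss1.exe, which Windows resolves through the search path), firewall-authorised executables outside Program Files or the Windows directory (Dropbox.exe under the user profile, legitimate here but exactly the location malware favours), and inbound ports opened to everyone. The sample text is copied from the log above; the TRUSTED_ROOTS list is this example's assumption about where expected code lives on an XP box.

```python
"""Triage of the 'Reg Loading Points' and firewall-policy sections of a
ComboFix log. Added example, not ComboFix code; sample text is copied from
the log in this thread."""
import re
from typing import Dict, List, Tuple

# "Name"="command" [date size]   (one Run value per line, as ComboFix prints it)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# "c:\\path\\app.exe"=            (AuthorizedApplications entry, backslashes doubled)
APP_RE = re.compile(r'^"(?P<path>.+?)"=\s*$')
# "8000:UDP"= 8000:UDP:<description>   (GloballyOpenPorts entry)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')

# Assumption of this example: roots from which auto-started or firewall-authorised
# code is expected on an XP box. Anything elsewhere (user profile, temp) gets reviewed.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")


def parse_run_entries(section: str) -> List[Dict[str, str]]:
    """Return one dict per Run value: name, command path and ComboFix's [date size] note."""
    entries = []
    for line in section.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "path": m["path"], "meta": m["meta"]})
    return entries


def parse_firewall(section: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (authorised application paths, (port, proto, description) tuples)."""
    apps, ports = [], []
    for line in section.splitlines():
        line = line.strip()
        m = APP_RE.match(line)
        if m:
            apps.append(m["path"].replace("\\\\", "\\"))  # undo the doubled backslashes
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m["port"]), m["proto"], m["desc"].strip()))
    return apps, ports


def triage_run(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run values with no directory in the command: the loader finds the file through the
    search path, so a same-named file in a writable directory earlier on that path would
    run instead. Verify where each one actually resolves."""
    return [e for e in entries if "\\" not in e["path"]]


def triage_firewall(apps: List[str], ports: List[Tuple[int, str, str]]) -> List[Tuple[str, str]]:
    findings = []
    for app in apps:
        if not app.lower().startswith(TRUSTED_ROOTS):
            findings.append(("authorised app outside Program Files/Windows", app))
    for port, proto, desc in ports:
        findings.append(("globally open inbound port", f"{port}/{proto} {desc}"))
    return findings


# Sample input copied from the ComboFix log above (constructed subset, not live data).
SAMPLE_RUN = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 88209]
"CertificateRegistration"="aetcrss1.exe" [2006-10-12 40960]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
'''
SAMPLE_FIREWALL = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kym\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
'''

if __name__ == "__main__":
    for e in triage_run(parse_run_entries(SAMPLE_RUN)):
        print(f"Run value resolved via search path: {e['name']} -> {e['path']}")
    for what, detail in triage_firewall(*parse_firewall(SAMPLE_FIREWALL)):
        print(f"{what}: {detail}")
```

On this log the two unqualified Run values belong to the Agere modem and the Aetec smart-card tools and the Dropbox entry is legitimate, so the output is a review list, not a verdict; the value of the check is that it surfaces the same lines a helper like m0le reads first.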

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 22 May 2010 - 02:03 PM

Please rerun Gmer and post the new log
m0le is a proud member of UNITE

#7 taize
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:23 AM

Posted 23 May 2010 - 07:19 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 11:21:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Kym\LOCALS~1\Temp\fxldypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA989BC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA989BB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA989C0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA989C014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA989B70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA989BC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA989B64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA989B6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA989BD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA989C1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA989BCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA989BE70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA98A8AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA98A88EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA98A8A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 4 Bytes JMP DAA989C0
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP A98A8A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP A98A88EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP A98A4536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP A98A5EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP A98A8ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

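Added example (editor's note, not part of the thread and not GMER code): the judgement m0le makes on the GMER log above, that every SSDT hook, inline patch and attached device belongs to avast! or another known product and nothing is left unexplained, can be mechanised. The parser below reads the SSDT / Code / kernel-code-section / Devices lines, pulls out the module and vendor GMER prints in parentheses, groups the hooked routines by vendor and lists any hook GMER could not attribute to a module. In this log that leaves exactly one line, the ZwCallbackReturn inline JMP, which is the line to check by hand (its target address sits in the same range as the other aswSP.SYS hooks). The sample lines are copied from the GMER log above.

```python
"""Group the hooks in a GMER log by owning module and surface the unattributed ones.
Added example, not GMER code; sample lines are copied from the log in this thread."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# "<module> (<description>/<vendor>)" is how GMER prints an identified driver
MODULE_RE = re.compile(
    r'(?P<module>\S+\.(?:sys|exe|dll))\s+\((?P<desc>[^/()]+)/(?P<vendor>[^)]+)\)', re.I)
# inline patch: "<section> <image>!<symbol> [+ off] <addr> <n> Bytes <patch ...>"
PATCH_RE = re.compile(
    r'^(?P<section>\.text|PAGE|INIT|\.rsrc)\s+(?P<image>\S+)!(?P<symbol>\S+)'
    r'(?:\s+\+\s+(?P<off>\S+))?\s+(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.*)$', re.I)
SYSCALL_KINDS = ("SSDT", "Code")
DEVICE_KINDS = ("Device", "AttachedDevice")


def _hooked_routine(tokens: List[str]) -> str:
    """The hooked routine is the token before a trailing [0x...] address, else the last token."""
    return tokens[-2] if tokens[-1].startswith("[0x") else tokens[-1]


def parse_gmer(text: str) -> List[Dict[str, Optional[str]]]:
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        tokens = line.split()
        kind = tokens[0]
        patch = PATCH_RE.match(line)
        if patch:
            kind, target = "Patch", f'{patch["image"]}!{patch["symbol"]}'
        elif kind in SYSCALL_KINDS:
            target = _hooked_routine(tokens)
        elif kind in DEVICE_KINDS:
            target = " ".join(tokens[1:3])  # driver object and device name
        else:
            continue  # headers, version banner, everything else
        mod = MODULE_RE.search(line)
        hooks.append({"kind": kind, "target": target,
                      "module": mod["module"] if mod else None,
                      "vendor": mod["vendor"].strip() if mod else None,
                      "line": line})
    return hooks


def summarize(hooks: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Vendor -> sorted list of distinct hooked targets; '<unattributed>' collects the rest."""
    by_vendor = defaultdict(set)
    for h in hooks:
        by_vendor[h["vendor"] or "<unattributed>"].add(h["target"])
    return {v: sorted(t) for v, t in by_vendor.items()}


def unattributed(hooks: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Hooks GMER could not tie to a module: review these first."""
    return [h for h in hooks if h["vendor"] is None]


# Sample input copied from the GMER log above (constructed subset, not live data).
SAMPLE_GMER = r'''
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA989BC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA989B64C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA98A8AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 4 Bytes JMP DAA989C0
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP A98A8A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
'''

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_GMER)
    for vendor, targets in summarize(hooks).items():
        print(f"{vendor}: {', '.join(targets)}")
    for h in unattributed(hooks):
        print("REVIEW:", h["line"])
```

The grouping is only as good as GMER's attribution: a rootkit that hides its driver object shows up here as an unattributed hook, which is the right place for it to land, but a malicious driver that GMER identifies by name would be listed under whatever vendor string its version resource carries, so the vendor column is a sorting aid, not a trust decision.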

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 23 May 2010 - 09:38 AM

Good, the rootkit's gone and the Combofix log looks good.


Please run ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 taize

taize
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:23 AM

Posted 23 May 2010 - 09:05 PM

Here is the eset log

C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\10\cfedf0a-15ceb305 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\14\4b06bce-5528b752 a variant of Java/Exploit.Agent.F trojan deleted - quarantined
C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\5\57350345-3da9a9a2 a variant of Java/Exploit.Agent.F trojan deleted - quarantined


I have had no redirects since we ran combofix!
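An ESET report line packs a path that may contain spaces, an optional "a variant of" prefix, the detection name, the threat type and the action taken into one line. The following is an added example, not from the thread or from ESET, that parses such lines and groups the hits by where they were found, so that a report like the one above immediately shows that every detection sits in the Java deployment cache. The sample lines are copied from the post; the location buckets are a constructed assumption for triage, not ESET's own categories:

```python
import re
from collections import Counter

# Constructed sample: lines in the layout of the ESET Online Scanner report
# quoted above (paths and detection names copied from that post).
SAMPLE_ESET = r"""
C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\10\cfedf0a-15ceb305 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\14\4b06bce-5528b752 a variant of Java/Exploit.Agent.F trojan deleted - quarantined
C:\Documents and Settings\Kym\Application Data\Sun\Java\Deployment\cache\6.0\5\57350345-3da9a9a2 a variant of Java/Exploit.Agent.F trojan deleted - quarantined
"""

# Paths contain spaces, so the path is matched non-greedily up to the first
# token shaped like an ESET detection name ("Family/Name", optionally prefixed
# with "a variant of"); the threat type and the action taken follow it.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<variant>a variant of )?(?P<detection>[A-Za-z0-9]+/[\w.]+)\s+"
    r"(?P<threat_type>\w+)\s+"
    r"(?P<action>.+)$"
)

# Hypothetical location buckets used for triage (an assumption of this
# example, not ESET's own categories). Matched case-insensitively.
LOCATION_MARKERS = [
    ("\\sun\\java\\deployment\\cache\\", "java-cache"),
    ("\\temporary internet files\\", "ie-cache"),
    ("\\temp\\", "temp"),
    ("\\system32\\", "system32"),
]


def classify_location(path):
    low = path.lower()
    for marker, bucket in LOCATION_MARKERS:
        if marker in low:
            return bucket
    return "other"


def parse_eset_line(line):
    """Return a dict for one report line, or None if it is not a detection."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "detection": m["detection"],
        "family": m["detection"].split("/", 1)[0],
        "variant": m["variant"] is not None,
        "threat_type": m["threat_type"],
        "action": m["action"],
        "location": classify_location(m["path"]),
    }


def parse_eset(text):
    return [r for r in (parse_eset_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count detections by location bucket and by detection family, and list
    any entry the scanner reported without deleting or cleaning it.

    When every hit lands in one application's cache, that application (here
    the Java plug-in) is the delivery channel to patch or remove.
    """
    return {
        "locations": Counter(r["location"] for r in records),
        "families": Counter(r["family"] for r in records),
        "not_removed": [r["path"] for r in records
                        if "deleted" not in r["action"]
                        and "cleaned" not in r["action"]],
    }


if __name__ == "__main__":
    recs = parse_eset(SAMPLE_ESET)
    s = summarize(recs)
    for r in recs:
        print(f"[{r['location']:10}] {r['detection']:35} {r['action']}")
    print("by location:", dict(s["locations"]))
    print("still present:", s["not_removed"] or "none")
```

The "not_removed" list is the part to act on after a scan: a quarantined cache file is gone, but an entry the scanner could only report (locked, in use, or on removable media) still needs attention.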



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 24 May 2010 - 02:18 AM

Yes, you are ready to roll...almost...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it taize, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:23 PM

Posted 28 May 2010 - 06:02 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
