Trojans, Malware, etc.


25 replies to this topic

#1 pscott

pscott

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 01 June 2010 - 08:42 PM

I know that my computer has a lot of viruses, etc. on it, but I'm not sure what they are and definitely don't know how to get rid of them.
Please help!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-01 21:24:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CASSAN~1\LOCALS~1\Temp\pwdoapow.sys


---- System - GMER 1.0.15 ----

Code 82B584D0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 82BD3660
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x82AF2200, 0x32E2A, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[1024] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[1684] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[1720] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[3172] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[3172] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}
? C:\WINDOWS\System32\svchost.exe[3196] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[3196] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [82AF9984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A7DD5D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033@DTSTransformDescription Write File
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\dtspump.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ DTSPump.DataPumpTransformWriteFile.2.0
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ DTSPump.DataPumpTransformWriteFile
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLDMO.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ SQLDMO.DistributionArticle.8.0
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\VersionIndependentProgID@ SQLDMO.DistributionArticle

---- Files - GMER 1.0.15 ----

File C:\i386\symndis.sys (size mismatch) 47192/182656 bytes executable
File C:\i386\ndis.sys (size mismatch) 182912/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:41 PM

Posted 02 June 2010 - 03:21 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy

Edited by extremeboy, 02 June 2010 - 03:21 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 pscott

pscott
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 02 June 2010 - 09:56 PM

Thanks for your prompt reply. The computer has trouble crashing right after startup, with the pointer freezing or the screen going black. At other times an error comes up when surfing the web and Windows has to close. Thanks.
Below are the attachments of the files you requested.

Attached File: DDS.txt (12.48KB, 9 downloads)
Attached File: Attach.txt (14.48KB, 7 downloads)
Attached File: ark.text.log (8.79KB, 1 download)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Cassandra and Meliss at 21:55:39.43 on Mon 05/31/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.82 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cassandra and Meliss\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/login.php
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://maxsun.biz/in.cgi?9&key=ashley+tisdale+interviews
mSearchAssistant = hxxp://www.google.com/ie
BHO: : {4e8e1866-43a1-4b49-86db-4049288df10f} - c:\windows\system32\mhsyqjs.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: Internet Speed Monitor: {1ed6a320-8af3-4f06-868a-9ba95585712e} - c:\program files\ism\BndDrive7.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [delltransferagent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [dellsupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ysearchprotection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [realtray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dvdlauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [syntplpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [syntpenh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [pronomgrwired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [isusscheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [isuspm startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [hp software update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [groovemonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [dell wireless manager ui] c:\windows\system32\WLTRAY
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\belkin 802.11g wireless card configuration utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: e&xport to microsoft excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272982219296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232569447453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: qufmoaub - mhsyqjs.dll
AppInit_DLLs: c:\docume~1\cassan~1\locals~1\temp\380796320mxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 urbqhvfe;urbqhvfe;c:\windows\system32\drivers\urbqhvfe.sys [2004-8-10 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-21 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-21 308064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-6 24652]
S0 irkb;irkb;c:\windows\system32\drivers\ouqcbvtk.sys --> c:\windows\system32\drivers\ouqcbvtk.sys [?]
S1 158f027f;158f027f;c:\windows\system32\drivers\158f027f.sys --> c:\windows\system32\drivers\158f027f.sys [?]
S1 400fb0a3;400fb0a3;c:\windows\system32\drivers\400fb0a3.sys --> c:\windows\system32\drivers\400fb0a3.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-18 38224]

=============== Created Last 30 ================

2010-06-01 01:52:39 0 ----a-w- c:\documents and settings\cassandra and meliss\defogger_reenable
2010-05-28 14:01:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 14:01:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-28 13:33:09 0 d-----w- c:\program files\Trend Micro
2010-05-24 01:45:24 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-24 01:45:24 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-21 16:56:55 0 d--h--w- C:\$AVG
2010-05-21 16:27:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 16:27:15 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 16:27:06 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 16:26:51 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-21 16:23:02 0 d-----w- c:\program files\AVG
2010-05-21 16:22:37 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-18 16:32:33 0 d-----w- c:\docume~1\cassan~1\applic~1\Malwarebytes
2010-05-18 16:32:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 16:32:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 16:32:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 16:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-18 16:01:42 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-18 16:01:42 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-05-18 16:01:42 142592 ----a-w- c:\windows\system32\dllcache\aec.sys
2010-05-06 18:35:30 0 d-----w- c:\docume~1\cassan~1\applic~1\HpUpdate
2010-05-06 18:34:59 0 d-----w- c:\windows\Hewlett-Packard
2010-05-04 13:59:48 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 13:54:36 149 ----a-w- C:\xcrashdump.dat

==================== Find3M ====================

2009-01-06 16:11:22 56 --sh--r- c:\windows\system32\640B3FA46B.sys
2009-01-06 16:11:22 1786 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-28 10:49:31 32768 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-06-14 04:35:55 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-20 02:08:24 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021920090220\index.dat
2009-05-25 10:16:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051820090525\index.dat
2009-05-25 22:21:29 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052520090526\index.dat
2009-05-26 11:29:30 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052620090527\index.dat
2009-05-28 03:00:21 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052720090528\index.dat
2009-05-28 10:49:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052820090529\index.dat

============= FINISH: 21:56:57.87 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/15/2005 9:24:16 PM
System Uptime: 5/31/2010 6:36:58 PM (3 hours ago)

Motherboard: Dell Inc. | | 0U6962
Processor: Intel® Celeron® M processor 1.40GHz | Microprocessor | 1396/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 52 GiB total, 40.301 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
AOLIcon
AVG Free 9.0
Conexant D110 MDC V.9x Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell System Restore
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
EarthLink setup files
HiJackThis
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Update
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internal Network Card Power Management
Internet Explorer Default Page
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Jasc Paint Shop Pro Studio, Dell Editon
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 3
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (SOSHOME22)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Norton Security Center
PowerDVD 5.5
QuickSet
QuickTime
RealPlayer Basic
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB960763)
Update for Windows XP (KB967715)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

5/31/2010 5:13:49 PM, error: System Error [1003] - Error code 00000025, parameter1 000b0108, parameter2 00000000, parameter3 00000000, parameter4 00000000.
5/31/2010 5:13:36 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/31/2010 5:11:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
5/31/2010 5:00:57 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
5/31/2010 4:31:14 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The paging file is too small for this operation to complete.
5/31/2010 4:31:13 PM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
5/31/2010 4:31:13 PM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: The specified driver is invalid.
5/31/2010 4:31:13 PM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Insufficient system resources exist to complete the requested service.
5/31/2010 4:31:13 PM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
5/31/2010 4:31:13 PM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
5/31/2010 4:31:13 PM, error: NLA [0] -
5/31/2010 4:31:12 PM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The specified driver is invalid.
5/31/2010 4:31:03 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
5/31/2010 4:31:03 PM, error: Service Control Manager [7023] - The Terminal Services service terminated with the following error: The paging file is too small for this operation to complete.
5/31/2010 4:31:03 PM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The paging file is too small for this operation to complete.
5/31/2010 4:31:03 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The paging file is too small for this operation to complete.
5/31/2010 4:30:58 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\mlang.dll. Reference error message: Error Message is unavailable .
5/28/2010 9:57:56 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ACER-6E40E97492 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{BE4B4DA8-7D1. The master browser is stopping or an election is being forced.
5/28/2010 9:17:29 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
5/28/2010 12:14:13 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
5/28/2010 11:15:56 AM, error: PlugPlayManager [12] - The device 'SONY DVD+-RW DW-D56A' (IDE\CdRomSONY_DVD+-RW_DW-D56A____________________PDS7____\5&2c66fe68&0&0.1.0) disappeared from the system without first being prepared for removal.
5/28/2010 11:15:46 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
5/28/2010 11:15:46 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
5/28/2010 1:53:35 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
5/28/2010 1:41:27 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8291aa00, parameter3 8291ab74, parameter4 805c8c88.
5/28/2010 1:39:11 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8290b3b0, parameter3 8290b524, parameter4 805c8c88.
5/27/2010 9:54:58 PM, error: Service Control Manager [7022] - The Fax service hung on starting.
5/27/2010 9:36:52 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
5/27/2010 9:34:00 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
5/27/2010 9:34:00 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/27/2010 9:24:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
5/27/2010 9:24:30 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/27/2010 9:24:27 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
5/27/2010 9:20:02 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
5/27/2010 9:20:02 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
5/27/2010 9:19:50 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
5/25/2010 10:14:16 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
5/24/2010 10:16:36 AM, error: System Error [1003] - Error code 0000007a, parameter1 c07c1688, parameter2 c0000015, parameter3 f82d1a35, parameter4 0f27e860.
5/24/2010 10:14:24 AM, error: Service Control Manager [7022] - The HP Network Devices Support service hung on starting.

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-01 21:24:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CASSAN~1\LOCALS~1\Temp\pwdoapow.sys


---- System - GMER 1.0.15 ----

Code 82B584D0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 82BD3660
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x82AF2200, 0x32E2A, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[1024] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[1684] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[1720] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[3172] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[3172] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}
? C:\WINDOWS\System32\svchost.exe[3196] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dllunknown module: urlmon.dll
.text C:\WINDOWS\System32\svchost.exe[3196] USER32.dll!SetForegroundWindow 7E4242ED 8 Bytes [B8, 01, 00, 00, 00, C2, 04, ...] {MOV EAX, 0x1; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [82AF9984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A7DD5D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033@DTSTransformDescription Write File
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\dtspump.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ DTSPump.DataPumpTransformWriteFile.2.0
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ DTSPump.DataPumpTransformWriteFile
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLDMO.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ SQLDMO.DistributionArticle.8.0
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\VersionIndependentProgID@ SQLDMO.DistributionArticle

---- Files - GMER 1.0.15 ----

File C:\i386\symndis.sys (size mismatch) 47192/182656 bytes executable
File C:\i386\ndis.sys (size mismatch) 182912/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----



#4 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 June 2010 - 02:55 PM

Hello.

Let's begin with Combofix first.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 pscott
  • Topic Starter
  • Members
  • 15 posts

Posted 03 June 2010 - 07:50 PM

Below is the Combo Fix log.

ComboFix 10-06-03.01 - Cassandra and Meliss 06/03/2010 17:09:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.259 [GMT -4:00]
Running from: c:\documents and settings\Cassandra and Meliss\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1737606864
C:\419.tmp
C:\41C.tmp
C:\41D.tmp
C:\41E.tmp
c:\program files\asks~1
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\racle~1
c:\program files\Common Files\scurit~1
c:\program files\Common Files\ystem~1
c:\program files\Common
c:\program files\crosof~1.net
c:\program files\RcvSystem
c:\windows\appatc~1
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\explorer(2).exe
c:\windows\system32\atmli.dll
c:\windows\system32\ckoolca.dll
c:\windows\system32\drivers\klvsffpi.sys
c:\windows\system32\drivers\urbqhvfe.sys
c:\windows\system32\mhsyqjs.dll
c:\windows\system32\scurit~1
c:\windows\system32\uniq.tll
c:\windows\system32\ycxhffzm.dll
c:\windows\Tasks\At1.job
C:\xcrashdump.dat

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_lich
-------\Legacy_MSUPDATE
-------\Legacy_pcmstub
-------\Legacy_URBQHVFE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_urbqhvfe


((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-05-28 14:01 . 2010-05-28 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 16:22 . 2010-05-21 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\Malwarebytes
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-06 18:35 . 2010-05-06 18:37 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:11 . 2005-12-08 21:43 56 --sh--r- c:\windows\system32\640B3FA46B.sys
2009-01-06 16:11 . 2005-12-08 21:43 1786 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"delltransferagent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dell wireless manager ui"="c:\windows\system32\WLTRAY" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-04 98304]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-04 26112]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"syntplpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"syntpenh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"pronomgrwired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"groovemonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe [2006-8-15 1523712]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-3 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 16:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2010 12:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2010 12:27 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/21/2010 12:25 PM 308064]
S0 irkb;irkb;c:\windows\system32\drivers\ouqcbvtk.sys --> c:\windows\system32\drivers\ouqcbvtk.sys [?]
S1 158f027f;158f027f;c:\windows\system32\drivers\158f027f.sys --> c:\windows\system32\drivers\158f027f.sys [?]
S1 400fb0a3;400fb0a3;c:\windows\system32\drivers\400fb0a3.sys --> c:\windows\system32\drivers\400fb0a3.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zohcxaqa
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/login.php
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://maxsun.biz/in.cgi?9&key=ashley+tisdale+interviews
IE: e&xport to microsoft excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ysearchprotection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x82D7B4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8571f28
\Driver\ACPI -> ACPI.sys @ 0xf83f4cb8
\Driver\atapi -> atapi.sys @ 0xf838e852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: Dell Wireless 1370 WLAN Mini-PCI Card -> SendCompleteHandler -> NDIS.sys @ 0x82d27bb0
PacketIndicateHandler -> NDIS.sys @ 0x82d34a21
SendHandler -> NDIS.sys @ 0x82d1287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1388)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\logon.scr
c:\windows\SoftwareDistribution\Download\65e6ace83d06517bf50827abf6f9a13e\update\update.exe
.
**************************************************************************
.
Completion time: 2010-06-03 18:15:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 22:14

Pre-Run: 43,171,557,376 bytes free
Post-Run: 43,823,206,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0393150D3C993D5FA64B1866637804F0
Attached File: Combo_Fix_log.txt (10.58KB)

#6 pscott
  • Topic Starter
  • Members
  • 15 posts

Posted 04 June 2010 - 08:07 PM


I think that it's fixed now, thanks so much!

#7 pscott
  • Topic Starter
  • Members
  • 15 posts

Posted 04 June 2010 - 08:41 PM

OK, never mind. I had used my computer all day and it didn't give a bit of trouble until I posted that it was fixed... that's when a blue screen came up and it said I would have to restart my computer because a device was not plugged in properly.
Sorry

#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 June 2010 - 09:11 PM

Hello.

No, not done yet. Please stick with me until the end; when I give you the all-clear that you are clean, then we are done. For now, please follow the instructions and avoid doing too much that could cause changes to the machine. Any problems, let me know.

It's looking better, but a main driver is infected and needs to be replaced. We need to check a few things here.

First...

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

    SrPeek::
    C:\Windows\system32\drivers\ndis.sys

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select "Run as administrator".)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":

    :filefind
    ndis.*

  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Edited by extremeboy, 05 June 2010 - 09:46 PM.
Update

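The GMER "Files" section posted earlier lists every copy of ndis.sys with its actual and declared size, and the SystemLook step above enumerates the same copies so the helper can pick one to compare against the infected driver. As an added example (not code from this thread, from GMER or from SystemLook), the following Python script parses those GMER lines and flags the copies that are far larger than the mutually consistent backup copies; the sample input is copied from the GMER log in this thread, and the 4096-byte tolerance is an assumption.

```python
"""Rank the copies of a driver listed in a GMER 'Files' section.

GMER prints one line per executable whose on-disk size disagrees with the
size declared in its PE header:

    File <path> (size mismatch) <actual>/<expected> bytes executable

Windows keeps several copies of a core driver (system32\\drivers, dllcache,
i386, $NtServicePackUninstall$).  When one copy is tens of kilobytes larger
than the others, that copy is the one to suspect of having been patched,
and the smaller, mutually consistent copies are the ones to compare it to.
"""
import re
from collections import defaultdict

# One GMER file line, e.g.
# File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 213120/182656 bytes executable
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+\(size mismatch\)\s+"
    r"(?P<actual>\d+)/(?P<expected>\d+)\s+bytes"
)

# Sample input: the five lines from the GMER log posted in this thread,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
---- Files - GMER 1.0.15 ----

File C:\i386\symndis.sys (size mismatch) 47192/182656 bytes executable
File C:\i386\ndis.sys (size mismatch) 182912/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----
"""


def parse_size_mismatches(log_text):
    """Return [(path, actual_size, expected_size), ...] for every mismatch line."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"),
                            int(m.group("actual")),
                            int(m.group("expected"))))
    return entries


def group_by_basename(entries):
    """Group entries by lower-cased file name so every copy of ndis.sys lands together."""
    groups = defaultdict(list)
    for path, actual, expected in entries:
        groups[path.rsplit("\\", 1)[-1].lower()].append((path, actual, expected))
    return dict(groups)


def assess_driver_copies(entries, tolerance=4096):
    """For each file name, take the copy whose actual size is closest to the
    declared size as the baseline, then flag copies that exceed that baseline
    by more than `tolerance` bytes (an assumed slack for legitimate version
    differences).  A name with a single copy has nothing to compare against,
    so its suspect list stays empty."""
    report = {}
    for name, copies in group_by_basename(entries).items():
        baseline_path, baseline_size, _ = min(copies, key=lambda c: abs(c[1] - c[2]))
        suspects = [p for p, a, _ in copies if a - baseline_size > tolerance]
        candidates = [p for p, a, _ in copies if abs(a - baseline_size) <= tolerance]
        report[name] = {
            "baseline": baseline_path,
            "baseline_size": baseline_size,
            "suspects": suspects,       # copies to treat as possibly patched
            "candidates": candidates,   # copies consistent with the baseline
        }
    return report


def summarize(log_text, tolerance=4096):
    """Human-readable summary of the assessment for a whole GMER log."""
    lines = []
    report = assess_driver_copies(parse_size_mismatches(log_text), tolerance)
    for name, info in sorted(report.items()):
        lines.append(f"{name}: baseline {info['baseline']} ({info['baseline_size']} bytes)")
        for p in info["suspects"]:
            lines.append(f"  SUSPECT    {p}")
        for p in info["candidates"]:
            lines.append(f"  consistent {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the log above, both the in-use driver and its dllcache copy come out as suspects, which matches ComboFix's "ndis.sys . . . is infected!!" verdict, while the i386 and $NtServicePackUninstall$ copies agree with each other.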

#9 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 June 2010 - 09:46 PM

Hi again,

I just edited my instructions and information; please follow them again if you have already done so. If not, even better: please follow the instructions in my previous post. Thanks.

Sorry about that.


#10 pscott
  • Topic Starter
  • Members
  • 15 posts

Posted 06 June 2010 - 10:56 PM


Below is the Combo fix log as well as the systemlook log. Thanks.



ComboFix 10-06-03.01 - Cassandra and Meliss 06/03/2010 17:09:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.259 [GMT -4:00]
Running from: c:\documents and settings\Cassandra and Meliss\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1737606864
C:\419.tmp
C:\41C.tmp
C:\41D.tmp
C:\41E.tmp
c:\program files\asks~1
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\racle~1
c:\program files\Common Files\scurit~1
c:\program files\Common Files\ystem~1
c:\program files\Common
c:\program files\crosof~1.net
c:\program files\RcvSystem
c:\windows\appatc~1
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\explorer(2).exe
c:\windows\system32\atmli.dll
c:\windows\system32\ckoolca.dll
c:\windows\system32\drivers\klvsffpi.sys
c:\windows\system32\drivers\urbqhvfe.sys
c:\windows\system32\mhsyqjs.dll
c:\windows\system32\scurit~1
c:\windows\system32\uniq.tll
c:\windows\system32\ycxhffzm.dll
c:\windows\Tasks\At1.job
C:\xcrashdump.dat

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_lich
-------\Legacy_MSUPDATE
-------\Legacy_pcmstub
-------\Legacy_URBQHVFE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_urbqhvfe


((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-05-28 14:01 . 2010-05-28 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 16:22 . 2010-05-21 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\Malwarebytes
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-06 18:35 . 2010-05-06 18:37 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:11 . 2005-12-08 21:43 56 --sh--r- c:\windows\system32\640B3FA46B.sys
2009-01-06 16:11 . 2005-12-08 21:43 1786 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"delltransferagent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dell wireless manager ui"="c:\windows\system32\WLTRAY" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-04 98304]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-04 26112]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"syntplpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"syntpenh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"pronomgrwired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"groovemonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe [2006-8-15 1523712]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-3 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 16:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2010 12:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2010 12:27 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/21/2010 12:25 PM 308064]
S0 irkb;irkb;c:\windows\system32\drivers\ouqcbvtk.sys --> c:\windows\system32\drivers\ouqcbvtk.sys [?]
S1 158f027f;158f027f;c:\windows\system32\drivers\158f027f.sys --> c:\windows\system32\drivers\158f027f.sys [?]
S1 400fb0a3;400fb0a3;c:\windows\system32\drivers\400fb0a3.sys --> c:\windows\system32\drivers\400fb0a3.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zohcxaqa
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/login.php
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://maxsun.biz/in.cgi?9&key=ashley+tisdale+interviews
IE: e&xport to microsoft excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ysearchprotection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x82D7B4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8571f28
\Driver\ACPI -> ACPI.sys @ 0xf83f4cb8
\Driver\atapi -> atapi.sys @ 0xf838e852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: Dell Wireless 1370 WLAN Mini-PCI Card -> SendCompleteHandler -> NDIS.sys @ 0x82d27bb0
PacketIndicateHandler -> NDIS.sys @ 0x82d34a21
SendHandler -> NDIS.sys @ 0x82d1287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1388)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\logon.scr
c:\windows\SoftwareDistribution\Download\65e6ace83d06517bf50827abf6f9a13e\update\update.exe
.
**************************************************************************
.
Completion time: 2010-06-03 18:15:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 22:14

Pre-Run: 43,171,557,376 bytes free
Post-Run: 43,823,206,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0393150D3C993D5FA64B1866637804F0




#11 pscott (Topic Starter, Members, 15 posts)

Posted 06 June 2010 - 11:02 PM


Just in case I didn't paste the SystemLook file on the previous post, it's below.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:51 on 06/06/2010 by Cassandra and Meliss (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.*"
C:\i386\ndis.sys --a--- 182912 bytes [01:30 17/08/2005] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir --a--- 213120 bytes [17:51 10/08/2004] [11:14 20/04/2009] 5DE5E1B16E2A2EADA03ECE536EE8D721
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c 182912 bytes [23:37 19/02/2009] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [03:36 07/06/2010] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [14:41 05/12/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\dllcache\ndis.sys --a--- 182656 bytes [17:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [17:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D

-=End Of File=-

#12 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 June 2010 - 07:52 PM

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start > Run > "notepad") and copy/paste the text in the quotebox below into it:

        FCopy::
        C:\WINDOWS\ServicePackFiles\i386\ndis.sys | C:\WINDOWS\system32\drivers\ndis.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

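As an added example (not code from the thread, nor from SystemLook or ComboFix), the check the helper made by eye on the SystemLook "filefind" output in #11 and then acted on with the FCopy line in #12 can be scripted: parse the filefind lines, treat the copies under the Windows servicing directories as reference material, hash-compare every other copy against them, and pick the newest reference build as the restore source. The seven sample lines are the ones from the log above; the directory roles, function names and report layout are this example's own assumptions.

```python
"""Cross-check copies of a Windows system file against the servicing store.

Added example, not from this thread or from SystemLook/ComboFix.  It re-does
by script the comparison the helper made by eye on the SystemLook "filefind"
output above, and picks the restore source the CFScript uses.  The sample
lines are the ones posted in the thread; the directory roles below are this
example's own assumption about which copies count as trustworthy references.
"""
import re
from datetime import datetime

# Sample input: the seven "ndis.*" lines from the SystemLook log above.
SYSTEMLOOK_SAMPLE = r"""
C:\i386\ndis.sys --a--- 182912 bytes [01:30 17/08/2005] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ndis.sys.vir --a--- 213120 bytes [17:51 10/08/2004] [11:14 20/04/2009] 5DE5E1B16E2A2EADA03ECE536EE8D721
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c 182912 bytes [23:37 19/02/2009] [10:00 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [03:36 07/06/2010] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [14:41 05/12/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\dllcache\ndis.sys --a--- 182656 bytes [17:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [17:51 10/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
"""

# One filefind line: path, six attribute flags, size, [created] [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TIME_FMT = "%H:%M %d/%m/%Y"   # SystemLook prints day/month/year


def classify(path):
    """Role of a copy by where it lives.  Assumption: the reference directories
    are written only by Windows setup/servicing, so they hold known builds."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:            # ComboFix quarantine (.vir)
        return "quarantine"
    if ("\\servicepackfiles\\i386\\" in p or "\\system32\\dllcache\\" in p
            or "\\$ntservicepackuninstall$\\" in p or p.startswith("c:\\i386\\")):
        return "reference"
    if "\\system32\\drivers\\" in p:              # the copy the kernel actually loads
        return "live"
    if "\\erdnt\\" in p:                          # ERUNT/ComboFix backup copy
        return "backup"
    return "other"


def parse_filefind(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m["path"],
            "role": classify(m["path"]),
            "size": int(m["size"]),
            "modified": datetime.strptime(m["modified"], TIME_FMT),
            "md5": m["md5"].upper(),
        })
    return records


def audit(records):
    """Compare every non-reference copy against the hashes of the reference copies."""
    reference_hashes = {}
    for r in records:
        if r["role"] == "reference":
            reference_hashes.setdefault(r["md5"], []).append(r["path"])
    live = [r for r in records if r["role"] == "live"]
    live_ok = bool(live) and all(r["md5"] in reference_hashes for r in live)
    # A hash no reference copy shares is a build Windows setup never put on this box.
    foreign = [(r["path"], r["md5"], r["size"]) for r in records
               if r["role"] != "reference" and r["md5"] not in reference_hashes]
    return {"live_ok": live_ok, "reference_hashes": reference_hashes, "foreign": foreign}


def newest_reference(records):
    """Reference copies with the latest modified time: the service-pack build a
    restore (such as the CFScript's FCopy) should be taken from."""
    refs = [r for r in records if r["role"] == "reference"]
    if not refs:
        return []
    newest = max(r["modified"] for r in refs)
    return sorted(r["path"] for r in refs if r["modified"] == newest)


if __name__ == "__main__":
    recs = parse_filefind(SYSTEMLOOK_SAMPLE)
    report = audit(recs)
    print("live copy matches a reference build:", report["live_ok"])
    for path, md5, size in report["foreign"]:
        print(f"FOREIGN  {md5}  {size:>7} bytes  {path}")
    print("restore from:", *newest_reference(recs), sep="\n  ")
```

On this input the live driver already matches the SP3 build held in dllcache and ServicePackFiles, the quarantined .vir (213120 bytes, with a hash no reference copy shares) is the only foreign copy, and the newest reference set is the ServicePackFiles\i386 copy the CFScript restores from, plus the identical dllcache copy. Hash agreement with the servicing store is the check worth keeping; file size alone would also have separated the 213120-byte build from the 182656-byte one, but a patched driver need not change size.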
#13 pscott (Topic Starter, Members, 15 posts)

Posted 07 June 2010 - 09:43 PM

The latest ComboFix (6-7-10).

ComboFix 10-06-06.01 - Cassandra and Meliss 06/07/2010 22:17:27.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.196 [GMT -4:00]
Running from: c:\documents and settings\Cassandra and Meliss\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cassandra and Meliss\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-05 03:39 . 2010-06-05 03:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-05 00:45 . 2010-06-05 00:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-05 00:40 . 2010-06-05 00:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-04 20:38 . 2010-06-04 20:42 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Local Settings\Application Data\Temp
2010-06-04 20:38 . 2010-06-05 00:43 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Local Settings\Application Data\Google
2010-06-04 15:41 . 2010-06-04 15:41 -------- d-sh--w- c:\documents and settings\Cassandra and Meliss\PrivacIE
2010-06-04 15:32 . 2010-06-04 15:32 -------- d-sh--w- c:\documents and settings\Cassandra and Meliss\IETldCache
2010-06-04 15:01 . 2010-04-16 11:43 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-06-04 14:59 . 2010-06-04 14:59 -------- d-----w- c:\windows\ie8updates
2010-06-04 14:56 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-04 14:56 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-04 14:50 . 2010-06-04 14:52 -------- dc-h--w- c:\windows\ie8
2010-06-04 01:32 . 2010-06-04 01:32 -------- d-----w- c:\program files\MSXML 4.0
2010-06-03 23:00 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-06-03 23:00 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-05-28 14:01 . 2010-05-28 16:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 14:01 . 2010-05-28 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-28 13:33 . 2010-05-28 13:33 -------- d-----w- c:\program files\Trend Micro
2010-05-24 01:45 . 2008-04-13 22:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-24 01:45 . 2008-04-13 22:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-21 16:56 . 2010-05-21 16:56 -------- d-----w- C:\$AVG
2010-05-21 16:27 . 2010-05-21 16:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 16:27 . 2010-06-03 20:43 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 16:27 . 2010-05-21 16:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 16:27 . 2010-06-03 20:43 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 16:26 . 2010-06-08 02:07 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-21 16:23 . 2010-05-21 16:23 -------- d-----w- c:\program files\AVG
2010-05-21 16:22 . 2010-05-21 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\Malwarebytes
2010-05-18 16:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 16:32 . 2010-05-18 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-18 16:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 16:01 . 2008-04-13 18:57 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-18 16:01 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-05-18 16:01 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\dllcache\aec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 00:39 . 2006-02-15 05:33 -------- d-----w- c:\program files\Google
2010-06-04 14:18 . 2009-01-07 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-04 13:56 . 2009-01-07 01:43 -------- d-----w- c:\program files\Microsoft Works
2010-06-03 20:44 . 2010-06-03 20:44 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-03 20:44 . 2010-06-03 20:44 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-01 00:30 . 2005-08-04 03:28 -------- d-----w- c:\program files\Java
2010-05-28 13:33 . 2010-05-28 13:33 388096 ----a-r- c:\documents and settings\Cassandra and Meliss\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-28 02:33 . 2009-04-04 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-05-28 01:36 . 2005-08-04 03:39 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-26 05:19 . 2010-05-26 05:19 503808 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e31d861-n\msvcp71.dll
2010-05-26 05:19 . 2010-05-26 05:19 499712 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e31d861-n\jmc.dll
2010-05-26 05:19 . 2010-05-26 05:19 348160 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7e31d861-n\msvcr71.dll
2010-05-26 05:19 . 2010-05-26 05:19 12800 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3127afbd-n\decora-d3d.dll
2010-05-26 05:19 . 2010-05-26 05:19 61440 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3127afbd-n\decora-sse.dll
2010-05-19 13:56 . 2005-08-04 03:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-19 13:55 . 2005-08-04 03:32 -------- d-----w- c:\program files\MUSICMATCH
2010-05-06 18:37 . 2010-05-06 18:35 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\HpUpdate
2010-05-06 18:36 . 2009-04-04 17:31 -------- d-----w- c:\program files\HP
2010-05-04 19:01 . 2005-08-18 20:39 -------- d-----w- c:\program files\Yahoo!
2010-05-04 19:01 . 2007-11-02 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-04 19:00 . 2009-06-12 18:28 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\Yahoo!
2010-05-04 18:41 . 2009-06-13 06:37 94768 ----a-w- c:\documents and settings\Cassandra and Meliss\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 17:23 . 2005-08-04 03:38 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-04 14:00 . 2010-05-04 14:00 61440 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-16392324-n\decora-sse.dll
2010-05-04 14:00 . 2010-05-04 14:00 503808 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34efc016-n\msvcp71.dll
2010-05-04 14:00 . 2010-05-04 14:00 499712 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34efc016-n\jmc.dll
2010-05-04 14:00 . 2010-05-04 14:00 12800 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-16392324-n\decora-d3d.dll
2010-05-04 14:00 . 2010-05-04 14:00 348160 ----a-w- c:\documents and settings\Cassandra and Meliss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34efc016-n\msvcr71.dll
2010-05-04 14:00 . 2005-08-04 03:28 -------- d-----w- c:\program files\Common Files\Java
2010-05-04 13:30 . 2010-05-04 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-29 16:18 . 2010-04-29 16:18 -------- d-----w- c:\documents and settings\Cassandra and Meliss\Application Data\AdobeUM
2010-04-29 15:15 . 2010-04-29 15:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-12 22:29 . 2010-05-04 13:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-01-06 16:11 . 2005-12-08 21:43 56 --sh--r- c:\windows\system32\640B3FA46B.sys
2009-01-06 16:11 . 2005-12-08 21:43 1786 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2002-08-29 . E931E0A2B8BF0019DB902E98D03662CB . 22016 . . [5.1.2600.1106] . . c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-05 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dell wireless manager ui"="c:\windows\system32\WLTRAY" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-04 98304]
"realtray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-04 26112]
"dvdlauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"syntplpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"syntpenh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"pronomgrwired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"groovemonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe [2006-8-15 1523712]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-3 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 16:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2010 12:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2010 12:27 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/21/2010 12:25 PM 308064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/6/2009 6:44 PM 24652]
S0 irkb;irkb;c:\windows\system32\drivers\ouqcbvtk.sys --> c:\windows\system32\drivers\ouqcbvtk.sys [?]
S1 158f027f;158f027f;c:\windows\system32\drivers\158f027f.sys --> c:\windows\system32\drivers\158f027f.sys [?]
S1 400fb0a3;400fb0a3;c:\windows\system32\drivers\400fb0a3.sys --> c:\windows\system32\drivers\400fb0a3.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2010 8:39 PM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zohcxaqa
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-05 00:39]

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-05 00:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/?wa=wsignin1.0
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://maxsun.biz/in.cgi?9&key=ashley+tisdale+interviews
IE: e&xport to microsoft excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 22:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1844)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-07 22:39:35
ComboFix-quarantined-files.txt 2010-06-08 02:39
ComboFix2.txt 2010-06-07 03:41
ComboFix3.txt 2010-06-03 22:15

Pre-Run: 41,959,104,512 bytes free
Post-Run: 41,916,252,160 bytes free

- - End Of File - - C9FEF0958B3C667AF1D6566D70CD8160


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 June 2010 - 10:17 PM

Looking better.

There is still some work that needs to be done, however. Could you run GMER once more, please, and post the log.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#15 pscott

pscott
  • Topic Starter

  • Members
  • 15 posts

Posted 10 June 2010 - 06:27 AM

Attached file: ark.text.log (10.98KB). GMER log below:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-10 07:20:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CASSAN~1\LOCALS~1\Temp\pwdoapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[616] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[4028] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A815DD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\DTSTransform\1033@DTSTransformDescription Write File
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{10010100-740B-11D0-AE7B-00AA004A34D5}@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\dtspump.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ DTSPump.DataPumpTransformWriteFile.2.0
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ DTSPump.DataPumpTransformWriteFile
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SQLDMO.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ SQLDMO.DistributionArticle.8.0
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\VersionIndependentProgID@ SQLDMO.DistributionArticle

---- EOF - GMER 1.0.15 ----