
Help!


  • This topic is locked
33 replies to this topic

#1 StephenK

StephenK

  • Members
  • 18 posts

Posted 26 July 2010 - 07:48 PM

Hi. Thank you for taking the time to view this. Over the past week or so, I've been dealing with removing malware from my computer. Just recently it's gotten much more annoying, however. When I first log on to my computer, by looking at Task Manager, I can see that my CPU usage is already at 100%, and it remains at that for usually at least 20 minutes, and after that it will drop to around 30-50%, without me doing anything. The thing that worries me, though, is that Task Manager doesn't show what program, or programs, are sucking up all of my CPU. All of the programs say "00". Just about every day for the last week or so, like I said, I've run scans with MBAM and found infected objects every time. I don't know what to do! Oh, and one more thing: when I make a search on Google, clicking on a link will redirect me to a site that had nothing to do with what I was trying to access. But this only happens sometimes. Here are my logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by StephenK at 19:30:38.65 on Mon 07/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.614 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
svchost.exe 4
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\StephenK\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
mWinlogon: UIHost=%windir%\resources\logon\logonui.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: Antiwpa - wpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stephenk\applic~1\mozilla\firefox\profiles\n38v97w0.default\
FF - component: c:\documents and settings\stephenk\application data\mozilla\firefox\profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\stephenk\application data\mozilla\firefox\profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\RadioWMPCore.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: XULRunner: {0A181BA9-5046-4FAA-95C2-B558CB4CB523} - c:\documents and settings\stephenk\local settings\application data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]

=============== Created Last 30 ================

2010-07-22 23:58:50 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-22 23:57:16 0 d-----r- c:\program files\Skype
2010-07-21 18:05:12 0 d-----w- c:\windows\pss
2010-07-20 01:51:23 0 d-----w- c:\docume~1\stephenk\applic~1\Malwarebytes
2010-07-20 01:36:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 01:36:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 01:36:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 01:36:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-20 01:32:47 0 ----a-w- c:\windows\Etabesuxit.bin
2010-07-20 01:32:46 120 ----a-w- c:\windows\Dmiqejadazayuj.dat
2010-07-20 01:32:37 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-20 01:32:37 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-20 01:32:20 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-20 01:32:20 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-20 01:31:45 0 d-----w- C:\spoolerlogs
2010-07-20 01:31:42 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-20 01:31:42 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-20 01:31:28 150 ----a-w- C:\zrpt.xml
2010-07-20 01:30:17 0 d-----w- c:\docume~1\stephenk\applic~1\B4C5F43DF4EED90E73FD369A568057A2

==================== Find3M ====================

2010-07-23 23:36:29 99 ----a-w- c:\documents and settings\stephenk\jagex_runescape_preferences2.dat
2010-07-23 23:35:18 46 ----a-w- c:\documents and settings\stephenk\jagex_runescape_preferences.dat
2010-06-22 23:40:13 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-06-22 23:40:13 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-06-22 23:40:13 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 19:36:17.84 ===============


------------------------------------------------------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-26 20:48:12
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\StephenK\LOCALS~1\Temp\fwldypoc.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF7775AC8]
SSDT sptd.sys ZwEnumerateKey [0xF7775C22]
SSDT sptd.sys ZwEnumerateValueKey [0xF7775F9A]
SSDT sptd.sys ZwOpenKey [0xF777598E]
SSDT sptd.sys ZwQueryKey [0xF7776064]
SSDT sptd.sys ZwQueryValueKey [0xF7775EFC]
SSDT sptd.sys ZwSetValueKey [0xF77760EC]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD6701.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F5EEF4F0 16 Bytes JMP 64D0B014
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F5EEF501 3 Bytes [E0, EE, F5] {LOOPNZ 0xfffffffffffffff0; CMC }
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 15 F5EEF505 27 Bytes [93, D0, 6D, 30, 85, 7A, 86, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[352] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[352] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[352] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\SearchIndexer.exe[1256] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1528] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[1528] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011B000C
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[2360] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867C90E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867CAA40
Device \Driver\dmio \Device\DmControl\DmConfig 867CAA40
Device \Driver\dmio \Device\DmControl\DmPnP 867CAA40
Device \Driver\dmio \Device\DmControl\DmInfo 867CAA40
Device \Driver\Ftdisk \Device\HarddiskVolume1 867CAC78
Device \Driver\Cdrom \Device\CdRom0 865100E8
Device \FileSystem\Rdbss \Device\FsWrap 864AE280
Device \Driver\atapi \Device\Ide\IdePort0 [F76A7B40] atapi.sys[unknown section] {MOV EAX, 0x867ca728; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7785e12; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F76A7B40] atapi.sys[unknown section] {MOV EAX, 0x867ca728; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7785e12; RET }
Device \Driver\NetBT \Device\NetBt_Wins_Export 8633F0E8
Device \Driver\00000043 \Device\0000004b sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb 8633F0E8
Device \Driver\Disk \Device\Harddisk0\DR0 867CA550
Device \Driver\NetBT \Device\NetBT_Tcpip_{48F7B7A2-5537-4722-9E50-5F9E04D0DE32} 8633F0E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8650D0E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8650D0E8
Device \FileSystem\Npfs \Device\NamedPipe 8636B0E8
Device \Driver\Ftdisk \Device\FtControl 867CAC78
Device \FileSystem\Msfs \Device\Mailslot 863080E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{86E346BD-7C57-438E-B069-5B84B4B081AE} 8633F0E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 862C00E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 862C00E8
Device \FileSystem\Cdfs \Cdfs 863631E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 401507498
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 712030302
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -822959219
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x10 0xEB 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0x95 0x8B 0x4B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x00 0xA3 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xF6 0x69 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x94 0xF6 0x69 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x20 0x10 0xEB 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0x95 0x8B 0x4B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x00 0xA3 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xF6 0x69 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x94 0xF6 0x69 0xA7 ...

---- EOF - GMER 1.0.15 ----
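As an added triage example for this thread (an editor's example, not code from BleepingComputer or from the authors of DDS or GMER), the script below reads a handful of the DDS and GMER lines posted above and flags the two things a helper would look at first: the Internet Explorer ProxyServer entry pointing at 127.0.0.1:5643, and the same ntdll hooks that GMER could not map to any module appearing in Explorer, svchost and Firefox. The severity thresholds and the treatment of sptd.sys as expected (DAEMON Tools) are this example's own assumptions.

```python
"""Triage a few DDS 'Pseudo HJT Report' lines and GMER hook lines.
Editor's example for this thread, not a tool from BleepingComputer or the authors
of DDS/GMER.  Sample text is copied from the logs above; severity rules are my own.
"""
import re
from dataclasses import dataclass

# Constructed sample: DDS lines from the first post.
DDS_SAMPLE = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
"""

# Constructed sample: GMER lines from the same post.  Only the SearchIndexer hook
# names the module that owns the jump target.
GMER_SAMPLE = r"""
SSDT sptd.sys ZwCreateKey [0xF7775AC8]
SSDT sptd.sys ZwOpenKey [0xF777598E]
.text C:\WINDOWS\Explorer.EXE[352] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[352] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\SearchIndexer.exe[1256] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011C000A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[2360] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\S+)\s+\[0x[0-9A-Fa-f]+\]$")
# ".text <process>[pid] <module!function> [+ offset] <address> <n> Byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+!\S+)(?:\s+\+\s+\d+)?"
    r"\s+[0-9A-Fa-f]+\s+\d+\s+Bytes?\s+(?P<patch>.*)$"
)
# GMER appends the owning module's path after the JMP target when it can map it.
JMP_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]+(?P<owner>\s+\S.*)?$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def parse_dds(text):
    """Flag an Internet Explorer proxy that routes traffic through the local host."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        hostport = m.group("value").strip().split("=", 1)[-1]  # drop "http=" prefix
        host, _, port = hostport.rpartition(":")
        if host.lower() in ("127.0.0.1", "localhost"):
            # DDS does not print ProxyEnable; the entry may be inactive but still needs an owner.
            findings.append(Finding("high", f"IE ProxyServer points at a loopback "
                                    f"listener ({hostport}); find the process on port {port}"))
        else:
            findings.append(Finding("info", f"IE ProxyServer configured: {hostport}"))
    return findings


def parse_gmer(text):
    """Classify SSDT hooks and user-mode inline hooks reported by GMER."""
    findings = []
    unattributed = {}  # hooked function -> processes whose JMP target has no module
    for line in text.splitlines():
        line = line.strip()
        s = SSDT_RE.match(line)
        if s:
            # SPTD ships with DAEMON Tools (the log's sptd Cfg key points there).
            known = s.group("module").lower() == "sptd.sys"
            findings.append(Finding("info" if known else "medium",
                                    f"SSDT {s.group('func')} hooked by {s.group('module')}"))
            continue
        h = HOOK_RE.match(line)
        if not h:
            continue
        proc = h.group("proc").rsplit("\\", 1)[-1]  # "Explorer.EXE[352]"
        func, patch = h.group("func"), h.group("patch")
        j = JMP_RE.match(patch)
        if j is None:  # byte patch without a jump, e.g. "xor eax, eax; ret 4"
            findings.append(Finding("info", f"{proc}: {func} patched inline ({patch})"))
        elif j.group("owner"):
            findings.append(Finding("info", f"{proc}: {func} hooked by {j.group('owner').strip()}"))
        else:
            unattributed.setdefault(func, set()).add(proc)
    # The same unmapped hook in several unrelated processes points at injected code.
    for func, procs in sorted(unattributed.items()):
        findings.append(Finding("high" if len(procs) > 1 else "medium",
                                f"{func} jumps to unmapped memory in {len(procs)} "
                                f"process(es): {', '.join(sorted(procs))}"))
    return findings


if __name__ == "__main__":
    for f in parse_dds(DDS_SAMPLE) + parse_gmer(GMER_SAMPLE):
        print(f"[{f.severity:6}] {f.detail}")
```

DDS does not report whether the proxy is switched on, so the loopback finding should be cross-checked against the OTL log later in this thread, which shows ProxyEnable = 0 for the same user; the entry is flagged for explanation, not assumed to be active.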

#2 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts

Posted 27 July 2010 - 03:11 PM

Bump.

EDIT: Please be patient. There are over 440 unanswered topics in this forum at present and the current average wait time to receive help is 7 days. ~BP

Edited by Budapest, 27 July 2010 - 04:56 PM.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 05 August 2010 - 05:43 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#4 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts

Posted 05 August 2010 - 04:41 PM

Hi, Elise. So you asked for a detailed description of my problems? Basically, the other day I did another MBAM scan and found some infections, removed them, and I'm no longer getting Internet Explorer popups. However, I am still getting redirects when I do Google searches, as well as Firefox popups in new tabs. But those don't occur very often. Other than that, I haven't really noticed anything other than svchost.exe sucking up a lot of memory/CPU usage. I don't know what to do about that.

Here are the logs you requested:

OTL

OTL logfile created on: 8/5/2010 3:59:52 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\StephenK\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 29.22 Gb Free Space | 39.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 468.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEPHEN
Current User Name: StephenK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/05 15:59:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\StephenK\My Documents\Downloads\OTL.exe
PRC - [2010/07/21 14:03:02 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/29 12:47:35 | 007,704,216 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\Wow.exe
PRC - [2010/06/14 10:31:20 | 000,744,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 08:00:00 | 000,769,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe


========== Modules (SafeList) ==========

MOD - [2010/08/05 15:59:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\StephenK\My Documents\Downloads\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/02/01 19:25:55 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2010/01/20 23:24:09 | 000,223,128 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi)
DRV - [2010/01/20 23:22:22 | 000,664,064 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/11/08 23:21:18 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/03/25 07:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/14 08:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2008/04/14 00:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/05/22 05:04:54 | 000,018,088 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys -- (atitray)
DRV - [2006/11/01 08:55:48 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/06 07:12:34 | 000,006,784 | ---- | M] (Micro Innovations) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2006/07/01 23:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/12/01 23:49:00 | 001,412,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/08/22 17:07:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/08/22 16:06:14 | 000,231,424 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/08/22 16:06:10 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/01 19:00:00 | 000,349,312 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/08/01 18:58:00 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {6c2c8df7-18c9-433f-9359-29c00d3577e0}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.736
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {0A181BA9-5046-4FAA-95C2-B558CB4CB523}:1.9.1


FF - HKLM\software\mozilla\Firefox\Extensions\\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}: C:\Documents and Settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523} [2010/07/19 21:32:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/21 14:03:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/04 23:32:54 | 000,000,000 | ---D | M]

[2010/01/17 11:33:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\StephenK\Application Data\Mozilla\Extensions
[2010/08/03 18:44:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions
[2010/06/24 18:29:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/20 03:06:43 | 000,000,000 | ---D | M] (Hutch's Super Fantastic T00Lbar Toolbar) -- C:\Documents and Settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}
[2010/08/04 12:49:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 19:57:46 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/08/04 12:49:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/20 06:14:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/08/04 12:49:14 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/02/01 19:32:22 | 000,001,216 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe (DT Soft Ltd.)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\StephenK\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-2139871995-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (%windir%\resources\logon\logonui.exe) - C:\WINDOWS\Resources\Logon\logonUI.exe (Microsoft Corporation)
O20 - Winlogon\Notify\Antiwpa: DllName - wpa.dll - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\StephenK\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\StephenK\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/17 14:18:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1997/08/26 14:11:32 | 000,000,000 | R--D | M] - F:\AUTORUN -- [ UDF ]
O32 - AutoRun File - [1997/08/27 09:15:54 | 000,000,056 | R--- | M] () - F:\AUTORUN.INF -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/04 18:34:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\StephenK\Recent
[2010/08/04 12:49:29 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 12:49:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 12:49:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 12:49:29 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/04 12:49:09 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/08/03 03:25:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/08/03 03:25:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/07/29 21:00:45 | 000,289,280 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
[2010/07/29 21:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\WINDOWS
[2010/07/29 17:28:41 | 000,000,000 | ---D | C] -- C:\MECC
[2010/07/29 15:52:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Local Settings\Application Data\Yahoo
[2010/07/29 15:21:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Application Data\Yahoo!
[2010/07/29 15:16:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2010/07/29 15:15:00 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/07/28 02:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/28 02:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/28 02:27:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/27 16:32:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/27 16:32:34 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/22 19:58:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Application Data\skypePM
[2010/07/22 19:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Application Data\Skype
[2010/07/22 19:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/07/22 19:57:16 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/07/22 19:57:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/07/22 01:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/22 01:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/07/21 14:05:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/20 19:00:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/19 21:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Application Data\Malwarebytes
[2010/07/19 21:51:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/19 21:45:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/07/19 21:36:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/19 21:36:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/19 21:36:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/19 21:36:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/19 21:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}
[2010/07/19 21:32:37 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/07/19 21:32:37 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/07/19 21:32:20 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/07/19 21:31:45 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/07/19 21:31:42 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/07/19 21:31:42 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/07/19 21:31:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Local Settings\Application Data\dhkjcleub
[2010/07/19 21:30:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\StephenK\Application Data\B4C5F43DF4EED90E73FD369A568057A2
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/05 14:20:53 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/08/05 03:18:11 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/04 23:33:09 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\StephenK\NTUSER.DAT
[2010/08/04 23:33:09 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\StephenK\ntuser.ini
[2010/08/04 23:33:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/04 23:33:00 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/04 23:32:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/04 14:15:15 | 000,462,736 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/04 14:15:15 | 000,078,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/04 14:15:14 | 000,551,164 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/04 13:48:37 | 000,000,099 | ---- | M] () -- C:\Documents and Settings\StephenK\jagex_runescape_preferences2.dat
[2010/08/04 13:46:11 | 000,000,046 | ---- | M] () -- C:\Documents and Settings\StephenK\jagex_runescape_preferences.dat
[2010/08/04 12:49:13 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/04 12:49:13 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/04 12:49:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/04 12:49:13 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 12:49:13 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/03 20:23:07 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/02 14:09:03 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\StephenK\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/01 19:56:23 | 004,282,278 | -H-- | M] () -- C:\Documents and Settings\StephenK\Local Settings\Application Data\IconCache.db
[2010/07/29 21:18:11 | 000,001,182 | ---- | M] () -- C:\Documents and Settings\StephenK\Desktop\cc_20100729_211755.reg
[2010/07/29 21:16:56 | 000,012,506 | ---- | M] () -- C:\Documents and Settings\StephenK\Desktop\cc_20100729_211643.reg
[2010/07/29 20:53:36 | 491,356,160 | ---- | M] () -- C:\Documents and Settings\StephenK\Desktop\AMAZONtrail.iso
[2010/07/29 18:08:23 | 000,000,473 | ---- | M] () -- C:\WINDOWS\YUKON.INI
[2010/07/29 15:16:35 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2010/07/29 15:16:34 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\StephenK\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/29 13:27:14 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\StephenK\Start Menu\Programs\Startup\CurseClientStartup.ccip
[2010/07/25 23:43:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Etabesuxit.bin
[2010/07/23 13:39:56 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dmiqejadazayuj.dat
[2010/07/22 19:58:50 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/07/22 00:40:56 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/21 14:14:58 | 000,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/21 14:14:58 | 000,000,409 | RHS- | M] () -- C:\boot.ini
[2010/07/21 14:14:58 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/20 04:53:02 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\StephenK\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/19 21:51:20 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\StephenK\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/07/19 21:51:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/19 21:47:38 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\StephenK\Desktop\rkill.com
[2010/07/19 21:31:32 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/29 21:17:58 | 000,001,182 | ---- | C] () -- C:\Documents and Settings\StephenK\Desktop\cc_20100729_211755.reg
[2010/07/29 21:16:49 | 000,012,506 | ---- | C] () -- C:\Documents and Settings\StephenK\Desktop\cc_20100729_211643.reg
[2010/07/29 18:12:00 | 491,356,160 | ---- | C] () -- C:\Documents and Settings\StephenK\Desktop\AMAZONtrail.iso
[2010/07/29 17:29:33 | 000,000,473 | ---- | C] () -- C:\WINDOWS\YUKON.INI
[2010/07/29 15:16:35 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2010/07/29 15:16:34 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\StephenK\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/29 13:27:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\StephenK\Start Menu\Programs\Startup\CurseClientStartup.ccip
[2010/07/22 19:58:50 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/07/22 19:57:21 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/07/19 21:47:37 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\StephenK\Desktop\rkill.com
[2010/07/19 21:36:56 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\StephenK\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/07/19 21:36:56 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/19 21:32:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Etabesuxit.bin
[2010/07/19 21:32:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dmiqejadazayuj.dat
[2010/07/19 21:31:28 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/01/22 13:02:02 | 000,374,272 | ---- | C] () -- C:\WINDOWS\System32\mss32.dll
[2010/01/20 23:24:08 | 000,223,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\dtscsi.sys
[2010/01/20 23:22:22 | 000,664,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/01/20 23:22:22 | 000,096,384 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd6701.sys
[2010/01/20 20:50:11 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/17 12:33:49 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2010/01/17 12:33:49 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2010/01/17 12:33:49 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2010/01/17 12:08:07 | 000,000,218 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/03/03 13:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[1997/12/19 01:03:38 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
< End of report >

------------------------------------------------------------------------------------------------------------------------------------------

OTL Extras logfile created on: 8/5/2010 3:59:52 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\StephenK\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 226.00 Mb Available Physical Memory | 22.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 29.22 Gb Free Space | 39.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 468.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEPHEN
Current User Name: StephenK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1454471165-2139871995-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56746:TCP" = 56746:TCP:*:Enabled:Pando Media Booster
"56746:UDP" = 56746:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"56746:TCP" = 56746:TCP:*:Enabled:Pando Media Booster
"56746:UDP" = 56746:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Sierra\Empire Earth\Empire Earth.exe" = C:\Sierra\Empire Earth\Empire Earth.exe:*:Enabled:Empire Earth -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- File not found
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- File not found
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{14AFE241-FC6E-4FDB-BCA0-7AD6F4974171}" = Adobe Setup
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{92C5DB3D-9D6F-4324-BB11-57825F4C2635}" = DVD Decoder Pak for Windows XP
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1" = WC3Banlist
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_acce07fd2c8fe7f9e3f26243e626578" = Adobe Dreamweaver CS4
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378" = Soft Data Fax Modem with SmartCP
"FrostWire" = FrostWire 4.20.3
"IconForge beta version 7.23_is1" = IconForge beta version 7.23
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OJOsoft Total Video Converter_is1" = OJOsoft Total Video Converter
"PowerISO" = PowerISO
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1454471165-2139871995-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"IconTweaker" = IconTweaker 1.12
"Oregon Trail 5th Edition" = Oregon Trail 5th Edition
"SwiftKit" = SwiftKit
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/5/2010 1:09:37 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/5/2010 1:09:37 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/5/2010 2:32:07 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/5/2010 2:32:07 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/5/2010 2:54:37 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 8/5/2010 2:54:37 PM | Computer Name = STEPHEN | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41D

Edited by StephenK, 05 August 2010 - 05:21 PM.


#5 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts

Posted 05 August 2010 - 05:04 PM

I can't add the rest of the logs. It keeps saying the page was reset when I add a reply, or try to edit my original message.

Edited by StephenK, 05 August 2010 - 05:05 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 06 August 2010 - 02:12 AM

Hello,
No problem, this is quite common for certain types of malware.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts

Posted 06 August 2010 - 01:08 PM

Here's the log you asked for! Looks like we're getting somewhere.

ComboFix 10-08-06.01 - StephenK 08/06/2010 13:48:02.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.742 [GMT -4:00]
Running from: c:\documents and settings\StephenK\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\StephenK\Application Data\B4C5F43DF4EED90E73FD369A568057A2
c:\documents and settings\StephenK\Application Data\B4C5F43DF4EED90E73FD369A568057A2\enemies-names.txt
c:\documents and settings\StephenK\Application Data\B4C5F43DF4EED90E73FD369A568057A2\local.ini
c:\documents and settings\StephenK\Application Data\B4C5F43DF4EED90E73FD369A568057A2\lsrslt.ini
c:\documents and settings\StephenK\Application Data\inst.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUpdater.exe

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-04 16:49 . 2010-08-04 16:49 503808 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-34136045-n\msvcp71.dll
2010-08-04 16:49 . 2010-08-04 16:49 499712 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-34136045-n\jmc.dll
2010-08-04 16:49 . 2010-08-04 16:49 348160 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-34136045-n\msvcr71.dll
2010-08-04 16:49 . 2010-08-04 16:49 61440 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6e45de90-n\decora-sse.dll
2010-08-04 16:49 . 2010-08-04 16:49 12800 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6e45de90-n\decora-d3d.dll
2010-08-04 16:49 . 2010-08-04 16:49 -------- d-----w- c:\program files\Java
2010-08-03 07:25 . 2010-08-03 07:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-30 01:04 . 1996-02-08 12:06 274944 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WIN32\AUTORUN.EXE
2010-07-30 01:00 . 1997-06-12 14:03 289280 ----a-w- c:\windows\uninst.exe
2010-07-30 01:00 . 2010-07-30 01:00 -------- d-----w- c:\documents and settings\StephenK\WINDOWS
2010-07-30 00:58 . 1995-08-03 09:01 1980416 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WINDEMO\TSMANIAD\TSSMANIA.EXE
2010-07-30 00:58 . 1995-08-03 09:01 98816 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WINDEMO\SBWDWIND\MECCLOGO.EXE
2010-07-30 00:58 . 1995-08-03 09:01 562528 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WINDEMO\SBWDWIND\SBW.EXE
2010-07-30 00:58 . 1995-08-03 09:01 171520 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WINDEMO\SBWDWIND\SBWED.DLL
2010-07-30 00:58 . 1995-08-03 09:01 29668 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\WINDEMO\SBWDWIND\ANGLORES.DLL
2010-07-30 00:55 . 1995-09-21 11:17 65328 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\Amazon trail\SETUP.EXE
2010-07-29 21:28 . 2010-07-29 21:28 -------- d-----w- C:\MECC
2010-07-29 21:26 . 2010-07-29 21:27 264210 ----a-w- c:\documents and settings\StephenK\Application Data\uTorrent\The Yukon Trail\setup.exe
2010-07-29 19:52 . 2010-07-29 19:52 -------- d-----w- c:\documents and settings\StephenK\Local Settings\Application Data\Yahoo
2010-07-29 19:21 . 2010-07-29 19:52 -------- d-----w- c:\documents and settings\StephenK\Application Data\Yahoo!
2010-07-29 19:16 . 2010-07-29 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-29 19:16 . 2010-04-20 20:45 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-07-29 19:15 . 2010-08-05 03:32 -------- d-----w- c:\program files\Yahoo!
2010-07-28 06:28 . 2010-07-28 06:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-27 20:32 . 2010-07-27 20:32 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 20:32 . 2010-08-04 16:49 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 23:58 . 2010-07-22 23:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-22 23:58 . 2010-08-05 22:18 -------- d-----w- c:\documents and settings\StephenK\Application Data\skypePM
2010-07-22 23:58 . 2010-08-05 22:43 -------- d-----w- c:\documents and settings\StephenK\Application Data\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----w- c:\program files\Common Files\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----r- c:\program files\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-20 07:06 . 2010-06-08 15:49 52224 ----a-w- c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\FFExternalAlert.dll
2010-07-20 07:06 . 2010-06-08 15:49 101376 ----a-w- c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\RadioWMPCore.dll
2010-07-20 02:04 . 2010-07-20 02:04 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-20 01:51 . 2010-07-20 01:51 -------- d-----w- c:\documents and settings\StephenK\Application Data\Malwarebytes
2010-07-20 01:46 . 2010-07-20 01:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-20 01:45 . 2010-07-20 01:45 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-20 01:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 01:36 . 2010-07-20 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 01:36 . 2010-07-20 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 01:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 01:32 . 2010-07-26 03:43 0 ----a-w- c:\windows\Etabesuxit.bin
2010-07-20 01:32 . 2010-07-23 17:39 120 ----a-w- c:\windows\Dmiqejadazayuj.dat
2010-07-20 01:32 . 2010-07-20 01:32 -------- d-----w- c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}
2010-07-20 01:32 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-20 01:32 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-20 01:32 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-20 01:32 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-20 01:31 . 2010-07-20 01:31 -------- d-----w- C:\spoolerlogs
2010-07-20 01:31 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-20 01:31 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-20 01:31 . 2010-07-20 01:58 -------- d-----w- c:\documents and settings\StephenK\Local Settings\Application Data\dhkjcleub

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 17:21 . 2010-01-17 15:46 -------- d-----w- c:\documents and settings\StephenK\Application Data\uTorrent
2010-08-06 17:19 . 2010-06-23 03:18 64200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-06 10:28 . 2010-02-01 16:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-06 05:35 . 2010-01-30 05:19 -------- d-----w- c:\program files\World of Warcraft
2010-08-04 17:48 . 2010-01-17 19:16 99 ----a-w- c:\documents and settings\StephenK\jagex_runescape_preferences2.dat
2010-08-04 17:46 . 2010-01-17 19:15 46 ----a-w- c:\documents and settings\StephenK\jagex_runescape_preferences.dat
2010-08-04 02:56 . 2010-01-21 00:46 -------- d-----w- c:\program files\Warcraft III
2010-08-03 22:35 . 2010-01-17 15:54 -------- d-----w- c:\program files\SwiftKit
2010-08-02 18:32 . 2010-01-23 05:30 -------- d-----w- c:\documents and settings\StephenK\Application Data\vlc
2010-07-28 08:22 . 2010-07-31 05:01 178450 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-26 21:40 . 2010-02-02 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-07-26 21:38 . 2010-01-17 16:01 -------- d-----w- c:\documents and settings\StephenK\Application Data\GameRanger
2010-07-21 18:37 . 2010-03-25 18:20 -------- d-----w- c:\documents and settings\StephenK\Application Data\FrostWire
2010-06-22 23:40 . 2010-01-17 16:33 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-06-22 23:40 . 2010-01-17 16:33 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-06-22 23:40 . 2010-01-17 16:33 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-06-22 23:11 . 2010-06-22 23:00 -------- d-----w- c:\documents and settings\Guest\Application Data\uTorrent
2010-06-22 17:01 . 2010-01-30 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-17 04:16 . 2010-06-17 04:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2010-06-14 14:31 . 2010-01-17 18:14 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 16:52 . 2010-06-12 16:52 -------- d-----w- c:\program files\Runes of Magic
2010-06-10 15:20 . 2010-03-25 18:18 -------- d-----w- c:\program files\FrostWire
2010-06-08 21:07 . 2010-01-18 09:50 -------- d-----w- c:\program files\DivX
2010-06-08 17:38 . 2010-01-21 18:17 -------- d-----w- c:\program files\WinPcap
2010-05-31 03:25 . 2010-05-31 03:25 348160 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e573a52-n\msvcr71.dll
2010-05-31 03:25 . 2010-05-31 03:25 503808 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e573a52-n\msvcp71.dll
2010-05-31 03:25 . 2010-05-31 03:25 499712 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e573a52-n\jmc.dll
2010-05-24 16:29 . 2010-05-24 16:29 61440 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-41e1e607-n\decora-sse.dll
2010-05-24 16:29 . 2010-05-24 16:29 12800 ----a-w- c:\documents and settings\StephenK\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-41e1e607-n\decora-d3d.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-23 2938552]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-17 289584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\StephenK\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-29 0]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="%windir%\resources\logon\logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^StephenK^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\StephenK\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^StephenK^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\StephenK\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-01-17 15:47 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"sta"=rundll32 "lntqp.dll",,Run

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"56746:TCP"= 56746:TCP:Pando Media Booster
"56746:UDP"= 56746:UDP:Pando Media Booster

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 PM 231424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2010 11:22 PM 664064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\
FF - component: c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\RadioWMPCore.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: XULRunner: {0A181BA9-5046-4FAA-95C2-B558CB4CB523} - c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 14:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: TUKERNEL.EXE catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866ABB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78c8f28
\Driver\ACPI -> ACPI.sys @ 0xf781bcb8
\Driver\atapi -> atapi.sys @ 0xf778f852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf769bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf768aa0d
SendHandler -> NDIS.sys @ 0xf769eb40

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,98,bb,4b,72,fc,1f,76,46,9f,2d,26,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,98,bb,4b,72,fc,1f,76,46,9f,2d,26,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(380)
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-06 14:07:17
ComboFix-quarantined-files.txt 2010-08-06 18:07

Pre-Run: 31,263,580,160 bytes free
Post-Run: 31,523,610,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer /TUTag=M7ERZT /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /usepmtimer /TUTag=M7ERZT-BAK

- - End Of File - - 49087D0489FC11B8E04C46109C62C578


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania

Posted 06 August 2010 - 01:27 PM

Hello,

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\
FF - HiddenExtension: XULRunner: {0A181BA9-5046-4FAA-95C2-B558CB4CB523} - c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
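
The CFScript in the post above targets two findings from the ComboFix log (the 127.0.0.1:5643 proxy setting and the hidden XULRunner extension). As an added example, not part of the thread and not ComboFix's own code, here is a small Python triage script that scans a ComboFix-style log for those indicators plus the bootkit line, the disabled firewall setting and the rundll32 entry that loads a DLL by bare name; the sample log inside it is constructed from lines quoted in the log above.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread; it is not ComboFix code and not from the
original post. SAMPLE_LOG is constructed from lines quoted in the log above.
"""
import re
from typing import List, Tuple

# Constructed sample in ComboFix's log format: registry key headers in [...],
# "name"=value lines beneath them, and the u*/FF - lines of the supplementary scan.
SAMPLE_LOG = r"""
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"sta"=rundll32 "lntqp.dll",,Run

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
FF - HiddenExtension: XULRunner: {0A181BA9-5046-4FAA-95C2-B558CB4CB523} - c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}
"""

Finding = Tuple[str, str, str]  # (rule name, registry key the line sits under or "", detail)

# Each rule: name, pattern tried against every non-header line, and a function
# that turns the match into a one-line description.
RULES = [
    ("bootkit",
     re.compile(r"Bootkit\s+(\S+)\s+was found"),
     lambda m: f"bootkit '{m.group(1)}' reported"),
    ("rundll32-bare-dll",
     re.compile(r'rundll32\s+"?([^\\/":]+\.dll)"?', re.IGNORECASE),
     lambda m: f"rundll32 loads '{m.group(1)}' by bare name, resolved through the DLL search path"),
    ("firewall-off",
     re.compile(r'"EnableFirewall"\s*=\s*0\b'),
     lambda m: "Windows Firewall disabled for this profile"),
    ("local-proxy",
     re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)"),
     lambda m: f"browser traffic routed through a loopback proxy at {m.group(1)}:{m.group(2)}"),
    ("hidden-extension",
     re.compile(r"FF - HiddenExtension:\s*(\S+):\s*(\{[0-9A-Fa-f-]+\})"),
     lambda m: f"hidden {m.group(1)} extension {m.group(2)}"),
]


def scan_combofix_log(text: str) -> List[Finding]:
    """Walk the log line by line, remembering the registry key header a line
    sits under, and return one finding per rule that matches."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = ""          # a blank line ends the current registry block
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # e.g. HKEY_LOCAL_MACHINE...CurrentVersion\Run
            continue
        for name, pattern, describe in RULES:
            match = pattern.search(line)
            if match:
                findings.append((name, section, describe(match)))
    return findings


def is_live_autostart(finding: Finding) -> bool:
    """True when the entry sits under a key Windows actually processes at logon.
    ComboFix also prints keys whose name ends in 'run-', which Windows does not
    process; an entry there (like the rundll32 line in the thread) is still
    worth removing but is not what is running right now."""
    key = finding[1].lower()
    return key.endswith("\\run") or key.endswith("\\runonce")


if __name__ == "__main__":
    for rule, section, detail in scan_combofix_log(SAMPLE_LOG):
        where = f"  [{section}]" if section else ""
        print(f"{rule:18s} {detail}{where}")
```

A loopback proxy setting is not by itself proof of infection (some legitimate filtering software sets one), so treat the output as triage hints to confirm against the rest of the log.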


#9 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts

Posted 06 August 2010 - 02:50 PM

Here are your logs:

2010/08/06 14:47:22.0093 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 14:47:22.0093 ================================================================================
2010/08/06 14:47:22.0093 SystemInfo:
2010/08/06 14:47:22.0093
2010/08/06 14:47:22.0093 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 14:47:22.0093 Product type: Workstation
2010/08/06 14:47:22.0093 ComputerName: STEPHEN
2010/08/06 14:47:22.0093 UserName: StephenK
2010/08/06 14:47:22.0093 Windows directory: C:\WINDOWS
2010/08/06 14:47:22.0093 System windows directory: C:\WINDOWS
2010/08/06 14:47:22.0093 Processor architecture: Intel x86
2010/08/06 14:47:22.0093 Number of processors: 1
2010/08/06 14:47:22.0093 Page size: 0x1000
2010/08/06 14:47:22.0093 Boot type: Normal boot
2010/08/06 14:47:22.0093 ================================================================================
2010/08/06 14:47:22.0859 Initialize success
2010/08/06 14:47:29.0703 ================================================================================
2010/08/06 14:47:29.0703 Scan started
2010/08/06 14:47:29.0703 Mode: Manual;
2010/08/06 14:47:29.0703 ================================================================================
2010/08/06 14:47:32.0218 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 14:47:32.0250 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/08/06 14:47:32.0312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/06 14:47:32.0421 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/06 14:47:32.0562 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/08/06 14:47:32.0656 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/06 14:47:32.0765 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/06 14:47:32.0828 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 14:47:33.0031 ati2mtag (d81980c64543ba5c39dd2a92dc1d2daf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/08/06 14:47:33.0156 atitray (f46afb51f1a1cb8c7ecd85533ca839fe) C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
2010/08/06 14:47:33.0218 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/06 14:47:33.0265 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/06 14:47:33.0359 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/08/06 14:47:33.0546 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/06 14:47:33.0609 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
2010/08/06 14:47:33.0640 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
2010/08/06 14:47:33.0937 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/06 14:47:33.0953 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/06 14:47:34.0015 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/06 14:47:34.0078 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/06 14:47:34.0125 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
2010/08/06 14:47:34.0265 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/08/06 14:47:34.0343 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/08/06 14:47:34.0500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/06 14:47:34.0562 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/06 14:47:34.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/06 14:47:34.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/06 14:47:34.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/06 14:47:34.0843 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/06 14:47:34.0906 dtscsi (6461e57bb51a848aae26f52427b7cf9e) C:\WINDOWS\System32\Drivers\dtscsi.sys
2010/08/06 14:47:34.0984 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/06 14:47:35.0031 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/06 14:47:35.0078 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/06 14:47:35.0093 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/06 14:47:35.0156 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/06 14:47:35.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/06 14:47:35.0250 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/06 14:47:35.0281 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/06 14:47:35.0359 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/06 14:47:35.0656 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
2010/08/06 14:47:35.0781 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/08/06 14:47:35.0890 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/06 14:47:35.0953 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/08/06 14:47:36.0046 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 14:47:36.0171 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/06 14:47:36.0265 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/06 14:47:36.0296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/06 14:47:36.0328 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/06 14:47:36.0375 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/06 14:47:36.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 14:47:36.0625 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/06 14:47:36.0718 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/06 14:47:36.0781 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/06 14:47:37.0218 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/06 14:47:37.0640 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/06 14:47:37.0671 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/06 14:47:37.0750 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
2010/08/06 14:47:37.0812 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/08/06 14:47:37.0875 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/06 14:47:37.0937 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/06 14:47:37.0968 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/06 14:47:38.0015 moufiltr (899519e8679a0f5f38c06b0fd6619436) C:\WINDOWS\system32\DRIVERS\moufiltr.sys
2010/08/06 14:47:38.0046 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/06 14:47:38.0062 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/06 14:47:38.0109 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/06 14:47:38.0343 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/06 14:47:38.0406 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/06 14:47:38.0484 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/06 14:47:38.0546 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/06 14:47:38.0562 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/06 14:47:38.0687 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/06 14:47:38.0734 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/06 14:47:38.0781 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/06 14:47:38.0812 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/06 14:47:38.0843 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/06 14:47:39.0015 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/06 14:47:39.0046 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/06 14:47:39.0093 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/06 14:47:39.0156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/06 14:47:39.0234 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/06 14:47:39.0265 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/08/06 14:47:39.0312 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
2010/08/06 14:47:39.0390 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/06 14:47:39.0609 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/06 14:47:39.0843 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/06 14:47:39.0921 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/06 14:47:39.0937 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/06 14:47:40.0000 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/06 14:47:40.0031 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/06 14:47:40.0062 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/06 14:47:40.0093 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/06 14:47:40.0156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/06 14:47:40.0234 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/06 14:47:40.0281 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/08/06 14:47:40.0343 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/08/06 14:47:40.0609 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/06 14:47:40.0671 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/06 14:47:40.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/06 14:47:40.0734 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/06 14:47:40.0843 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/06 14:47:40.0875 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/06 14:47:40.0890 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/06 14:47:40.0906 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/06 14:47:40.0968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 14:47:41.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/06 14:47:41.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/06 14:47:41.0125 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/06 14:47:41.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 14:47:41.0250 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2010/08/06 14:47:41.0312 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/08/06 14:47:41.0390 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
2010/08/06 14:47:41.0421 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/08/06 14:47:41.0453 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 14:47:41.0531 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/06 14:47:41.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/06 14:47:41.0656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 14:47:41.0750 sptd (b0e72ec9868fcab56581ab7af739914d) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 14:47:41.0859 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/06 14:47:41.0906 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 14:47:41.0968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 14:47:41.0984 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 14:47:42.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 14:47:42.0140 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 14:47:42.0234 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/06 14:47:42.0250 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/06 14:47:42.0296 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 14:47:42.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 14:47:42.0500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 14:47:42.0609 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/06 14:47:42.0671 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/06 14:47:42.0703 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 14:47:42.0734 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 14:47:42.0750 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/06 14:47:42.0796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 14:47:42.0875 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 14:47:42.0937 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 14:47:43.0000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 14:47:43.0078 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 14:47:43.0171 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/08/06 14:47:43.0281 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/08/06 14:47:43.0375 ================================================================================
2010/08/06 14:47:43.0375 Scan finished
2010/08/06 14:47:43.0375 ================================================================================
2010/08/06 14:50:35.0140 Deinitialize success


--------------------------------------------------------------------------------------------------------------------------------------------


ComboFix 10-08-06.01 - StephenK 08/06/2010 15:17:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.626 [GMT -4:00]
Running from: c:\documents and settings\StephenK\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\StephenK\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}
c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}\chrome.manifest
c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}\chrome\content\_cfg.js
c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}\chrome\content\overlay.xul
c:\documents and settings\StephenK\Local Settings\Application Data\{0A181BA9-5046-4FAA-95C2-B558CB4CB523}\install.rdf

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-04 16:49 . 2010-08-04 16:49 -------- d-----w- c:\program files\Java
2010-08-03 07:25 . 2010-08-03 07:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-30 01:00 . 1997-06-12 14:03 289280 ----a-w- c:\windows\uninst.exe
2010-07-30 01:00 . 2010-07-30 01:00 -------- d-----w- c:\documents and settings\StephenK\WINDOWS
2010-07-29 21:28 . 2010-07-29 21:28 -------- d-----w- C:\MECC
2010-07-29 19:52 . 2010-07-29 19:52 -------- d-----w- c:\documents and settings\StephenK\Local Settings\Application Data\Yahoo
2010-07-29 19:21 . 2010-07-29 19:52 -------- d-----w- c:\documents and settings\StephenK\Application Data\Yahoo!
2010-07-29 19:16 . 2010-07-29 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-29 19:15 . 2010-08-05 03:32 -------- d-----w- c:\program files\Yahoo!
2010-07-28 06:28 . 2010-07-28 06:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-27 20:32 . 2010-07-27 20:32 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 20:32 . 2010-08-04 16:49 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 23:58 . 2010-07-22 23:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-22 23:58 . 2010-08-06 19:14 -------- d-----w- c:\documents and settings\StephenK\Application Data\skypePM
2010-07-22 23:58 . 2010-08-06 19:31 -------- d-----w- c:\documents and settings\StephenK\Application Data\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----w- c:\program files\Common Files\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----r- c:\program files\Skype
2010-07-22 23:57 . 2010-07-22 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-20 02:04 . 2010-07-20 02:04 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-20 01:51 . 2010-07-20 01:51 -------- d-----w- c:\documents and settings\StephenK\Application Data\Malwarebytes
2010-07-20 01:46 . 2010-07-20 01:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-20 01:45 . 2010-07-20 01:45 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-20 01:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 01:36 . 2010-07-20 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 01:36 . 2010-07-20 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 01:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 01:32 . 2010-07-26 03:43 0 ----a-w- c:\windows\Etabesuxit.bin
2010-07-20 01:32 . 2010-07-23 17:39 120 ----a-w- c:\windows\Dmiqejadazayuj.dat
2010-07-20 01:32 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-20 01:32 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-20 01:32 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-20 01:32 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-20 01:31 . 2010-07-20 01:31 -------- d-----w- C:\spoolerlogs
2010-07-20 01:31 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-20 01:31 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-20 01:31 . 2010-07-20 01:58 -------- d-----w- c:\documents and settings\StephenK\Local Settings\Application Data\dhkjcleub

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 19:31 . 2010-01-17 15:46 -------- d-----w- c:\documents and settings\StephenK\Application Data\uTorrent
2010-08-06 18:48 . 2010-02-01 16:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-06 17:19 . 2010-06-23 03:18 64200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-06 05:35 . 2010-01-30 05:19 -------- d-----w- c:\program files\World of Warcraft
2010-08-04 17:48 . 2010-01-17 19:16 99 ----a-w- c:\documents and settings\StephenK\jagex_runescape_preferences2.dat
2010-08-04 17:46 . 2010-01-17 19:15 46 ----a-w- c:\documents and settings\StephenK\jagex_runescape_preferences.dat
2010-08-04 02:56 . 2010-01-21 00:46 -------- d-----w- c:\program files\Warcraft III
2010-08-03 22:35 . 2010-01-17 15:54 -------- d-----w- c:\program files\SwiftKit
2010-08-02 18:32 . 2010-01-23 05:30 -------- d-----w- c:\documents and settings\StephenK\Application Data\vlc
2010-07-28 08:22 . 2010-07-31 05:01 178450 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-26 21:40 . 2010-02-02 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-07-26 21:38 . 2010-01-17 16:01 -------- d-----w- c:\documents and settings\StephenK\Application Data\GameRanger
2010-07-21 18:37 . 2010-03-25 18:20 -------- d-----w- c:\documents and settings\StephenK\Application Data\FrostWire
2010-06-22 23:40 . 2010-01-17 16:33 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-06-22 23:40 . 2010-01-17 16:33 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-06-22 23:40 . 2010-01-17 16:33 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-06-22 23:11 . 2010-06-22 23:00 -------- d-----w- c:\documents and settings\Guest\Application Data\uTorrent
2010-06-22 17:01 . 2010-01-30 08:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-17 04:16 . 2010-06-17 04:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2010-06-14 14:31 . 2010-01-17 18:14 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 16:52 . 2010-06-12 16:52 -------- d-----w- c:\program files\Runes of Magic
2010-06-10 15:20 . 2010-03-25 18:18 -------- d-----w- c:\program files\FrostWire
2010-06-08 21:07 . 2010-01-18 09:50 -------- d-----w- c:\program files\DivX
2010-06-08 17:38 . 2010-01-21 18:17 -------- d-----w- c:\program files\WinPcap
.

((((((((((((((((((((((((((((( SnapShot@2010-08-06_18.04.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-06 19:33 . 2010-08-06 19:33 16384 c:\windows\Temp\Perflib_Perfdata_42c.dat
+ 2010-01-17 18:23 . 2010-08-06 19:33 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-17 18:23 . 2010-08-06 17:47 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-17 18:23 . 2010-08-06 19:33 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-01-17 18:23 . 2010-08-06 17:47 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-17 18:23 . 2010-08-06 19:33 901120 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-17 18:23 . 2010-08-06 17:47 901120 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-23 2938552]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-17 289584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\StephenK\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-29 0]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="%windir%\resources\logon\logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^StephenK^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\StephenK\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^StephenK^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\StephenK\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-01-17 15:47 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"sta"=rundll32 "lntqp.dll",,Run

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"56746:TCP"= 56746:TCP:Pando Media Booster
"56746:UDP"= 56746:UDP:Pando Media Booster

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 PM 231424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/20/2010 11:22 PM 664064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\
FF - component: c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\StephenK\Application Data\Mozilla\Firefox\Profiles\n38v97w0.default\extensions\{6c2c8df7-18c9-433f-9359-29c00d3577e0}\components\RadioWMPCore.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 15:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866A3B4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78c8f28
\Driver\ACPI -> ACPI.sys @ 0xf781bcb8
\Driver\atapi -> atapi.sys @ 0xf778f852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf769bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf768aa0d
SendHandler -> NDIS.sys @ 0xf769eb40

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,98,bb,4b,72,fc,1f,76,46,9f,2d,26,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,98,bb,4b,72,fc,1f,76,46,9f,2d,26,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1976)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(212)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-06 15:48:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-06 19:48
ComboFix2.txt 2010-08-06 18:07

Pre-Run: 31,482,945,536 bytes free
Post-Run: 31,434,424,320 bytes free

- - End Of File - - 74C38F04F214CDF2ECA3C287318B29DF


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 07 August 2010 - 04:07 AM

Hello again,
It seems the MBR infection was not completely cleaned.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts
  • Local time:07:57 PM

Posted 07 August 2010 - 04:14 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\TUKERNEL.EXE
0x80710000 \WINDOWS\system32\hal.dll
0x8661B000 \WINDOWS\system32\KDCOM.DLL
0xF7C78000 \WINDOWS\system32\BOOTVID.dll
0xF7770000 sptd.sys
0xF7D64000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF7758000 \WINDOWS\System32\Drivers\SPTD6701.SYS
0xF772A000 ACPI.sys
0xF7719000 pci.sys
0xF7864000 isapnp.sys
0xF7874000 ohci1394.sys
0xF7884000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C7C000 compbatt.sys
0xF7C80000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7E2C000 pciide.sys
0xF7AE4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF76FB000 pcmcia.sys
0xF7894000 MountMgr.sys
0xF76DC000 ftdisk.sys
0xF7D66000 dmload.sys
0xF76B6000 dmio.sys
0xF7C84000 ACPIEC.sys
0xF7E2D000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7AEC000 PartMgr.sys
0xF78A4000 VolSnap.sys
0xF769E000 atapi.sys
0xF78B4000 disk.sys
0xF78C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF767E000 fltMgr.sys
0xF766C000 sr.sys
0xF7655000 KSecDD.sys
0xF75C8000 Ntfs.sys
0xF759B000 NDIS.sys
0xF7581000 Mup.sys
0xF78E4000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A94000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7D38000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF63F6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF63E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B14000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF63BE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B1C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7AA4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B24000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7B2C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D3C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF632A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF6316000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF62F6000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF62A0000 \SystemRoot\system32\drivers\camc6hal.sys
0xF7AB4000 \SystemRoot\system32\drivers\camc6aud.sys
0xF627C000 \SystemRoot\system32\drivers\portcls.sys
0xF67BC000 \SystemRoot\system32\drivers\drmk.sys
0xF6259000 \SystemRoot\system32\drivers\ks.sys
0xF6220000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6123000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF6073000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7B34000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6029000 \SystemRoot\System32\Drivers\dtscsi.sys
0xF381E000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0xF7F92000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF4341000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7534000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF37CB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF4331000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF3947000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7C54000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF37BA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF3937000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7C64000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7C6C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF3907000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF29ED000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF38F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7E12000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF298F000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D9E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF38E7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF38D7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF38C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A74000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7E14000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAAD74000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAA214000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA9FC4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAAD70000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7E1A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA18C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7E1E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA9FB4000 \SystemRoot\System32\drivers\vga.sys
0xF7E20000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D68000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA9FAC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA9FA4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAA597000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA7C41000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA7BE8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7BC0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA7B9E000 \SystemRoot\System32\drivers\afd.sys
0xAA204000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA1E4000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA7B73000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA7B03000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAA1C4000 \SystemRoot\System32\Drivers\Fips.SYS
0xA7ADD000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA1B4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA1A4000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0BC4000 \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
0xA8A9A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xABC06000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB0BA8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xABAD5000 \SystemRoot\system32\DRIVERS\moufiltr.sys
0xA7ACC000 \SystemRoot\System32\Drivers\Udfs.SYS
0xA7AB4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xABAD1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB09F5000 \SystemRoot\System32\drivers\Dxapi.sys
0xA8A72000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E7E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB0B13000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA4E82000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA8708000 \SystemRoot\system32\drivers\npf.sys
0xA4DCB000 \SystemRoot\system32\DRIVERS\srv.sys
0xA49A2000 \SystemRoot\system32\drivers\wdmaud.sys
0xABC40000 \SystemRoot\system32\drivers\sysaudio.sys
0xA468B000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4A27000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA4250000 \SystemRoot\system32\drivers\kmixer.sys
0xF7E9E000 \SystemRoot\system32\giveio.sys
0xA4B7D000 \SystemRoot\system32\speedfan.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
972 C:\WINDOWS\system32\smss.exe
1116 csrss.exe
1208 C:\WINDOWS\system32\winlogon.exe
1324 C:\WINDOWS\system32\services.exe
1336 C:\WINDOWS\system32\lsass.exe
1564 C:\WINDOWS\system32\ati2evxx.exe
1580 C:\WINDOWS\system32\svchost.exe
1720 svchost.exe
1864 C:\WINDOWS\system32\svchost.exe
1936 svchost.exe
352 svchost.exe
856 C:\WINDOWS\system32\spoolsv.exe
1956 C:\WINDOWS\system32\svchost.exe
1992 C:\WINDOWS\ehome\ehSched.exe
260 C:\Program Files\Java\jre6\bin\jqs.exe
1492 C:\WINDOWS\system32\searchindexer.exe
1596 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
1144 C:\WINDOWS\system32\svchost.exe
1288 alg.exe
3008 C:\WINDOWS\system32\ati2evxx.exe
3156 C:\WINDOWS\explorer.exe
3576 C:\WINDOWS\system32\wscntfy.exe
764 C:\WINDOWS\ehome\ehtray.exe
808 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1084 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2216 C:\WINDOWS\ehome\ehmsas.exe
1120 C:\WINDOWS\system32\svchost.exe
4064 C:\Program Files\Mozilla Firefox\firefox.exe
2076 C:\Program Files\World of Warcraft\Wow.exe
3608 C:\Program Files\Skype\Phone\Skype.exe
1752 C:\Program Files\Skype\Plugin Manager\skypePM.exe
2336 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
2356 C:\Program Files\Mozilla Firefox\firefox.exe
3700 C:\Documents and Settings\StephenK\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4OA60A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: CCF356FEC6D9BBB29EF3EF1E4270A2B799955EA4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 07 August 2010 - 05:50 AM

Your log indicates you have an infected Master Boot Record (MBR). To learn more about this infection please refer to:

  • Rerun MBRCheck.exe again by double-clicking on it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option [2] (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter [0] (for PhysicalDrive0) and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below.
    QUOTE
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number (For example, type 0 or 1 for XP, type 3 for Vista, type 5 for Windows 7, etc) and then press Enter. Be careful...if the wrong OS is used, it will render the computer unbootable.
  • When prompted for confirmation: 'Do you want to fix the MBR code?'. Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key on your keyboard to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.
Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. Further, Vista does not always use the same MBR code as it depends on the type of install that was used. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console (XP) or Recovery Environment Startup Repair (Vista, Windows 7) in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:

regards, Elise


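A defender-side version of the check that MBRCheck reports in the logs above, as an added example (not the thread's or MBRCheck's own code): it hashes the boot-code area of a 512-byte sector, compares it with a known-good set, parses the partition table, and extracts the status and SHA1 from an MBRCheck summary table. The sector bytes, the known-good hash set and the tampered copy are constructed; the MBR layout offsets are the standard ones.

```python
"""MBR integrity checks in the spirit of MBRCheck's "MBR Code Faked!" verdict.
Added example for this thread, not MBRCheck's code. Layout offsets are the
classic MBR format (440 bytes of boot code, partition table at 446, 0x55AA at
510); the sample sector, known-good hash set and tampered copy are constructed.
"""
import hashlib
import re
import struct
from collections import namedtuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

PartitionEntry = namedtuple("PartitionEntry",
                            "bootable part_type lba_start sector_count")

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four slots; empty ones (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries

def boot_code_sha1(mbr: bytes) -> str:
    """Hash the boot-code area only, so partition edits do not change it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()

def check_mbr(mbr: bytes, known_good: set) -> dict:
    """Verdict plus reasons; 'ok' only when every check passes.
    Caveat: read from inside an infected OS, the sector may be filtered by a
    rootkit hooking disk I/O. A hash that does not change after the boot code
    was rewritten, as in this thread, is a reason to re-read from clean media.
    """
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_sha1(mbr)
    if digest not in known_good:
        findings.append("boot code hash not in known-good set")
    parts = parse_partition_table(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    return {"sha1": digest, "partitions": parts, "findings": findings,
            "status": "ok" if not findings else "suspect"}

def parse_mbrcheck_report(text: str) -> list:
    """Pull size, device, status and SHA1 out of MBRCheck's summary table."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\d+\s*GB)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$", line)
        if m:
            current = {"size": m.group(1), "device": m.group(2),
                       "status": m.group(3).strip(), "sha1": None}
            results.append(current)
        elif line.startswith("SHA1:") and current is not None:
            current["sha1"] = line.split(":", 1)[1].strip().upper()
    return results

def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed 512-byte sector for exercising the checks."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

# Constructed stand-in for vendor boot code (not real Windows bytes).
CLEAN_BOOT_CODE = (b"CONSTRUCTED-BOOT-CODE-" * 20)[:BOOT_CODE_LEN]
# One active NTFS partition (type 0x07) at LBA 63, which is what the thread's
# 0x7e00 volume offset (63 * 512) implies; the sector count is made up.
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 63, 156_000_000)])
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR)}

# Tampered copy: a few boot-code bytes overwritten, partition table untouched.
_t = bytearray(CLEAN_MBR)
_t[0x10:0x14] = b"\x00\x00\x00\x00"
TAMPERED_MBR = bytes(_t)

# Summary table quoted from the thread's MBRCheck output.
SAMPLE_REPORT = r"""Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: CCF356FEC6D9BBB29EF3EF1E4270A2B799955EA4
"""
```

Run `check_mbr(CLEAN_MBR, KNOWN_GOOD)` and `check_mbr(TAMPERED_MBR, KNOWN_GOOD)` to see the two verdicts; `parse_mbrcheck_report(SAMPLE_REPORT)` returns the thread's status and hash as a dict.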


#13 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts
  • Local time:07:57 PM

Posted 07 August 2010 - 12:44 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\TUKERNEL.EXE
0x80710000 \WINDOWS\system32\hal.dll
0x8661B000 \WINDOWS\system32\KDCOM.DLL
0xF7C78000 \WINDOWS\system32\BOOTVID.dll
0xF7770000 sptd.sys
0xF7D64000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF7758000 \WINDOWS\System32\Drivers\SPTD6701.SYS
0xF772A000 ACPI.sys
0xF7719000 pci.sys
0xF7864000 isapnp.sys
0xF7874000 ohci1394.sys
0xF7884000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C7C000 compbatt.sys
0xF7C80000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7E2C000 pciide.sys
0xF7AE4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF76FB000 pcmcia.sys
0xF7894000 MountMgr.sys
0xF76DC000 ftdisk.sys
0xF7D66000 dmload.sys
0xF76B6000 dmio.sys
0xF7C84000 ACPIEC.sys
0xF7E2D000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7AEC000 PartMgr.sys
0xF78A4000 VolSnap.sys
0xF769E000 atapi.sys
0xF78B4000 disk.sys
0xF78C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF767E000 fltMgr.sys
0xF766C000 sr.sys
0xF7655000 KSecDD.sys
0xF75C8000 Ntfs.sys
0xF759B000 NDIS.sys
0xF7581000 Mup.sys
0xF78E4000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A94000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7D38000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF63F6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF63E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B14000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF63BE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B1C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7AA4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B24000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7B2C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D3C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF632A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF6316000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF62F6000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF62A0000 \SystemRoot\system32\drivers\camc6hal.sys
0xF7AB4000 \SystemRoot\system32\drivers\camc6aud.sys
0xF627C000 \SystemRoot\system32\drivers\portcls.sys
0xF67BC000 \SystemRoot\system32\drivers\drmk.sys
0xF6259000 \SystemRoot\system32\drivers\ks.sys
0xF6220000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6123000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF6073000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7B34000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6029000 \SystemRoot\System32\Drivers\dtscsi.sys
0xF381E000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0xF7F92000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF4341000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7534000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF37CB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF4331000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF3947000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7C54000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF37BA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF3937000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7C64000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7C6C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF3907000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF29ED000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF38F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7E12000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF298F000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D9E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF38E7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF38D7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF38C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A74000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7E14000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAAD74000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAA214000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA9FC4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAAD70000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7E1A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA18C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7E1E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA9FB4000 \SystemRoot\System32\drivers\vga.sys
0xF7E20000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D68000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA9FAC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA9FA4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAA597000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA7C41000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA7BE8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7BC0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA7B9E000 \SystemRoot\System32\drivers\afd.sys
0xAA204000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA1E4000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA7B73000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA7B03000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAA1C4000 \SystemRoot\System32\Drivers\Fips.SYS
0xA7ADD000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA1B4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA1A4000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0BC4000 \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
0xA8A9A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xABC06000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB0BA8000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xABAD5000 \SystemRoot\system32\DRIVERS\moufiltr.sys
0xA7ACC000 \SystemRoot\System32\Drivers\Udfs.SYS
0xA7AB4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xABAD1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB09F5000 \SystemRoot\System32\drivers\Dxapi.sys
0xA8A72000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E7E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB0B13000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA4E82000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA8708000 \SystemRoot\system32\drivers\npf.sys
0xA4DCB000 \SystemRoot\system32\DRIVERS\srv.sys
0xA49A2000 \SystemRoot\system32\drivers\wdmaud.sys
0xABC40000 \SystemRoot\system32\drivers\sysaudio.sys
0xA468B000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4A27000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7E9E000 \SystemRoot\system32\giveio.sys
0xA4B7D000 \SystemRoot\system32\speedfan.sys
0xA35FE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
972 C:\WINDOWS\system32\smss.exe
1116 csrss.exe
1208 C:\WINDOWS\system32\winlogon.exe
1324 C:\WINDOWS\system32\services.exe
1336 C:\WINDOWS\system32\lsass.exe
1564 C:\WINDOWS\system32\ati2evxx.exe
1580 C:\WINDOWS\system32\svchost.exe
1720 svchost.exe
1864 C:\WINDOWS\system32\svchost.exe
1936 svchost.exe
352 svchost.exe
856 C:\WINDOWS\system32\spoolsv.exe
1956 C:\WINDOWS\system32\svchost.exe
1992 C:\WINDOWS\ehome\ehSched.exe
260 C:\Program Files\Java\jre6\bin\jqs.exe
1492 C:\WINDOWS\system32\searchindexer.exe
1596 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
1144 C:\WINDOWS\system32\svchost.exe
1288 alg.exe
3008 C:\WINDOWS\system32\ati2evxx.exe
3156 C:\WINDOWS\explorer.exe
3576 C:\WINDOWS\system32\wscntfy.exe
764 C:\WINDOWS\ehome\ehtray.exe
808 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1084 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2216 C:\WINDOWS\ehome\ehmsas.exe
1120 C:\WINDOWS\system32\svchost.exe
4064 C:\Program Files\Mozilla Firefox\firefox.exe
2336 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
3644 C:\WINDOWS\system32\taskmgr.exe
2440 C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
1380 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
3808 C:\Documents and Settings\StephenK\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4OA60A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: CCF356FEC6D9BBB29EF3EF1E4270A2B799955EA4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 0
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,085 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 07 August 2010 - 12:52 PM

Can you now please rerun MBRcheck as instructed here so I can see if the MBR is ok now.

regards, Elise




#15 StephenK

StephenK
  • Topic Starter

  • Members
  • 18 posts
  • Local time:07:57 PM

Posted 07 August 2010 - 01:57 PM

Here's the new log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\TUKERNEL.EXE
0x80710000 \WINDOWS\system32\hal.dll
0x8669A000 \WINDOWS\system32\KDCOM.DLL
0xF7C78000 \WINDOWS\system32\BOOTVID.dll
0xF7770000 sptd.sys
0xF7D64000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF7758000 \WINDOWS\System32\Drivers\SPTD6701.SYS
0xF772A000 ACPI.sys
0xF7719000 pci.sys
0xF7864000 isapnp.sys
0xF7874000 ohci1394.sys
0xF7884000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C7C000 compbatt.sys
0xF7C80000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7E2C000 pciide.sys
0xF7AE4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF76FB000 pcmcia.sys
0xF7894000 MountMgr.sys
0xF76DC000 ftdisk.sys
0xF7D66000 dmload.sys
0xF76B6000 dmio.sys
0xF7C84000 ACPIEC.sys
0xF7E2D000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7AEC000 PartMgr.sys
0xF78A4000 VolSnap.sys
0xF769E000 atapi.sys
0xF78B4000 disk.sys
0xF78C4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF767E000 fltMgr.sys
0xF766C000 sr.sys
0xF7655000 KSecDD.sys
0xF75C8000 Ntfs.sys
0xF759B000 NDIS.sys
0xF7D68000 speedfan.sys
0xF7581000 Mup.sys
0xF7E2E000 giveio.sys
0xF78E4000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A14000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7D38000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF63C7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF63B3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B14000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF638F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B1C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7A24000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B24000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7B2C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D3C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF62FB000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF62E7000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF62C7000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF6271000 \SystemRoot\system32\drivers\camc6hal.sys
0xF7A94000 \SystemRoot\system32\drivers\camc6aud.sys
0xF624D000 \SystemRoot\system32\drivers\portcls.sys
0xF7A34000 \SystemRoot\system32\drivers\drmk.sys
0xF622A000 \SystemRoot\system32\drivers\ks.sys
0xF61F1000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF60F4000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF6044000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7B34000 \SystemRoot\System32\Drivers\Modem.SYS
0xF5FFA000 \SystemRoot\System32\Drivers\dtscsi.sys
0xF37C7000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0xF7ED3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF42EB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7500000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF3774000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7964000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF38F0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7C54000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF3763000 \SystemRoot\system32\DRIVERS\psched.sys
0xF38E0000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7C5C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7C64000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF38A0000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF2996000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF3890000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7E08000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF2910000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D97000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF3880000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF3870000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF3860000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF4C80000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7E0A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB0B70000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xB0B6C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB0CB9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB0C61000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB0C59000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7E00000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA130000 \SystemRoot\System32\Drivers\Null.SYS
0xF7E2A000 \SystemRoot\System32\Drivers\Beep.SYS
0xAA1CD000 \SystemRoot\System32\drivers\vga.sys
0xF7E12000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAA961000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA9DCE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA9DC6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAA95D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA7CC5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA7C6C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7C44000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA7C22000 \SystemRoot\System32\drivers\afd.sys
0xAA25E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9FF1000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xA7BF7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA7B87000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9FD1000 \SystemRoot\System32\Drivers\Fips.SYS
0xA7B61000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA9FC1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA9FB1000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB0B68000 \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
0xB0B60000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7E1A000 \SystemRoot\system32\DRIVERS\moufiltr.sys
0xA7B50000 \SystemRoot\System32\Drivers\Udfs.SYS
0xA7B38000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7E1E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB09F0000 \SystemRoot\System32\drivers\Dxapi.sys
0xA9DA6000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB0969000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB09D4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA4E68000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9F71000 \SystemRoot\system32\drivers\sysaudio.sys
0xA4D3A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF652E000 \SystemRoot\system32\drivers\npf.sys
0xA4C53000 \SystemRoot\system32\DRIVERS\srv.sys
0xA4B3B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA453E000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 37):
0 System Idle Process
4 System
972 C:\WINDOWS\system32\smss.exe
1084 csrss.exe
1144 C:\WINDOWS\system32\winlogon.exe
1260 C:\WINDOWS\system32\services.exe
1272 C:\WINDOWS\system32\lsass.exe
1496 C:\WINDOWS\system32\ati2evxx.exe
1512 C:\WINDOWS\system32\svchost.exe
1656 svchost.exe
1804 C:\WINDOWS\system32\svchost.exe
1868 svchost.exe
264 svchost.exe
792 C:\WINDOWS\system32\spoolsv.exe
392 C:\WINDOWS\system32\ati2evxx.exe
644 C:\WINDOWS\explorer.exe
884 C:\WINDOWS\system32\svchost.exe
908 C:\WINDOWS\ehome\ehSched.exe
1004 C:\Program Files\Java\jre6\bin\jqs.exe
1276 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
952 C:\WINDOWS\ehome\ehtray.exe
960 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1040 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1844 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1444 C:\Program Files\Pando Networks\Media Booster\PMB.exe
1216 C:\WINDOWS\ehome\ehmsas.exe
288 C:\WINDOWS\system32\wuauclt.exe
2060 C:\WINDOWS\system32\svchost.exe
2076 C:\WINDOWS\system32\searchindexer.exe
2420 C:\WINDOWS\system32\wscntfy.exe
2700 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
4016 C:\Program Files\Mozilla Firefox\firefox.exe
292 C:\WINDOWS\system32\taskmgr.exe
2188 alg.exe
2624 wmiprvse.exe
3136 C:\WINDOWS\system32\svchost.exe
2440 C:\Documents and Settings\StephenK\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4OA60A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: CCF356FEC6D9BBB29EF3EF1E4270A2B799955EA4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!



