Google search results redirect +some random spam popups


This topic is locked
33 replies to this topic

#1 whatiamigonnado


Posted 28 July 2010 - 09:01 PM

On the 27th of July I noticed strange behaviours on my computer. I ran my usual combo of HijackThis, Spybot and mbam to resolve the problem. However, after multiple scans and automatic fixes, some infected entries would just come back over and over. With the help of ProcessExplorer, I killed and deleted all the processes and files that I found suspicious. Amongst the spyware I remember removing, there was sdra64 (a personal information collector that I am personally very worried about), Animal Doctor and many others I don't remember.

Now with the latest updates, both Spybot and mbam are currently not detecting any infected files even after multiple scans. Also, to my knowledge, HijackThis is reporting no suspicious entries (as was the case before).
However, now from time to time when I click on some Google search results, I am redirected to some random advertising/spam page. Also, I have witnessed some tabs randomly opening to some advertising/spam page while browsing. The problem is occurring on Chrome, Firefox and Internet Explorer. The problem is intermittent: most of the time all the Google search results are working fine.

Also, I am not sure if this is related to my spyware problem or is a completely different bad sector problem or what, but when performing a full scan with mbam, the scan would stall when scanning the folder G:\Savegames. (I use the G:\ drive as a backup drive and no system files are on it. All the mbam scans that I have done excluded this drive to achieve completion.) Also, when I try to access the folder with Windows Explorer, Explorer freezes.

I would like to
1. Fix the Google search result/random tab popup problem
2. Be sure that no traces are left of the previous spyware I thought I removed (I especially want to be sure there are no traces left of sdra64)
3. Fix the problem on my G:\ drive

I included here the DDS logs. However, when I ran GMER, the scan started immediately and the program crashed after a few seconds. My computer then ran 'sluggish'. I tried to restart through Windows (without success) and then reset the computer manually. Thus, I cannot produce a GMER log.

PS Additional symptom: In Chrome, Firefox and Internet Explorer, I was not allowed to post on this forum (hitting the post button would give a browser generated error). I could also not send myself an email (same type of error). I had to put the log files and this message on a USB stick to make this post. This confirms my belief that I am stuck with some nasty bleep.


DDS (Ver_10-03-17.01) - NTFSx86
Run by zyth at 20:25:29,65 on 2010-07-28
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1653 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\zyth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\zyth\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219706506437
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zyth\applic~1\mozilla\firefox\profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\octoshape streaming services\zyth\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - HiddenExtension: XULRunner: {11CF44F2-9EDA-4EED-B40D-1907AF46DACA} - c:\documents and settings\zyth\local settings\application data\{11cf44f2-9eda-4eed-b40d-1907af46daca}\
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S0 eglgqtxo;eglgqtxo;c:\windows\system32\drivers\eglgqtxo.sys [2010-7-27 0]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]

=============== Created Last 30 ================

2010-07-29 00:18:57 26 ----a-w- c:\documents and settings\zyth\defogger_reenable
2010-07-28 21:58:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 21:58:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 05:44:07 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 21:38:41 150 ----a-w- C:\zrpt.xml
2010-07-27 18:32:18 0 ----a-w- c:\windows\system32\drivers\eglgqtxo.sys
2010-07-27 05:13:35 1496 ----a-w- c:\windows\lsrslt.ini
2010-07-27 03:17:16 510 ----a-w- c:\windows\wininit.ini
2010-07-27 03:13:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 02:49:28 120 ----a-w- c:\windows\Gqayihut.dat
2010-07-27 02:49:28 0 ----a-w- c:\windows\Uqunupunepub.bin
2010-06-29 20:54:53 208887 ----a-w- c:\windows\system32\oodbs.lor
2010-06-29 05:51:13 0 d-----w- c:\windows\system32\oodag
2010-06-29 05:48:02 0 d-----w- c:\program files\OO Software

==================== Find3M ====================

2008-08-25 23:50:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

Edited by whatiamigonnado, 28 July 2010 - 09:05 PM.
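As an added example (not from this thread or any of its participants), a small Python triage of the DDS sections above: it parses the SERVICES / DRIVERS and Created Last 30 lines and ranks the entries a responder would question first, using the onset date of 27 July stated in the post. The sample text is constructed from the log above and trimmed; the three heuristics (zero-byte driver image, file dated on or after the incident, boot-start driver with no descriptive display name, new zero-byte or c:\windows root files) are assumptions for illustration, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample: the SERVICES / DRIVERS and "Created Last 30" entries
# copied from the DDS log posted above, trimmed to the lines that matter.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S0 eglgqtxo;eglgqtxo;c:\windows\system32\drivers\eglgqtxo.sys [2010-7-27 0]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]

=============== Created Last 30 ================

2010-07-28 21:58:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-27 18:32:18 0 ----a-w- c:\windows\system32\drivers\eglgqtxo.sys
2010-07-27 02:49:28 120 ----a-w- c:\windows\Gqayihut.dat
2010-07-27 02:49:28 0 ----a-w- c:\windows\Uqunupunepub.bin
2010-06-29 05:48:02 0 d-----w- c:\program files\OO Software
"""

# DDS driver line: <R|S><start> <service>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; start 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
# DDS "Created Last 30" line: <date> <time> <size> <attributes> <path>
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)


def _parse(text, regex):
    """Return one dict per line matching regex, with date and size typed."""
    rows = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["date"] = datetime.strptime(row["date"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def driver_findings(driver, incident):
    """Reasons a driver entry deserves a second look; empty list means none."""
    reasons = []
    if driver["size"] == 0:
        reasons.append("zero-byte driver image (cannot be a real loadable driver)")
    if driver["date"] >= incident:
        reasons.append("image file dated on or after the incident")
    if driver["start"] == "0" and driver["name"] == driver["desc"]:
        reasons.append("boot-start driver with no descriptive display name")
    return reasons


def triage_drivers(text, incident_date):
    """Drivers with at least one finding, strongest (most reasons) first."""
    incident = datetime.strptime(incident_date, "%Y-%m-%d").date()
    hits = []
    for d in _parse(text, DRIVER_RE):
        reasons = driver_findings(d, incident)
        if reasons:
            hits.append((d["name"], reasons))
    return sorted(hits, key=lambda h: -len(h[1]))


def suspicious_new_files(text, incident_date):
    """Files created on/after the incident that are zero-byte or dropped straight
    into the Windows directory root; directories are skipped. Heuristic only."""
    incident = datetime.strptime(incident_date, "%Y-%m-%d").date()
    hits = []
    for f in _parse(text, CREATED_RE):
        if f["date"] < incident or f["attrs"].startswith("d"):
            continue
        parent = f["path"].lower().rsplit("\\", 1)[0]
        if f["size"] == 0 or parent == r"c:\windows":
            hits.append(f["path"])
    return hits


if __name__ == "__main__":
    for name, reasons in triage_drivers(SAMPLE_DDS, "2010-07-27"):
        print(f"{name}: {'; '.join(reasons)}")
    for path in suspicious_new_files(SAMPLE_DDS, "2010-07-27"):
        print("new file:", path)
```

On the sample, eglgqtxo trips all three driver checks while d346bus (a known CD emulation bus driver) trips only the boot-start one, which is why the output is ranked rather than a yes/no list.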


#2 Blade81

Malware Response Team

Posted 07 August 2010 - 10:54 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 whatiamigonnado


Posted 07 August 2010 - 05:42 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by zyth at 18:38:28,26 on 2010-08-07
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1650 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\zyth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\zyth\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219706506437
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zyth\applic~1\mozilla\firefox\profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\octoshape streaming services\zyth\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - HiddenExtension: XULRunner: {11CF44F2-9EDA-4EED-B40D-1907AF46DACA} - c:\documents and settings\zyth\local settings\application data\{11cf44f2-9eda-4eed-b40d-1907af46daca}\
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S0 eglgqtxo;eglgqtxo;c:\windows\system32\drivers\eglgqtxo.sys [2010-7-27 0]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]

=============== Created Last 30 ================

2010-07-29 01:53:35 0 d-sha-r- C:\Autorun.inf
2010-07-29 01:45:03 0 d-----w- C:\UsbFix
2010-07-29 00:18:57 26 ----a-w- c:\documents and settings\zyth\defogger_reenable
2010-07-28 21:58:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 21:58:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 05:44:07 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 21:38:41 150 ----a-w- C:\zrpt.xml
2010-07-27 18:32:18 0 ----a-w- c:\windows\system32\drivers\eglgqtxo.sys
2010-07-27 05:13:35 1496 ----a-w- c:\windows\lsrslt.ini
2010-07-27 03:17:16 510 ----a-w- c:\windows\wininit.ini
2010-07-27 03:13:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 02:49:28 120 ----a-w- c:\windows\Gqayihut.dat
2010-07-27 02:49:28 0 ----a-w- c:\windows\Uqunupunepub.bin

==================== Find3M ====================

2008-08-25 23:50:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 18:39:19,81 ===============

#4 Blade81


Posted 08 August 2010 - 12:42 AM

Hi,

uTorrent

The above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and any others if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 whatiamigonnado


Posted 08 August 2010 - 03:48 AM

ComboFix found a rootkit and rebooted the system. It also deleted some files listed in the log.


ComboFix 10-08-07.01 - zyth 2010-08-08 4:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1709 [GMT -4:00]
Running from: c:\documents and settings\zyth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\zyth\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\zyth\Local Settings\Application Data\{11CF44F2-9EDA-4EED-B40D-1907AF46DACA}
c:\documents and settings\zyth\Local Settings\Application Data\{11CF44F2-9EDA-4EED-B40D-1907AF46DACA}\chrome.manifest
c:\documents and settings\zyth\Local Settings\Application Data\{11CF44F2-9EDA-4EED-B40D-1907AF46DACA}\chrome\content\_cfg.js
c:\documents and settings\zyth\Local Settings\Application Data\{11CF44F2-9EDA-4EED-B40D-1907AF46DACA}\chrome\content\overlay.xul
c:\documents and settings\zyth\Local Settings\Application Data\{11CF44F2-9EDA-4EED-B40D-1907AF46DACA}\install.rdf
c:\windows\daemon.dll
c:\windows\system32\driVERs\eglgqtxo.sys
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_eglgqtxo
-------\Service_eglgqtxo


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-07-29 02:07 . 2010-07-29 02:07 61440 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-sse.dll
2010-07-29 02:07 . 2010-07-29 02:07 503808 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcp71.dll
2010-07-29 02:07 . 2010-07-29 02:07 499712 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\jmc.dll
2010-07-29 02:07 . 2010-07-29 02:07 348160 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcr71.dll
2010-07-29 02:07 . 2010-07-29 02:07 12800 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-d3d.dll
2010-07-29 01:45 . 2010-07-29 01:49 -------- d-----w- C:\UsbFix
2010-07-28 21:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58 . 2010-07-28 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 21:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 20:00 . 2010-07-28 20:00 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-28 05:44 . 2010-07-28 05:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23 . 2010-07-28 03:23 503808 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcp71.dll
2010-07-28 03:23 . 2010-07-28 03:23 499712 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\jmc.dll
2010-07-28 03:23 . 2010-07-28 03:23 61440 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-sse.dll
2010-07-28 03:23 . 2010-07-28 03:23 348160 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcr71.dll
2010-07-28 03:23 . 2010-07-28 03:23 12800 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-d3d.dll
2010-07-28 03:23 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 03:13 . 2010-07-27 07:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 02:49 . 2010-07-27 02:49 120 ----a-w- c:\windows\Gqayihut.dat
2010-07-27 02:49 . 2010-07-27 02:49 0 ----a-w- c:\windows\Uqunupunepub.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 08:25 . 2010-06-28 23:48 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-07-28 21:39 . 2007-10-24 01:16 -------- d-----w- c:\documents and settings\zyth\Application Data\uTorrent
2010-07-28 20:28 . 2009-08-06 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-28 03:23 . 2007-12-27 04:28 -------- d-----w- c:\program files\Java
2010-07-27 02:53 . 2007-10-21 22:58 -------- d-----w- c:\program files\mIRC
2010-06-30 04:48 . 2009-08-18 22:22 2568656 ----a-w- c:\documents and settings\zyth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-06-29 05:48 . 2010-06-29 05:48 -------- d-----w- c:\program files\OO Software
2010-06-21 03:41 . 2008-11-30 19:37 -------- d-----w- c:\program files\Messenger Plus! Live
2010-05-14 21:44 . 2010-05-14 21:44 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 06:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-3 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^zyth^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\zyth\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 16:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-13 02:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2009-09-12 04:34 2524416 ----a-w- c:\program files\OO Software\Defrag\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"f:\\Quake III Arena\\quake3.exe"=
"f:\\Quake III Arena\\cnq3.exe"=
"c:\\Documents and Settings\\zyth\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\zyth\\OctoshapeClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-725345543-1003Core1cb17949d487a04.job
- c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-11 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\zyth\Application Data\Mozilla\Firefox\Profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Octoshape Streaming Services\zyth\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-A00F62F1248F - c:\docume~1\zyth\LOCALS~1\Temp\_A00F62F1248F.exe
MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\zyth\LOCALS~1\Temp\avp.exe
MSConfigStartUp-mcexecwin - c:\docume~1\zyth\LOCALS~1\Temp\hyx47fv.dll
MSConfigStartUp-MChk - c:\windows\system32\rkwsp.exe
MSConfigStartUp-Nlojijokiqovabup - c:\windows\oqinesan.dll
MSConfigStartUp-releaseversion70700 - c:\documents and settings\zyth\Application Data\15A8F9440A58FB558BC8FE7DD7C596AE\releaseversion70700.exe
MSConfigStartUp-sta - ekwsp.dll
MSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\zyth\LOCALS~1\Temp\ucye3.exe
MSConfigStartUp-Vgimof - c:\windows\mgrodliz.dll
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-StarCraft II Beta - c:\program files\Common Files\Blizzard Entertainment\StarCraft II Beta (3)\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 04:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A769EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba758cb8
\Driver\atapi -> 0x8a537ae8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba5f6bb0
PacketIndicateHandler -> NDIS.sys @ 0xba5e5a0d
SendHandler -> NDIS.sys @ 0xba5f9b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|•€|•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(1840)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-08-08 04:30:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 08:30

Pre-Run: 14772572160 bytes free
Post-Run: 15688908800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F2E73FFE2E29E3FB7620952C1291C224


DDS (Ver_10-03-17.01) - NTFSx86
Run by zyth at 4:40:31,95 on 2010-08-08
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\zyth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\zyth\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219706506437
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zyth\applic~1\mozilla\firefox\profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]

=============== Created Last 30 ================

2010-08-08 08:12:44 0 d-sha-r- C:\cmdcons
2010-08-08 08:09:53 98816 ----a-w- c:\windows\sed.exe
2010-08-08 08:09:53 77312 ----a-w- c:\windows\MBR.exe
2010-08-08 08:09:53 256512 ----a-w- c:\windows\PEV.exe
2010-08-08 08:09:53 161792 ----a-w- c:\windows\SWREG.exe
2010-07-29 01:53:35 0 d---a-r- C:\Autorun.inf
2010-07-29 01:45:03 0 d-----w- C:\UsbFix
2010-07-29 00:18:57 26 ----a-w- c:\documents and settings\zyth\defogger_reenable
2010-07-28 21:58:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 21:58:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 05:44:07 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 05:13:35 1496 ----a-w- c:\windows\lsrslt.ini
2010-07-27 03:17:16 510 ----a-w- c:\windows\wininit.ini
2010-07-27 03:13:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 02:49:28 120 ----a-w- c:\windows\Gqayihut.dat
2010-07-27 02:49:28 0 ----a-w- c:\windows\Uqunupunepub.bin

==================== Find3M ====================

2008-08-25 23:50:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 4:41:23,10 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2005-05-07 11:24:05
System Uptime: 2010-08-08 04:23:47 (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel Core™2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2666/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 29 GiB total, 14,654 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 32,21 GiB free.
E: is FIXED (NTFS) - 20 GiB total, 0,887 GiB free.
F: is FIXED (NTFS) - 20 GiB total, 18,088 GiB free.
G: is FIXED (NTFS) - 20 GiB total, 7,48 GiB free.
H: is CDROM ()
I: is CDROM ()
N: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Service:

==== System Restore Points ===================

RP1: 2010-08-08 03:59:19 - System Checkpoint

==== Installed Programs ======================


µTorrent
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Audition 3.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Production Premium
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 8.2.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Software Update
ASUS WLAN Card Utilities/Driver
AutoReussite
Blue Coat K9 Web Protection 4.0.296
CDDRV_Installer
Combined Community Codec Pack 2008-09-21 16:18
Connect
Creative Audio Console
DivX Web Player
EViews 6
ffdshow [rev 1953] [2008-05-04]
FlashFXP v3
Google Chrome
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java Auto Updater
Java™ 6 Update 21
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
KhalInstallWrapper
kuler
Logitech SetPoint
Logitech Updater
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.6.2)
MSVCRT
MSXML 4.0 SP2 (KB936181)
Nero 8
neroxml
NVIDIA Drivers
O&O Defrag Professional
Octoshape Streaming Services
PDF Settings CS4
Photoshop Camera Raw
Pixel Bender Toolkit
PokerStars
Proxy Checker v7
Quake III Arena
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Segoe UI
Skype™ 4.1
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Starcraft
Suite Shared Configuration CS4
TypingMaster Pro
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Usbfix By C_XX & El Desaparecido
Ventrilo Client
VLC media player 0.9.9
WebFldrs XP
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
xp-AntiSpy 3.96-8

==== Event Viewer Messages From Past Week ========

2010-08-08 04:23:01, error: PlugPlayManager [11] - The device Root\LEGACY_EGLGQTXO\0000 disappeared from the system without first being prepared for removal.
2010-08-08 04:15:18, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

Edited by whatiamigonnado, 08 August 2010 - 04:19 AM.


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:45 AM

Posted 09 August 2010 - 04:53 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\Gqayihut.dat
c:\windows\Uqunupunepub.bin



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall these old Javas:
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7



Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Does the redirecting still occur?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
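
The "uninstall these old Javas" step above comes up in nearly every thread of this kind: each stale JRE left in Add/Remove Programs is a separately exploitable runtime. As an added example (not part of this thread and not one of the tools the helper names), here is a small Python check that parses an installed-programs list in the format shown earlier in the log and reports every JRE entry that is not the newest one installed. The sample lines are constructed from the entries visible in the log; the entry format it matches ("Java(TM) 6 Update N") is the Add/Remove Programs display name, so any other naming would need the pattern extended.

```python
import re

# Add/Remove Programs display names as they appear in DDS/ComboFix logs,
# e.g. "Java(TM) 6 Update 21" or "Java\u2122 6 Update 3". Captures (major, update).
JAVA_RE = re.compile(
    r"^Java(?:\(TM\)|\u2122)?\s+(\d+)\s+Update\s+(\d+)\s*$", re.IGNORECASE
)

# Constructed sample, copied from the installed-programs section of the log above.
SAMPLE_INSTALLED = """\
Hotfix for Windows XP (KB952287)
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KhalInstallWrapper
""".splitlines()


def parse_java_entries(lines):
    """Return [(major, update, display_name), ...] for every JRE entry found.

    Lines such as "Java Auto Updater" do not match and are ignored.
    """
    found = []
    for line in lines:
        m = JAVA_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), int(m.group(2)), line.strip()))
    return found


def newest_java(lines):
    """Display name of the highest (major, update) JRE, or None if there is none."""
    entries = parse_java_entries(lines)
    if not entries:
        return None
    return max(entries, key=lambda e: (e[0], e[1]))[2]


def stale_java_entries(lines):
    """Display names of every JRE that is not the newest one installed.

    Every older JRE is treated as stale, including older major versions:
    a Java 6 runtime beside a Java 7 runtime is still a live attack surface,
    so it is listed for removal rather than kept as a separate "latest".
    Result order follows the input list so it can be pasted back as a to-do.
    """
    entries = parse_java_entries(lines)
    if not entries:
        return []
    newest = max(entries, key=lambda e: (e[0], e[1]))
    return [e[2] for e in entries if (e[0], e[1]) != (newest[0], newest[1])]


if __name__ == "__main__":
    print("newest:", newest_java(SAMPLE_INSTALLED))
    for name in stale_java_entries(SAMPLE_INSTALLED):
        print("uninstall:", name)
```

Run it against the "Installed Programs" section pasted out of a DDS attach.txt; the three lines it prints for the sample are exactly the three the helper asked to be removed.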


#7 whatiamigonnado

whatiamigonnado
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:02:45 AM

Posted 09 August 2010 - 11:40 PM

1. ComboFix said it found a rootkit and rebooted like it did the first time.
2. After some browsing with Firefox, some random spam tab opened, confirming that the threat was still present.
3. During the Kaspersky scan, the Generic Host Process reported an error and had to be closed.
4. After 5 hours, I stopped the scan. It had finished scanning my primary system drive (C:\), but the scan was "hanging" (taking a very long time to scan some compressed .rar files on my D:\ drive). I thought it would be more useful to post what it had found up to that point and let it scan during the rest of the night.
5. After the scan, I noticed that Internet Explorer would not open. I tried to reboot, but the system hung. I had to do it manually.
6. After the reboot, Internet Explorer worked. The Google result redirect still occurred.
7. After the DDS scan and this post, I intend to restart the Kaspersky scan and let it run during the rest of the night.

PS I still cannot make a post on this forum from my infected computer.


ComboFix 10-08-07.01 - zyth 2010-08-09 18:04:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1708 [GMT -4:00]
Running from: c:\documents and settings\zyth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\zyth\Desktop\CFScript.txt

FILE ::
"c:\windows\Gqayihut.dat"
"c:\windows\Uqunupunepub.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gqayihut.dat
c:\windows\Uqunupunepub.bin

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-07-29 02:07 . 2010-07-29 02:07 61440 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-sse.dll
2010-07-29 02:07 . 2010-07-29 02:07 503808 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcp71.dll
2010-07-29 02:07 . 2010-07-29 02:07 499712 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\jmc.dll
2010-07-29 02:07 . 2010-07-29 02:07 348160 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcr71.dll
2010-07-29 02:07 . 2010-07-29 02:07 12800 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-d3d.dll
2010-07-29 01:45 . 2010-07-29 01:49 -------- d-----w- C:\UsbFix
2010-07-28 21:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58 . 2010-07-28 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 21:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 20:00 . 2010-07-28 20:00 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-28 05:44 . 2010-07-28 05:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23 . 2010-07-28 03:23 503808 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcp71.dll
2010-07-28 03:23 . 2010-07-28 03:23 499712 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\jmc.dll
2010-07-28 03:23 . 2010-07-28 03:23 61440 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-sse.dll
2010-07-28 03:23 . 2010-07-28 03:23 348160 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcr71.dll
2010-07-28 03:23 . 2010-07-28 03:23 12800 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-d3d.dll
2010-07-28 03:23 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 03:13 . 2010-07-27 07:58 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 22:11 . 2010-06-28 23:48 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-07-28 21:39 . 2007-10-24 01:16 -------- d-----w- c:\documents and settings\zyth\Application Data\uTorrent
2010-07-28 20:28 . 2009-08-06 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-28 03:23 . 2007-12-27 04:28 -------- d-----w- c:\program files\Java
2010-07-27 02:53 . 2007-10-21 22:58 -------- d-----w- c:\program files\mIRC
2010-06-30 04:48 . 2009-08-18 22:22 2568656 ----a-w- c:\documents and settings\zyth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-06-29 05:48 . 2010-06-29 05:48 -------- d-----w- c:\program files\OO Software
2010-06-21 03:41 . 2008-11-30 19:37 -------- d-----w- c:\program files\Messenger Plus! Live
2010-05-14 21:44 . 2010-05-14 21:44 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 10:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-08_08.26.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-09 22:10 . 2010-08-09 22:10 16384 c:\windows\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-3 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^zyth^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\zyth\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 16:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-13 02:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2009-09-12 04:34 2524416 ----a-w- c:\program files\OO Software\Defrag\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"f:\\Quake III Arena\\quake3.exe"=
"f:\\Quake III Arena\\cnq3.exe"=
"c:\\Documents and Settings\\zyth\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\zyth\\OctoshapeClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-725345543-1003Core1cb17949d487a04.job
- c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-11 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\zyth\Application Data\Mozilla\Firefox\Profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A731EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba758cb8
\Driver\atapi -> 0x8a565e68
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba5f6bb0
PacketIndicateHandler -> NDIS.sys @ 0xba5e5a0d
SendHandler -> NDIS.sys @ 0xba5f9b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|•€|•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2948)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-08-09 18:16:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 22:15

Pre-Run: 15 715 262 464 bytes free
Post-Run: 15 703 375 872 bytes free

- - End Of File - - 0F62511A6FDFE9BBFDAA1DCFB122070C


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 10, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 09, 2010 19:33:07
Records in database: 4130570
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
N:\

Scan statistics:
Objects scanned: 93191
Threats found: 17
Infected objects found: 44
Suspicious objects found: 0
Scan duration: 05:17:11


File name / Threat / Threats count
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\19\78433853-68f2adaf Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\26\3685711a-26c776ad Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-7d16a5dc Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\40\3cc6fde8-3983095c Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386 Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\61\14833d-3296200b Infected: Trojan-Downloader.Java.Agent.ao 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09 Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-41f9683b Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\23\1860b57-63753377 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1e4cb9d1 Infected: Exploit.Java.Agent.bu 2
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\29\455eb21d-3dd871b0 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\1beddeeb-603525bb Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\62b0f66b-34606119 Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0 Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan.Java.ClassLoader.au 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan-Downloader.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\5\6a183b45-78dc7b9e Infected: Exploit.Java.Agent.bu 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-68ae9541 Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\58\d552d7a-4c974028 Infected: Exploit.Java.Agent.bu 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-14dde2de Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\6\7943cc6-64bb05bc Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\60\38bc557c-642994c4 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\7\5a014607-72596a85 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
D:\Incoming\Demobuilder5-1\db.exe Infected: Trojan.Win32.Agent.arlq 1
D:\Incoming\Demobuilder5-1\pio-Demo[1].Builder.5.10-crkexe.zip Infected: Trojan.Win32.Agent.arlq 1
D:\Incoming\Demobuilder5-1.zip Infected: Trojan.Win32.Agent.arlq 1

Scanning stopped by the user.



DDS (Ver_10-03-17.01) - NTFSx86
Run by zyth at 0:18:07,87 on 2010-08-10
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1665 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Documents and Settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\zyth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\zyth\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219706506437
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zyth\applic~1\mozilla\firefox\profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\octoshape streaming services\zyth\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]

=============== Created Last 30 ================

2010-08-08 08:12:44 0 d-sha-r- C:\cmdcons
2010-08-08 08:09:53 98816 ----a-w- c:\windows\sed.exe
2010-08-08 08:09:53 77312 ----a-w- c:\windows\MBR.exe
2010-08-08 08:09:53 256512 ----a-w- c:\windows\PEV.exe
2010-08-08 08:09:53 161792 ----a-w- c:\windows\SWREG.exe
2010-07-29 01:53:35 0 d---a-r- C:\Autorun.inf
2010-07-29 01:45:03 0 d-----w- C:\UsbFix
2010-07-29 00:18:57 26 ----a-w- c:\documents and settings\zyth\defogger_reenable
2010-07-28 21:58:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 21:58:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 05:44:07 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 05:13:35 1496 ----a-w- c:\windows\lsrslt.ini
2010-07-27 03:17:16 510 ----a-w- c:\windows\wininit.ini
2010-07-27 03:13:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2008-08-25 23:50:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 0:19:06,98 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2005-05-07 11:24:05
System Uptime: 2010-08-10 00:15:53 (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2666/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 29 GiB total, 14,655 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 32,21 GiB free.
E: is FIXED (NTFS) - 20 GiB total, 0,887 GiB free.
F: is FIXED (NTFS) - 20 GiB total, 18,088 GiB free.
G: is FIXED (NTFS) - 20 GiB total, 7,48 GiB free.
H: is CDROM ()
I: is CDROM ()
N: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1458E601&REV_1000\4&808A433&0&0201
Service:

==== System Restore Points ===================

RP1: 2010-08-08 03:59:19 - System Checkpoint
RP2: 2010-08-09 18:26:27 - Removed Java™ 6 Update 3
RP3: 2010-08-09 18:26:52 - Removed Java™ 6 Update 5
RP4: 2010-08-09 18:27:40 - Removed Java™ 6 Update 7

==== Installed Programs ======================


µTorrent
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Audition 3.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Production Premium
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 8.2.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Software Update
ASUS WLAN Card Utilities/Driver
AutoReussite
Blue Coat K9 Web Protection 4.0.296
CDDRV_Installer
Combined Community Codec Pack 2008-09-21 16:18
Connect
Creative Audio Console
DivX Web Player
EViews 6
ffdshow [rev 1953] [2008-05-04]
FlashFXP v3
Google Chrome
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java Auto Updater
Java™ 6 Update 21
KhalInstallWrapper
kuler
Logitech SetPoint
Logitech Updater
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.6.2)
MSVCRT
MSXML 4.0 SP2 (KB936181)
Nero 8
neroxml
NVIDIA Drivers
O&O Defrag Professional
Octoshape Streaming Services
PDF Settings CS4
Photoshop Camera Raw
Pixel Bender Toolkit
PokerStars
Proxy Checker v7
Quake III Arena
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Segoe UI
Skype™ 4.1
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Starcraft
Suite Shared Configuration CS4
TypingMaster Pro
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Usbfix By C_XX & El Desaparecido
Ventrilo Client
VLC media player 0.9.9
WebFldrs XP
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
xp-AntiSpy 3.96-8

==== Event Viewer Messages From Past Week ========

2010-08-08 04:23:01, error: PlugPlayManager [11] - The device Root\LEGACY_EGLGQTXO\0000 disappeared from the system without first being prepared for removal.
2010-08-08 04:15:18, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

Edited by whatiamigonnado, 09 August 2010 - 11:45 PM.
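One detail in the DDS log above is worth a closer look before the scanner results arrive: four Firefox extensions are listed as "HiddenExtension ... No Registry Reference" in the program-wide extensions folder. Three carry Sun's fixed Java Console ID pattern (the same {CAFEEFAC-0016-0000-00xx-ABCDEFFEDCBA} form as the Java DPF entries, with the JRE update number in the fourth group). The fourth, {1CE11043-9A15-4207-A565-0C94C42D590D}, calls itself "Adobe Flash Plugin", although Flash for Firefox ships as an NPAPI plugin DLL rather than an XPI extension; the Kaspersky report posted later in this thread flags plug.xul inside that very directory as Trojan-Spy.JS.Agent.a. The script below is an added example, not code from this thread or from the DDS tool: it parses those lines, applies the checks a responder would apply by hand, and joins them against scanner hits. The sample input is copied from the thread; the function names and the `installed_java_update` argument are this example's own.

```python
import re

# "FF - HiddenExtension" lines copied from the DDS log above (page data, not constructed).
DDS_SAMPLE = r"""
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
"""

# Detection line copied from the Kaspersky report posted later in this thread (page data, not constructed).
SCANNER_SAMPLE = r"""
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
"""

HIDDEN_RE = re.compile(r"^FF - HiddenExtension: (?P<name>.+?): (?P<note>.+?) - (?P<path>.+?)\s*$")
# Sun's Java Console extension IDs are fixed except for the JRE update number in the fourth group.
JAVA_CONSOLE_RE = re.compile(r"\{CAFEEFAC-0016-0000-00(?P<upd>\d{2})-ABCDEFFEDCBA\}$", re.I)
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) \d+$")


def parse_scanner_hits(text):
    """(lower-cased path, threat name) for every 'Infected:' line of a Kaspersky report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path").lower(), m.group("threat")))
    return hits


def audit_hidden_extensions(dds_text, scanner_text, installed_java_update):
    """One entry per HiddenExtension line, with the reasons (if any) a responder would question it."""
    hits = parse_scanner_hits(scanner_text)
    report = []
    for line in dds_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        name, note, path = m.group("name"), m.group("note"), m.group("path")
        reasons = []
        jc = JAVA_CONSOLE_RE.search(path)
        if jc:
            # Sun's own extension: only worth noting when it belongs to a JRE update no longer installed.
            upd = int(jc.group("upd"))
            if upd != installed_java_update:
                reasons.append(f"leftover Java Console for Update {upd} "
                               f"(installed JRE is Update {installed_java_update})")
        else:
            if "no registry reference" in note.lower():
                reasons.append("sits in the program-wide extensions folder with no installer record")
            if "plugin" in name.lower():
                reasons.append("named as a plugin, but NPAPI plugins are DLLs in a plugins folder, "
                               "not XPI extensions")
        # Join against scanner output: any detection inside this extension's directory.
        for hit_path, threat in hits:
            if hit_path.startswith(path.lower() + "\\"):
                reasons.append(f"scanner detection {threat} inside this extension: {hit_path}")
        report.append({"name": name, "path": path, "reasons": reasons})
    return report


def flagged(report):
    """Entries that carry at least one reason."""
    return [r for r in report if r["reasons"]]


if __name__ == "__main__":
    for entry in flagged(audit_hidden_extensions(DDS_SAMPLE, SCANNER_SAMPLE, installed_java_update=21)):
        print(entry["name"], "->", entry["path"])
        for why in entry["reasons"]:
            print("   -", why)
```

With the installed JRE set to Update 21 (the version in the Installed Programs list), the two older Java Console entries come out as harmless leftovers, the current one is clean, and the "Adobe Flash Plugin" entry collects all three reasons. The join on directory prefix is the useful part: it ties a vague DDS line to a concrete scanner verdict without trusting the extension's own name.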


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 10 August 2010 - 01:45 AM

Hi,

QUOTE
After the DDS scan and this post, I intend to restart the Kaspersky scan and let it run during the rest of the night.

Ok. After that please run ComboFix and let it update itself. Post back the report.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant for the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
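The ComboFix report that is asked for here, and posted in the next reply, is the interesting kind: its Sigcheck section shows every backup copy of atapi.sys hashing cleanly while the live copy in system32\drivers cannot even be opened, and the Gmer MBR section shows \Driver\atapi dispatching to a bare kernel address that belongs to no named module. That pairing is how a TDL3-class infection of atapi.sys looks to these tools, and it is what ComboFix's own "Rootkit !! TDL3 / Service: atapi" dialog refers to. The script below is an added example, not code from ComboFix, Gmer or this thread: it parses those two sections (sample lines copied from the report that follows) and turns them into findings. The function names are this example's own.

```python
import re

# Sigcheck lines copied from the ComboFix report posted in this thread (page data, not constructed).
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 14:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
"""

# Gmer MBR-detector lines copied from the same report (page data, not constructed).
MBR_SAMPLE = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A73AEC5]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba758cb8
\Driver\atapi -> 0x8a5872d8
"""

# One Sigcheck row: [flag] date[ time] . MD5-or-error . size . . [version] . . path
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<stamp>\S+(?: \S+)?)\s+\.\s+(?P<hash>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
HOOK_RE = re.compile(r"^\\Driver\\(?P<drv>\w+)\s+->\s+(?P<target>.+?)\s*$")
BARE_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_sigcheck(text):
    """One dict per Sigcheck row; hash/version are None when ComboFix could not read them."""
    rows = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["hash"] = None if d["hash"].startswith("!HASH") else d["hash"].upper()
        d["size"] = int(d["size"])
        d["version"] = tuple(int(x) for x in d["ver"].split(".")) if d["ver"][:1].isdigit() else None
        d["live"] = "\\system32\\drivers\\" in d["path"].lower()   # the copy Windows actually loads
        rows.append(d)
    return rows


def check_driver(rows):
    """Compare the loaded driver with its backup copies; an unreadable live copy is the TDL3 tell."""
    findings = []
    live = next((r for r in rows if r["live"]), None)
    if live is None:
        return ["no copy under system32\\drivers in this Sigcheck block"]
    name = live["path"].rsplit("\\", 1)[-1]
    # The highest-versioned readable copy (here the ServicePackFiles one) is the reference.
    ref = max((r for r in rows if r["version"]), key=lambda r: r["version"], default=None)
    if live["hash"] is None:
        findings.append(f"{name}: loaded driver could not be hashed (read blocked or file hidden)")
    if live["version"] is None:
        findings.append(f"{name}: loaded driver has no readable version resource")
    if ref and live["size"] != ref["size"]:
        findings.append(f"{name}: loaded size {live['size']} differs from service-pack copy "
                        f"{ref['size']} ({ref['ver']})")
    peers = {r["hash"] for r in rows if r["hash"] and r is not live and r["version"] == live["version"]}
    if live["hash"] and peers and live["hash"] not in peers:
        findings.append(f"{name}: loaded hash differs from other copies of version {live['ver']}")
    return findings


def check_mbr_hooks(text):
    """Flag disk-path dispatch routines that resolve to no loaded module."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:") and ">>UNKNOWN" in line:
            findings.append("disk I/O call chain enters code owned by no module: "
                            + line.split(">>", 1)[1].rstrip("<"))
        m = HOOK_RE.match(line)
        if m and BARE_ADDR_RE.match(m.group("target")):
            findings.append(f"\\Driver\\{m.group('drv')} dispatch points to bare address "
                            f"{m.group('target')} (not inside any named driver)")
    return findings


def triage(sig_text, mbr_text):
    """All findings from both sections, in report order."""
    return check_driver(parse_sigcheck(sig_text)) + check_mbr_hooks(mbr_text)


if __name__ == "__main__":
    for f in triage(SIGCHECK_SAMPLE, MBR_SAMPLE):
        print("!!", f)
```

On the sample lines this yields five findings: the loaded atapi.sys cannot be hashed and has no version resource, its size matches the 2004 SP2 copies rather than the SP3 copy in ServicePackFiles, the disk call chain passes through an address no module owns, and \Driver\atapi dispatches to a bare address. None of these is conclusive alone (a locked file or an unusual storage filter can produce one of them), but all of them together on a disk miniport driver, on a machine with the redirect symptom, is the pattern the responders in this thread are looking for. The same parser works on any Sigcheck block, so it can be pointed at other drivers ComboFix lists.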


#9 whatiamigonnado

whatiamigonnado
  • Topic Starter

  • Members
  • 17 posts

Posted 10 August 2010 - 07:14 PM

Hi,

After running ComboFix, a dialog box opened saying something along the lines of:

Rootkit !! TDL3
Rootkit activity persists. Have to attempt other methods.
and recommending that I write down the following information:

Service: atapi
File: C:\WINDOWS\system32\DRIVERS\atapi.sys

The Google result redirect is still occurring.
Also, here are the Kaspersky and ComboFix logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 10, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 09, 2010 19:33:07
Records in database: 4130570
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 108919
Threats found: 17
Infected objects found: 44
Suspicious objects found: 0
Scan duration: 17:44:38


File name / Threat / Threats count
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\19\78433853-68f2adaf Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\26\3685711a-26c776ad Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-7d16a5dc Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\40\3cc6fde8-3983095c Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386 Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\61\14833d-3296200b Infected: Trojan-Downloader.Java.Agent.ao 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09 Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-41f9683b Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\23\1860b57-63753377 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1e4cb9d1 Infected: Exploit.Java.Agent.bu 2
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\29\455eb21d-3dd871b0 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\1beddeeb-603525bb Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\62b0f66b-34606119 Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0 Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan-Downloader.Java.OpenConnection.ao 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan.Java.ClassLoader.au 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6 Infected: Trojan-Downloader.Java.Agent.a 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\5\6a183b45-78dc7b9e Infected: Exploit.Java.Agent.bu 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-68ae9541 Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\58\d552d7a-4c974028 Infected: Exploit.Java.Agent.bu 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-14dde2de Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\6\7943cc6-64bb05bc Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\60\38bc557c-642994c4 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\7\5a014607-72596a85 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
D:\Incoming\Demobuilder5-1\db.exe Infected: Trojan.Win32.Agent.arlq 1
D:\Incoming\Demobuilder5-1\pio-Demo[1].Builder.5.10-crkexe.zip Infected: Trojan.Win32.Agent.arlq 1
D:\Incoming\Demobuilder5-1.zip Infected: Trojan.Win32.Agent.arlq 1

Selected area has been scanned.


ComboFix 10-08-10.03 - zyth 2010-08-10 19:31:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1708 [GMT -4:00]
Running from: c:\documents and settings\zyth\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-07-29 02:07 . 2010-07-29 02:07 61440 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-sse.dll
2010-07-29 02:07 . 2010-07-29 02:07 503808 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcp71.dll
2010-07-29 02:07 . 2010-07-29 02:07 499712 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\jmc.dll
2010-07-29 02:07 . 2010-07-29 02:07 348160 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcr71.dll
2010-07-29 02:07 . 2010-07-29 02:07 12800 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-d3d.dll
2010-07-29 01:45 . 2010-07-29 01:49 -------- d-----w- C:\UsbFix
2010-07-28 21:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58 . 2010-07-28 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 21:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 20:00 . 2010-07-28 20:00 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-28 05:44 . 2010-07-28 05:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23 . 2010-07-28 03:23 503808 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcp71.dll
2010-07-28 03:23 . 2010-07-28 03:23 499712 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\jmc.dll
2010-07-28 03:23 . 2010-07-28 03:23 61440 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-sse.dll
2010-07-28 03:23 . 2010-07-28 03:23 348160 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcr71.dll
2010-07-28 03:23 . 2010-07-28 03:23 12800 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-d3d.dll
2010-07-28 03:23 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 03:13 . 2010-08-10 13:47 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 23:39 . 2010-06-28 23:48 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-08-09 22:27 . 2007-12-27 04:28 -------- d-----w- c:\program files\Java
2010-08-09 22:27 . 2007-12-27 04:28 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 21:39 . 2007-10-24 01:16 -------- d-----w- c:\documents and settings\zyth\Application Data\uTorrent
2010-07-28 20:28 . 2009-08-06 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-27 02:53 . 2007-10-21 22:58 -------- d-----w- c:\program files\mIRC
2010-06-30 04:48 . 2009-08-18 22:22 2568656 ----a-w- c:\documents and settings\zyth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-06-29 05:48 . 2010-06-29 05:48 -------- d-----w- c:\program files\OO Software
2010-06-21 03:41 . 2008-11-30 19:37 -------- d-----w- c:\program files\Messenger Plus! Live
2010-05-14 21:44 . 2010-05-14 21:44 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 14:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-08_08.26.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-10 23:38 . 2010-08-10 23:38 16384 c:\windows\Temp\Perflib_Perfdata_220.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-3 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^zyth^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\zyth\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 16:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-13 02:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2009-09-12 04:34 2524416 ----a-w- c:\program files\OO Software\Defrag\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"f:\\Quake III Arena\\quake3.exe"=
"f:\\Quake III Arena\\cnq3.exe"=
"c:\\Documents and Settings\\zyth\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\zyth\\OctoshapeClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-725345543-1003Core1cb17949d487a04.job
- c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-11 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\zyth\Application Data\Mozilla\Firefox\Profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Octoshape Streaming Services\zyth\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A73AEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba758cb8
\Driver\atapi -> 0x8a5872d8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba5f6bb0
PacketIndicateHandler -> NDIS.sys @ 0xba603a21
SendHandler -> NDIS.sys @ 0xba5e187b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3576)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-08-10 19:44:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 23:44

Pre-Run: 15701164032 bytes free
Post-Run: 15805599744 bytes free

- - End Of File - - CAA27BA489E54E8CE92D42A2B4283B6F


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:45 AM

Posted 10 August 2010 - 11:20 PM

Hi,

1. Download TDSSKiller and extract its contents into a folder in a location of your choice (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click "Start Scan". If threats are found, select Cure and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (the name should be in the UtilityName.Version_Date_Time_log.txt format).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#11 whatiamigonnado

whatiamigonnado
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:45 AM

Posted 11 August 2010 - 01:22 AM

Hi,
The scan found 2 threats:
1. The pci.sys one was already pre-selected as cure and I left it that way.
2. The atapi.sys one was pre-selected as skip, but the cure option was not available. I left it at skip.

2010/08/11 02:10:24.0921 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/11 02:10:24.0921 ================================================================================
2010/08/11 02:10:24.0921 SystemInfo:
2010/08/11 02:10:24.0921
2010/08/11 02:10:24.0921 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/11 02:10:24.0921 Product type: Workstation
2010/08/11 02:10:24.0921 ComputerName: GALADRIEL
2010/08/11 02:10:24.0921 UserName: zyth
2010/08/11 02:10:24.0921 Windows directory: C:\WINDOWS
2010/08/11 02:10:24.0921 System windows directory: C:\WINDOWS
2010/08/11 02:10:24.0921 Processor architecture: Intel x86
2010/08/11 02:10:24.0921 Number of processors: 2
2010/08/11 02:10:24.0921 Page size: 0x1000
2010/08/11 02:10:24.0921 Boot type: Normal boot
2010/08/11 02:10:24.0921 ================================================================================
2010/08/11 02:10:25.0640 Initialize success
2010/08/11 02:10:40.0687 ================================================================================
2010/08/11 02:10:40.0687 Scan started
2010/08/11 02:10:40.0687 Mode: Manual;
2010/08/11 02:10:40.0687 ================================================================================
2010/08/11 02:10:41.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/11 02:10:41.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/11 02:10:41.0265 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
2010/08/11 02:10:41.0343 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/11 02:10:41.0390 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/08/11 02:10:41.0406 AFD (e3049b90fe06f3f740b7cfda44995e2c) C:\WINDOWS\System32\drivers\afd.sys
2010/08/11 02:10:41.0500 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/11 02:10:41.0546 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/11 02:10:41.0578 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/11 02:10:41.0578 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: cdfe4411a69c224bd1d11b2da92dac51
2010/08/11 02:10:41.0578 atapi - detected Locked file (1)
2010/08/11 02:10:41.0625 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/11 02:10:41.0656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/11 02:10:41.0671 bckd (adafc83650d0aa190328e9f197da62ce) C:\WINDOWS\system32\drivers\bckd.sys
2010/08/11 02:10:41.0687 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/11 02:10:41.0718 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/11 02:10:41.0750 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/11 02:10:41.0765 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/11 02:10:41.0796 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/11 02:10:41.0890 ctac32k (fb06bb39860340c6fa84867f0288d1dd) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/08/11 02:10:41.0906 ctaud2k (b810fa12cf726b200e057834eaebb1ac) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/08/11 02:10:41.0953 ctdvda2k (c4333325d325efa668888d0d3177c6ff) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/08/11 02:10:41.0984 ctgame (bfc40092329cf4ab838cc4a6f2fad659) C:\WINDOWS\system32\DRIVERS\ctgame.sys
2010/08/11 02:10:42.0000 ctprxy2k (1fa95c8cf34b9911e352a07ea7a200fc) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/08/11 02:10:42.0015 ctsfm2k (400cb754b91f73bee2655686a57269d2) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/08/11 02:10:42.0046 d346bus (99159e3ef20a4792aefe4115e8ad0957) C:\WINDOWS\system32\DRIVERS\d346bus.sys
2010/08/11 02:10:42.0062 d346prt (fb228cd598b7686e98fbf7bfb55666eb) C:\WINDOWS\System32\Drivers\d346prt.sys
2010/08/11 02:10:42.0109 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/11 02:10:42.0156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/11 02:10:42.0187 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/11 02:10:42.0203 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/11 02:10:42.0234 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/11 02:10:42.0265 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/11 02:10:42.0296 emupia (7bb488ec082d40645936d9e583f560dc) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/08/11 02:10:42.0328 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/11 02:10:42.0343 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/11 02:10:42.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/11 02:10:42.0375 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/11 02:10:42.0390 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/11 02:10:42.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/11 02:10:42.0437 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/11 02:10:42.0453 GcKernel (72fe2bea6863d4eb93442a1c4fb5ca48) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
2010/08/11 02:10:42.0484 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/11 02:10:42.0531 ha10kx2k (9bb84b1dff8bce7fdddea746f6819fcf) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/08/11 02:10:42.0562 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2010/08/11 02:10:42.0578 hap16v2k (1418833169b29780fbdab127623b8767) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/08/11 02:10:42.0593 hap17v2k (8b3148391dc121d96d513785d588e75b) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/08/11 02:10:42.0625 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/11 02:10:42.0640 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
2010/08/11 02:10:42.0656 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/11 02:10:42.0718 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/11 02:10:42.0765 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/11 02:10:42.0765 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/11 02:10:42.0812 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/11 02:10:42.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/11 02:10:42.0843 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/11 02:10:42.0859 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/11 02:10:42.0890 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/11 02:10:42.0921 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/11 02:10:42.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/11 02:10:42.0937 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/11 02:10:42.0953 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/11 02:10:42.0968 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/11 02:10:42.0984 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/11 02:10:43.0015 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/11 02:10:43.0031 L8042Kbd (d88846f9f4f27ae9be584a6e5b6b8753) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2010/08/11 02:10:43.0062 LHidFilt (24e0ddb99aeccf86bb37702611761459) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/08/11 02:10:43.0078 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/08/11 02:10:43.0093 LUsbFilt (144011d14bd35f4e36136ae057b1aadd) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2010/08/11 02:10:43.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/11 02:10:43.0140 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/11 02:10:43.0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/11 02:10:43.0156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/11 02:10:43.0187 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/11 02:10:43.0234 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/11 02:10:43.0250 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/11 02:10:43.0281 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/11 02:10:43.0296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/11 02:10:43.0312 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/11 02:10:43.0328 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/11 02:10:43.0359 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/11 02:10:43.0375 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/11 02:10:43.0406 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/11 02:10:43.0421 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/11 02:10:43.0437 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/11 02:10:43.0453 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/11 02:10:43.0468 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/11 02:10:43.0484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/11 02:10:43.0515 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/11 02:10:43.0531 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/11 02:10:43.0546 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/11 02:10:43.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/11 02:10:43.0609 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/11 02:10:43.0781 nv (9f4384aa43548ddd438f7b7825d11699) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/11 02:10:43.0937 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/11 02:10:43.0953 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/11 02:10:43.0968 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/11 02:10:44.0000 ossrv (01e1ab8249f9dde5978c6b4af18eda7c) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/08/11 02:10:44.0015 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/11 02:10:44.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/11 02:10:44.0078 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/11 02:10:44.0109 PCI (08c21aa3cccf0fe00a131e8224e8d1e7) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/11 02:10:44.0109 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 08c21aa3cccf0fe00a131e8224e8d1e7, Fake md5: a219903ccf74233761d92bef471a07b1
2010/08/11 02:10:44.0109 PCI - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/11 02:10:44.0140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/11 02:10:44.0171 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/11 02:10:44.0265 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/11 02:10:44.0296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/11 02:10:44.0312 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/11 02:10:44.0328 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/11 02:10:44.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/11 02:10:44.0421 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/11 02:10:44.0437 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/11 02:10:44.0437 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/11 02:10:44.0468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/11 02:10:44.0484 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/11 02:10:44.0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/11 02:10:44.0515 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/11 02:10:44.0546 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/11 02:10:44.0578 RT73 (c7bcf9808e2a1b4cabe16ff7fbce5fab) C:\WINDOWS\system32\DRIVERS\rt73.sys
2010/08/11 02:10:44.0609 RTLE8023xp (b52b25f41bf3511071a0e7d10d659c56) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/08/11 02:10:44.0656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/11 02:10:44.0671 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/11 02:10:44.0703 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/11 02:10:44.0718 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/11 02:10:44.0765 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/11 02:10:44.0781 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/11 02:10:44.0812 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/11 02:10:44.0828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/11 02:10:44.0843 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/11 02:10:44.0906 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/11 02:10:44.0937 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/11 02:10:44.0984 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/11 02:10:45.0046 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/11 02:10:45.0062 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/11 02:10:45.0093 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/11 02:10:45.0140 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/11 02:10:45.0171 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/11 02:10:45.0187 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/11 02:10:45.0203 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/11 02:10:45.0218 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/11 02:10:45.0250 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/11 02:10:45.0265 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/11 02:10:45.0312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/11 02:10:45.0343 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/11 02:10:45.0359 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/11 02:10:45.0390 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/11 02:10:45.0421 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/11 02:10:45.0468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/11 02:10:45.0484 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/11 02:10:45.0500 ================================================================================
2010/08/11 02:10:45.0500 Scan finished
2010/08/11 02:10:45.0500 ================================================================================
2010/08/11 02:10:45.0500 Detected object count: 2
2010/08/11 02:13:17.0015 Locked file(atapi) - User select action: Skip
2010/08/11 02:13:17.0078 PCI (08c21aa3cccf0fe00a131e8224e8d1e7) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/11 02:13:17.0078 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 08c21aa3cccf0fe00a131e8224e8d1e7, Fake md5: a219903ccf74233761d92bef471a07b1
2010/08/11 02:13:17.0984 Backup copy found, using it..
2010/08/11 02:13:18.0000 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot
2010/08/11 02:13:18.0000 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure
2010/08/11 02:13:29.0609 Deinitialize success
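
As an added example (not code from the thread or from Kaspersky's TDSSKiller), a small parser for the log format above: it extracts the Forged/NoAccess findings, attaches the verdict and the action the user chose, and lists what was left unresolved, which in this thread is the locked atapi.sys. SAMPLE_LOG and its hash values are constructed to match the line shapes seen in the post, and the function names are hypothetical.

```python
"""Parse a TDSSKiller 2.4.x log and pull out what a responder needs to act on.

Added example, not code from the thread or from Kaspersky's tool: the regexes
follow the line shapes seen in the post, SAMPLE_LOG and its hashes are
constructed, and the function names are hypothetical.
"""
import re
from dataclasses import dataclass, field

_LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (.*)$")  # timestamp prefix
_DRIVER = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")  # "<service> (<md5>) <path>"
# Two read paths disagree on the file's bytes: something in the storage stack
# is serving a different pci.sys than the one on disk, which is how TDL3 hides.
_FORGED = re.compile(r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
# The file could not be opened at all; the tool offered only "skip" for it.
_NOACCESS = re.compile(r"^Suspicious file \(NoAccess\): (.+?)\. md5: ([0-9a-f]{32})$")
_DETECTED = re.compile(r"^(\S+) - detected (.+?) \((\d+)\)$")  # "<service> - detected <verdict> (<n>)"
_ACTION = re.compile(r"^(.+?)\((\w+)\) - User select action: (\w+)$")  # "<verdict>(<service>) - ... Cure|Skip"
_COUNT = re.compile(r"^Detected object count: (\d+)$")

@dataclass
class Finding:
    service: str
    path: str
    kind: str             # "Forged" or "NoAccess"
    verdict: str = ""     # e.g. "Rootkit.Win32.TDSS.tdl3" or "Locked file"
    real_md5: str = ""
    fake_md5: str = ""
    action: str = ""      # "Cure" / "Skip" once the user has chosen

@dataclass
class Report:
    drivers: dict = field(default_factory=dict)   # service -> (md5, path)
    findings: list = field(default_factory=list)
    declared_count: int = -1                      # from "Detected object count"

def _add_finding(report, service, path, kind, **hashes):
    # The cure pass after the scan repeats the PCI lines; keep a single record.
    if any(f.path == path and f.kind == kind for f in report.findings):
        return
    report.findings.append(Finding(service=service or "?", path=path, kind=kind, **hashes))

def parse_tdsskiller_log(text: str) -> Report:
    report, last_service = Report(), None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if d := _DRIVER.match(msg):
            last_service = d.group(1)   # a suspicious-file line follows its driver line
            report.drivers[last_service] = (d.group(2), d.group(3))
        elif f := _FORGED.match(msg):
            _add_finding(report, last_service, f.group(1), "Forged",
                         real_md5=f.group(2), fake_md5=f.group(3))
        elif n := _NOACCESS.match(msg):
            _add_finding(report, last_service, n.group(1), "NoAccess", real_md5=n.group(2))
        elif v := _DETECTED.match(msg):
            for fnd in report.findings:
                if fnd.service == v.group(1) and not fnd.verdict:
                    fnd.verdict = v.group(2)
        elif a := _ACTION.match(msg):
            for fnd in report.findings:
                if fnd.service == a.group(2):
                    fnd.action = a.group(3)
        elif c := _COUNT.match(msg):
            report.declared_count = int(c.group(1))
    return report

def unresolved(report: Report) -> list:
    """Findings the user did not cure (skipped, or never acted on): follow-up work."""
    return [f for f in report.findings if f.action != "Cure"]

def count_matches(report: Report) -> bool:
    """Sanity check: the tool's own object count against what we parsed."""
    return report.declared_count == len(report.findings)

# Constructed sample in the tool's format (hashes are placeholders, not real values).
SAMPLE_LOG = r"""
2010/08/11 02:10:41.0187 ACPI (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/11 02:10:41.0578 atapi (fedcba9876543210fedcba9876543210) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/11 02:10:41.0578 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: fedcba9876543210fedcba9876543210
2010/08/11 02:10:41.0578 atapi - detected Locked file (1)
2010/08/11 02:10:44.0109 PCI (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/11 02:10:44.0109 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 00112233445566778899aabbccddeeff, Fake md5: ffeeddccbbaa99887766554433221100
2010/08/11 02:10:44.0109 PCI - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/11 02:10:45.0500 Detected object count: 2
2010/08/11 02:13:17.0015 Locked file(atapi) - User select action: Skip
2010/08/11 02:13:17.0078 PCI (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/11 02:13:17.0078 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 00112233445566778899aabbccddeeff, Fake md5: ffeeddccbbaa99887766554433221100
2010/08/11 02:13:18.0000 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure
"""
```

Running `unresolved(parse_tdsskiller_log(SAMPLE_LOG))` returns only the atapi finding, the same item the helper had to chase in the next post.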


#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:45 AM

Posted 11 August 2010 - 11:03 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\19\78433853-68f2adaf
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\26\3685711a-26c776ad
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-7d16a5dc
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386
C:\Documents and Settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\61\14833d-3296200b
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-41f9683b
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\23\1860b57-63753377
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1e4cb9d1
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\29\455eb21d-3dd871b0
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\1beddeeb-603525bb
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\62b0f66b-34606119
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\5\6a183b45-78dc7b9e
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-68ae9541
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\58\d552d7a-4c974028
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-14dde2de
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\6\7943cc6-64bb05bc
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\60\38bc557c-642994c4
C:\Documents and Settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\7\5a014607-72596a85
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul
D:\Incoming\Demobuilder5-1.zip
c:\documents and settings\zyth\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\windows\pss\Antimalware Doctor.lnkStartup
Folder::
D:\Incoming\Demobuilder5-1
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^zyth^Start Menu^Programs^Startup^Antimalware Doctor.lnk]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.



#13 whatiamigonnado

whatiamigonnado
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:45 AM

Posted 11 August 2010 - 03:41 PM

The ComboFix window is hanging with the following message:
'NIRCMDC' is not recognized as an internal or external command, operable program or batch file.

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:45 AM

Posted 11 August 2010 - 11:37 PM

Please download a fresh copy of ComboFix and try again.



#15 whatiamigonnado

whatiamigonnado
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:45 AM

Posted 12 August 2010 - 12:41 AM

Hi,
ComboFix prompted that it had found a rootkit, noting the same information I provided before about atapi.sys.

ComboFix 10-08-11.04 - zyth 2010-08-12 1:18.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1710 [GMT -4:00]
Running from: c:\documents and settings\zyth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\zyth\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\19\78433853-68f2adaf"
"c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\26\3685711a-26c776ad"
"c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-7d16a5dc"
"c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386"
"c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\61\14833d-3296200b"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-41f9683b"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\23\1860b57-63753377"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1e4cb9d1"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\29\455eb21d-3dd871b0"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\1beddeeb-603525bb"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\62b0f66b-34606119"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\5\6a183b45-78dc7b9e"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-68ae9541"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\58\d552d7a-4c974028"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-14dde2de"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\6\7943cc6-64bb05bc"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\60\38bc557c-642994c4"
"c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\7\5a014607-72596a85"
"c:\documents and settings\zyth\Start Menu\Programs\Startup\Antimalware Doctor.lnk"
"c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul"
"c:\windows\pss\Antimalware Doctor.lnkStartup"
"d:\incoming\Demobuilder5-1.zip"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\19\78433853-68f2adaf
c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\26\3685711a-26c776ad
c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-7d16a5dc
c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\52\2d28fbb4-70f4c386
c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\cache\6.0\61\14833d-3296200b
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\16\4ce65250-13cabc09
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-41f9683b
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\23\1860b57-63753377
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\28\68a9cc5c-1e4cb9d1
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\29\455eb21d-3dd871b0
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\39\fbe7ba7-70233208
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-194257ba
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\1beddeeb-603525bb
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\43\62b0f66b-34606119
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\46\4a35472e-7bf83cb0
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\47\2dcb5a6f-62b53dc6
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\5\6a183b45-78dc7b9e
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-68ae9541
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\58\d552d7a-4c974028
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-14dde2de
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\6\7943cc6-64bb05bc
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\60\38bc557c-642994c4
c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\cache\6.0\7\5a014607-72596a85
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul
c:\windows\pss\Antimalware Doctor.lnkStartup
d:\incoming\Demobuilder5-1
d:\incoming\Demobuilder5-1.zip
d:\incoming\Demobuilder5-1\db.exe
d:\incoming\Demobuilder5-1\dbsetup_trial.exe
d:\incoming\Demobuilder5-1\File_id.diz
d:\incoming\Demobuilder5-1\pio-Demo Builder Version 5.10.crk.nfo
d:\incoming\Demobuilder5-1\pio-Demo[1].Builder.5.10-crkexe.zip

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROCEXP141


((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-07-29 02:07 . 2010-07-29 02:07 61440 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-sse.dll
2010-07-29 02:07 . 2010-07-29 02:07 503808 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcp71.dll
2010-07-29 02:07 . 2010-07-29 02:07 499712 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\jmc.dll
2010-07-29 02:07 . 2010-07-29 02:07 348160 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46df943e-n\msvcr71.dll
2010-07-29 02:07 . 2010-07-29 02:07 12800 ----a-w- c:\documents and settings\Yves\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3d94270b-n\decora-d3d.dll
2010-07-29 01:45 . 2010-07-29 01:49 -------- d-----w- C:\UsbFix
2010-07-28 21:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 21:58 . 2010-07-28 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 21:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 20:00 . 2010-07-28 20:00 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-28 05:44 . 2010-07-28 05:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-28 03:23 . 2010-07-28 03:23 503808 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcp71.dll
2010-07-28 03:23 . 2010-07-28 03:23 499712 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\jmc.dll
2010-07-28 03:23 . 2010-07-28 03:23 61440 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-sse.dll
2010-07-28 03:23 . 2010-07-28 03:23 348160 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61162dd1-n\msvcr71.dll
2010-07-28 03:23 . 2010-07-28 03:23 12800 ----a-w- c:\documents and settings\zyth\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50458804-n\decora-d3d.dll
2010-07-28 03:23 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 03:13 . 2010-08-10 13:47 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 05:26 . 2010-06-28 23:48 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2010-08-11 06:14 . 2004-08-04 01:07 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-08-09 22:27 . 2007-12-27 04:28 -------- d-----w- c:\program files\Java
2010-08-09 22:27 . 2007-12-27 04:28 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 21:39 . 2007-10-24 01:16 -------- d-----w- c:\documents and settings\zyth\Application Data\uTorrent
2010-07-28 20:28 . 2009-08-06 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-27 02:53 . 2007-10-21 22:58 -------- d-----w- c:\program files\mIRC
2010-06-30 04:48 . 2009-08-18 22:22 2568656 ----a-w- c:\documents and settings\zyth\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-06-29 05:48 . 2010-06-29 05:48 -------- d-----w- c:\program files\OO Software
2010-06-21 03:41 . 2008-11-30 19:37 -------- d-----w- c:\program files\Messenger Plus! Live
2010-05-14 21:44 . 2010-05-14 21:44 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 18:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-08_08.26.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-12 05:24 . 2010-08-12 05:24 16384 c:\windows\Temp\Perflib_Perfdata_59c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-11 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-3 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-08-03 16:51 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-03-13 02:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2009-09-12 04:34 2524416 ----a-w- c:\program files\OO Software\Defrag\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"f:\\Quake III Arena\\quake3.exe"=
"f:\\Quake III Arena\\cnq3.exe"=
"c:\\Documents and Settings\\zyth\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\zyth\\OctoshapeClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-21 156800]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-12-11 1078632]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S4 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-21 5248]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-725345543-1003Core1cb17949d487a04.job
- c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-11 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\zyth\Application Data\Mozilla\Firefox\Profiles\hh9vqvhr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/home
FF - plugin: c:\documents and settings\zyth\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\zyth\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Octoshape Streaming Services\zyth\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 01:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A61DF00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba758cb8
\Driver\atapi -> 0x8a61df00
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba5f6bb0
PacketIndicateHandler -> NDIS.sys @ 0xba5e5a0d
SendHandler -> NDIS.sys @ 0xba5f9b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG12.00.00.01PROFESSIONAL"="BF0C7ECF07B9E46FD8367C43CC57C299648FB1D43EF3F36671B362E4A7DB73C4AD36821E869D8B7E3E974A228885D8306549ABBF5BAA25C7FD4B8941CF12091A41C942C548D9DA8362DA132B79F57D99F43F3D887B056CEF25400AB9A9A8A3E8C18C0FF8D2F5D6999337518A3CF46EBA05B9AEF36FAE63AC9F0B9ACBD94B5F074CC82B10C14034C072E7761081101E5C5E823CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808BA7FD869164D6794FEBC9E127BECC74C9DB7CE019D40AA5CA3234439EEE3F8773F6B252EF048EABD4D1C2CE2A21F8E10D640AB0B8517BDCF79C1A844A2DE9327CC2B1CE33715B4AFDB334484F97A267635A0016E6C7FB243017ABDC83F9DE3B7AA0BF72143F605BA1F29C9BF6AD93CB4166185485D832F9CE85F6BB39D38BCD30232609035ADBE55D75DC21B7CC3642D70B5C39CEA0B18C98216DAA6781E7317205DC09113CBC866E9BE7CD29F0F383664E388A58AD1D6AF475B7AF6EE11E28FF1DC4534C3B88F4E5FD38657A266D39832C564CD176BD824D0FEFCAF84266B430E95E442142F02D96436364BBB4B5814C1C9ACB6CFB911F15E63578D21476DAA2BFDD4B3B43D15D14A92228506906A599BF27A35557774585200C4800F3351AFA4A310B83AC4BEEC06A9A7937CDE328EEC56AB51302FFB8BB35FC230FE7A00B37B2857B21C7EFB593052E6B382315DCD891F604748C4A6312DA193F483836A8A53BD2BB937744CB785F343D85CD69A26E68B7E88EEEAF4658E7A3DDC948781FCF32CD4954C05329CE68D65AB337421199D6D2F3854ABEC35C9B08A290D95BBC549525F4780E23791DA2E39871502279BECAA5F3010E11927779F88CFAD8D9515E21E1A015A966593087E6EFAF3CAEA19363E40FB1C3F062ECFB58A7A97268B0FF41596A7C778CC14BB34FA4A24EE2C6EFE3646DC56C9C4B8B378A605546921CCD64FAC5797B881F6E820156D5F62306E71B5AB4702596DA3267C36034DB5DDD886F8F75F00D99A96A1A0398F436B405FDCF1ECE3C41A96424C6E58B8D3BB4CB32152D73F1833353FA0AAA890D027277A31B5CB0FA98DE0DCF28CEDA01B0279D2EB2FEE305DEDEEB1C1CA67036D05B7EE845E4CD89E08EA2D882C9EE738E0F81CCF79A49CAF0A6BA3871B3CAE6449445C925FB88576325DE29EB2D26F2987616D56ABA321525B553E954F340FDF8AA75BB63E9E0FE78ADF20ED9D3ACDCC774E94B1555B12EF85541DB42B9F55F2B6BCF5F416CD210C5FA07D5079C6CBE586DCD7339DFEF493061B52D20812E2148B65A77214DC9B63D6510545E9ADE61C5D31EDD53B0685ADAB5CE37FD2E34
F9A1D8664F7FB2394CDE928366F286A50FA7C7083B3F92C3192974E49708E326845538712F4223FD393"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3408)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
**************************************************************************
.
Completion time: 2010-08-12 01:29:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-12 05:29

Pre-Run: 15763066880 bytes free
Post-Run: 15692423168 bytes free

- - End Of File - - 62D878D971D8C4AC4DFA4D34A4B7DE20
